# IPThreat configuration file # # Added to fail2ban by Jeff Johnson (jjxtra) # # Action to report IP address to ipthreat.net # # You must sign up to obtain an API key from ipthreat.net and request bulk report permissions # https://ipthreat.net/integrations # # IPThreat is a 100% free site and service, all data is licensed under a creative commons by attribution license # Please do not integrate if you do not agree to the license # # IMPORTANT: # # Reporting an IP is a serious action. Make sure that it is legit. # Consider using this action only for: # * IP that has been banned more than once # * High max retry to avoid user mis-typing password # * Filters that are unlikely to be human error # # Example: # ``` # action = %(known/action)s # ipthreat[] # ``` # # The action accepts the following arguments: ipthreat[ipthreat_flags="8",ipthreat_system="SSH", ipthreat_apikey=...] # In most cases your action could be as simple as: ipthreat[], since the default flags and system are set to the most correct default values. # You can optionally override ipthreat_system and ipthreat_flags if desired. # The ipthreat_apikey must be set at the bottom of this configuration file. # # `ipthreat_system` is a short name of the system attacked, i.e. SSH, SMTP, MYSQL, PHP, etc. # # For `ipthreat_flags`, most cases will use 8 (BruteForce) which is the default, but you could use others. # You can use the name or the ordinal. # Multiple values are comma separated. # ``` # Name Ordinal Description # Dns 1 Abuse/attack of dns (domain name server) # Fraud 2 General fraud, whether orders, misuse of payment info, etc # DDos 4 Distributed denial of service attack, whether through http requests, large ping attack, etc # BruteForce 8 Brute force login attack # Proxy 16 IP is a proxy like TOR or other proxy server # Spam 32 Email, comment or other type of spam # Vpn 64 IP is part of a VPN # Hacking 128 General hacking outside of brute force attack (includes vulnerability scans, sql injection, etc.). Use port scan flag instead if it's just probe on ports. # BadBot 256 Bad bot that is not honoring robots.txt or just flooding with too many requests, etc # Compromised 512 The ip has been taken over by malware or botnet # Phishing 1024 The ip is involved in phishing or spoofing # Iot 2048 The ip has targetted an iot (Internet of Things) device # PortScan 4096 Port scan # See https://ipthreat.net/bulkreportformat for more information # ``` [Definition] # bypass action for restored tickets norestored = 1 # Option: actionstart # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # # Tags: See jail.conf(5) man page # Values: CMD # actionban = curl -sSf "https://api.ipthreat.net/api/report" -X POST -H "Content-Type: application/json" -H "X-API-KEY: " -d "{\"ip\":\"\",\"flags\":\"\",\"system\":\"\",\"notes\":\"fail2ban\"}" # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = [Init] # Option: ipthreat_apikey # Notes Your API key from ipthreat.net # Values: STRING Default: None # Register for ipthreat [https://ipthreat.net], get api key and set below. # You will need to set the flags and system in the action call in jail.conf ipthreat_apikey = # By default, the ipthreat system is the name of the fail2ban jail ipthreat_system = # By default the ip threat flags is 8 (brute force), but you can override this per jail if desired ipthreat_flags = 8