I have always hated brute-force enumeration and port-banging, and I previously wrote some small scripts to report abused IPs to the big server providers (not that it did much good).
Recently I happened to discover that AbuseIPDB can integrate with Fail2ban to fully automate the reporting of abusive IPs: Integrating AbuseIPDB with Fail2Ban
The concrete steps: first deploy Fail2ban, then apply for an AbuseIPDB API key.
apt install fail2ban -y
Enable it to start as a service:
sudo systemctl enable fail2ban
Next, add the corresponding jail rules. Upstream does not want us to edit jail.conf directly, so we need to copy or create a jail.local file:
sudo nano /etc/fail2ban/jail.local
Here is my configuration. It is somewhat aggressive, so adjust it to your needs:
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = -1 ; ban duration (seconds); can be changed to e.g. 10m or 1h; in my case a single failure means a ban
findtime = 600 ; ban if maxretry is exceeded within this window
maxretry = 2 ; maximum number of failed attempts
backend = systemd ; log backend; Ubuntu uses systemd
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = %(sshd_log)s
bantime = -1
findtime = 10m
maxretry = 5
Next, apply for an AbuseIPDB API key here: Register - AbuseIPDB. Choosing Free for everything is the right call; then go to API and request a key: API - AbuseIPDB
Then continue configuring Fail2ban by adding the following below the configuration above:
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
Replace my-api-key here with the API key you obtained above.
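The action above posts the matched log lines as the report comment, and the bundled abuseipdb.conf warns that these may include sensitive information such as your hostname. The following added example (my own code, not part of Fail2ban or AbuseIPDB) builds the same report fields the actionban sends, but redacts the hostname and attempted usernames first and validates the category string against the category table from abuseipdb.conf; the sshd journal lines are constructed samples.

```python
import re
from urllib.parse import urlencode

# Category IDs copied from the abuseipdb.conf table (3 Fraud Orders ... 23 IoT Targeted).
ABUSEIPDB_CATEGORIES = {3, 4, 9, 10, 11, 14, 18, 19, 20, 21, 22, 23}
COMMENT_MAX = 1000  # same cap as printf '%.1000s' in the actionban line

# "Jan 10 12:00:01 myhost sshd[1234]: ..." -> the hostname is the token before "sshd[pid]:"
HOST_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+(sshd\[\d+\]:)")
# "for invalid user admin from" / "for root from" -> hide the attempted username
USER_RE = re.compile(r"(for (?:invalid user )?)\S+( from )")


def redact_match(line: str) -> str:
    """Strip the local hostname and attempted usernames from one sshd journal line."""
    line = HOST_RE.sub(r"\1 [host] \2", line)
    return USER_RE.sub(r"\1[user]\2", line)


def parse_categories(spec: str) -> list[int]:
    """Validate an abuseipdb_category string such as "18,22" against the category table."""
    cats = sorted({int(c) for c in spec.split(",") if c.strip()})
    unknown = [c for c in cats if c not in ABUSEIPDB_CATEGORIES]
    if unknown:
        raise ValueError(f"unknown AbuseIPDB categories: {unknown}")
    if cats == [22]:  # the table says 22 (SSH) must be combined with a more specific category
        raise ValueError("category 22 must be combined with a more specific category")
    return cats


def build_report(ip: str, matches: list[str], category_spec: str) -> dict:
    """Build the ip/categories/comment form fields that actionban posts to /api/v2/report."""
    comment = "\n".join(redact_match(m) for m in matches)
    if len(comment) > COMMENT_MAX:  # truncate like the actionban's printf does
        comment = comment[:COMMENT_MAX] + "..."
    categories = ",".join(str(c) for c in parse_categories(category_spec))
    return {"ip": ip, "categories": categories, "comment": comment}


# Constructed sample journal lines (hypothetical host and attacker address)
SAMPLE_MATCHES = [
    "Jan 10 12:00:01 myhost sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 10 12:00:03 myhost sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
]

if __name__ == "__main__":
    # Print the urlencoded body; nothing is sent, so it is safe to run without an API key.
    print(urlencode(build_report("203.0.113.5", SAMPLE_MATCHES, "18,22")))
```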
Then start the Fail2ban service:
systemctl start fail2ban
Then check whether the service started successfully:
systemctl status fail2ban
If nothing goes wrong it should show up green, meaning it started successfully:
If you want to view the ban list, you can use:
fail2ban-client status
This shows the currently active jails; the output is:
Status
|- Number of jail: 1
`- Jail list: sshd
If you only want to look at the sshd jail, you can use:
fail2ban-client status sshd
The output is:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   xx.xx.xx.xx
This is where the banned IPs are shown.
Then you can go back to the AbuseIPDB website, log in and click Report - AbuseIPDB to see the IPs you have submitted.
What's more?
Older versions of Fail2ban may not support AbuseIPDB out of the box and you may need to write the corresponding action yourself. Go to /etc/fail2ban/action.d and check whether it contains the file abuseipdb.conf. My copy looks like this, for your reference:
# Fail2ban configuration file
#
# Action to report IP address to abuseipdb.com
# You must sign up to obtain an API key from abuseipdb.com.
#
# NOTE: These reports may include sensitive Info.
# If you want cleaner reports that ensure no user data see the helper script at the below website.
#
# IMPORTANT:
#
# Reporting an IP of abuse is a serious complaint. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
# * The recidive where the IP has been banned multiple times
# * Where maxretry has been set quite high, beyond the normal user typing
# password incorrectly.
# * For filters that have a low likelihood of receiving human errors
#
# This action relies on a api_key being added to the above action conf,
# and the appropriate categories set.
#
# Example, for ssh bruteforce (in section [sshd] of `jail.local`):
# action = %(known/action)s
# abuseipdb[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
#
# See below for categories.
#
# Added to fail2ban by Andrew James Collett (ajcollett)
## abuseIPDB Categories, `the abuseipdb_category` MUST be set in the jail.conf action call.
# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
# ID Title Description
# 3 Fraud Orders
# 4 DDoS Attack
# 9 Open Proxy
# 10 Web Spam
# 11 Email Spam
# 14 Port Scan
# 18 Brute-Force
# 19 Bad Web Bot
# 20 Exploited Host
# 21 Web App Attack
# 22 SSH Secure Shell (SSH) abuse. Use this category in combination with more specific categories.
# 23 IoT Targeted
# See https://abuseipdb.com/categories for more descriptions
[Definition]
# bypass action for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
#
# ** IMPORTANT! **
#
# By default, this posts directly to AbuseIPDB's API, unfortunately
# this results in a lot of backslashes/escapes appearing in the
# reports. This also may include info like your hostname.
# If you have your own web server with PHP available, you can
# use my (Shaun's) helper PHP script by commenting out the first #actionban
# line below, uncommenting the second one, and pointing the URL at
# wherever you install the helper script. For the PHP helper script, see
# <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
#
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = lgm=$(printf '%%.1000s\n...' "<matches>"); curl -sSf "https://api.abuseipdb.com/api/v2/report" -H "Accept: application/json" -H "Key: <abuseipdb_apikey>" --data-urlencode "comment=$lgm" --data-urlencode "ip=<ip>" --data "categories=<abuseipdb_category>"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Option: abuseipdb_apikey
# Notes Your API key from abuseipdb.com
# Values: STRING Default: None
# Register for abuseipdb [https://www.abuseipdb.com], get api key and set below.
# You will need to set the category in the action call.
abuseipdb_apikey =