#6 Actions for reports to DShield, myNetWatchman, and ISP

closed-accepted
nobody
None
5
2008-10-13
2008-08-10
Russell Odom
No

Three new actions for Fail2ban, which will submit complaints about offending IPs to:
* DShield (http://www.dshield.org/)
* myNetWatchman (http://www.mynetwatchman.com/)
* the abuse or other contact e-mail address of the ISP concerned (found from a whois lookup)

I've been using all 3 of these myself for a month or so with no problems on CentOS 4 and Fedora 8 with Fail2ban 0.8.2. They've also been available on my web site, http://www.gloomytrousers.co.uk/open_source/fail2ban.shtml . The only pre-requisites are standard commands like perl, whois, awk, wget/curl, etc.

Reports for DShield are buffered (for a configurable time/number of reports) then sent by e-mail in batches, as per the guidelines at http://www.dshield.org/specs.html.

Reports to myNetWatchman are submitted to the web service in the same way as the official mNW client.

The action for complaints direct to ISPs tries various patterns to find the correct abuse/complaint addresses from the whois record (to avoid contacting inappropriate people), and will use those in preference to any other addresses in the whois record if it can. Experience to date has found it's pretty good at getting the right abuse addresses without contacting every address listed in the whois record, and although a surprising number of abuse addresses bounce, I've had plenty of responses from ISPs indicating they'll take action. It includes a log excerpt (with time zone indicated) and a configurable message, and seems to meet reporting requirements for all ISPs according to the replies I've had.

Each file has some documentation and examples.

So, I'd like to submit these for inclusion in a future release of Fail2ban. Feedback welcome!
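The address preference described for the ISP complaint action, sketched as an added example that is not part of the original submission or of complain.conf. The function names, the `abuse|complain` line filter and the whois record are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed whois record (documentation address range and domain), not real data.
sample_whois() {
cat <<'EOF'
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
admin-c:        JD1-EXAMPLE
remarks:        Send abuse reports to abuse@example.net
person:         Jane Doe
e-mail:         jane.doe@example.net
OrgAbuseEmail:  abuse@example.net
OrgTechEmail:   noc@example.net
EOF
}

# Print every e-mail address found on stdin: one per line, lower-cased, deduplicated.
extract_addrs() {
    grep -E -o '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' | tr 'A-Z' 'a-z' | sort -u
}

# Read a whois record on stdin and print the addresses a complaint should go to.
# Hypothetical helper: the real action's patterns are not shown on this page.
pick_complaint_addrs() {
    record=$(cat)
    # First preference: addresses on lines that mention abuse or complaint handling.
    preferred=$(printf '%s\n' "$record" | grep -E -i 'abuse|complain' | extract_addrs)
    if [ -n "$preferred" ]; then
        printf '%s\n' "$preferred"
        return 0
    fi
    # Fallback: any other address in the record, so the report still reaches someone.
    fallback=$(printf '%s\n' "$record" | extract_addrs)
    # No address at all: signal failure so the caller can skip sending.
    [ -n "$fallback" ] || return 1
    printf '%s\n' "$fallback"
}

# Stand-alone run on the constructed record.
sample_whois | pick_complaint_addrs
```

In a real action the function would be fed the output of `whois` for the banned IP instead of the embedded sample.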

Discussion

  • Russell Odom
    2008-08-10

    dshield.conf, mynetwatchman.conf and complain.conf

     
  • Russell Odom
    2008-08-10

    • summary: Actions for reports to DSheild, myNetWatchman, and ISP --> Actions for reports to DShield, myNetWatchman, and ISP
     
  • Cyril Jaquier
    2008-10-13

    • status: open --> closed-accepted
     
  • Cyril Jaquier
    2008-10-13

    Added. Thanks. Will be in 0.8.4.