LFD Reporting Script using Abuse IP DB v2 API
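#!/usr/local/bin/php
<?php
// AbuseIPDB API v2 Key
// This is a long-lived secret stored in clear text: restrict this file's
// permissions to the account that runs the script.
$api_key = 'xxx';
// AbuseIPDB API v2 Endpoint (keep the trailing slash; request paths are appended to it)
$api_endpoint = 'https://api.abuseipdb.com/api/v2/';
// AbuseIPDB User ID (matched against reporterId of existing reports so the
// same IP is not reported twice by this account)
$user_id = 'yyy';
// Your Server IPs to hide
// NOTE(review): this list is not referenced anywhere below, so nothing is
// masked yet — the lfd message is sent verbatim as the report comment.
$server_ip = [ 'server_ip' ];
// AbuseIPDB category id => keyword; a case-insensitive match of the keyword
// in the lfd message or log line tags the report with that category
$categories = [
    '5' => 'ftpd',
    '11' => 'email',
    '18' => 'brute-force',
    '21' => 'cpanel',
    '22' => 'ssh',
    '14' => 'port scan'
];
// default categories to tag in AbuseIPDB report (18 = brute-force)
$cats = [ '18' ];
/* DO NOT EDIT BELOW (Unless you know what you're doing) */
// get command line arguments: this script expects the remote IP in $argv[1],
// the lfd message in $argv[6] and the log line in $argv[7]; missing
// positions default to '' instead of emitting undefined-index warnings
$args = $argv ?? [];
$msg = (string) ($args[6] ?? '');
$log = (string) ($args[7] ?? '');
$ips = (string) ($args[1] ?? '');
// see if the message or logs include any of the keywords from categories
foreach ($categories as $id => $category) {
    if (stristr($log, $category) !== false || stristr($msg, $category) !== false) {
        $cats[] = $id;
    }
}
// a matched category may also be the default one; drop duplicates and keep a list
$cats = array_values(array_unique($cats));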
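/**
 * Send one request to the AbuseIPDB v2 API and return the decoded JSON body.
 *
 * @param string $path   endpoint path appended to $api_endpoint (e.g. 'check', 'report')
 * @param string $method 'POST' sends $data as the request body; any other value
 *                       appends $data to the URL as a query string
 * @param array  $data   request parameters
 * @return mixed decoded JSON body, or null when the transport fails or the
 *               body is not valid JSON; bodies of HTTP error responses are
 *               still returned so the caller can inspect them
 */
function request($path, $method = 'GET', $data = []) {
    global $api_endpoint, $api_key;
    // set api url
    $url = $api_endpoint . $path;
    // open curl connection
    $ch = curl_init();
    // set the method and data to send
    if ($method === 'POST') {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    } else {
        $url .= '?' . http_build_query($data);
    }
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // set the url to call
    curl_setopt($ch, CURLOPT_URL, $url);
    // bound the call so a stalled API endpoint cannot hold the caller indefinitely
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    // set the AbuseIPDB API Key as a header (the Accept value previously
    // carried a stray trailing ';')
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'Accept: application/json',
        'Key: ' . $api_key,
    ]);
    // execute curl call and capture transport diagnostics before closing
    $result = curl_exec($ch);
    $error = curl_error($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    // close connection
    curl_close($ch);
    if ($result === false) {
        fwrite(STDERR, 'AbuseIPDB ' . $path . ' request failed: ' . $error . PHP_EOL);
        return null;
    }
    // return response as json object
    $decoded = json_decode($result);
    if ($decoded === null && json_last_error() !== JSON_ERROR_NONE) {
        fwrite(STDERR, 'AbuseIPDB ' . $path . ' returned invalid JSON: ' . json_last_error_msg() . PHP_EOL);
        return null;
    }
    if ($status >= 400) {
        // surface the status but still hand the body back to the caller
        fwrite(STDERR, 'AbuseIPDB ' . $path . ' returned HTTP ' . $status . PHP_EOL);
    }
    return $decoded;
}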
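// output data from lfd arguments
echo 'Remote IP: ' . $ips . PHP_EOL;
echo 'Message: ' . $msg . PHP_EOL;
echo 'Categories: ' . implode(', ', $cats) . PHP_EOL;
// refuse to query or report anything that is not a well-formed IP address
if (filter_var((string) $ips, FILTER_VALIDATE_IP) === false) {
    fwrite(STDERR, 'Invalid or missing remote IP; nothing reported.' . PHP_EOL);
    exit(1);
}
// check AbuseIPDB reports
$check = request('check', 'GET', [ 'ipAddress' => $ips, 'maxAgeInDays' => 1, 'verbose' => true ]);
// without a usable check result we cannot tell whether this IP was already
// reported, so stop rather than risk filing a duplicate report
if (!isset($check->data)) {
    fwrite(STDERR, 'AbuseIPDB check failed; nothing reported.' . PHP_EOL);
    exit(1);
}
$reports = $check->data->reports ?? [];
if (!is_array($reports)) {
    $reports = [];
}
// loop through reports to see if IP was previously reported by yourself
foreach ($reports as $report) {
    // stop script if IP already reported; compare as strings so an integer
    // reporterId still matches the string-configured $user_id
    if (isset($report->reporterId) && (string) $report->reporterId === (string) $user_id) {
        echo 'ALREADY REPORTED' . PHP_EOL;
        exit;
    }
}
echo 'IP Reported: '. count($reports) .' times.' . PHP_EOL;
// report new IP to AbuseIPDB
// NOTE(review): $msg (the raw lfd message) is sent verbatim as the report
// comment to a third party; $server_ip is declared above but never applied,
// so confirm the message cannot carry anything you would rather not disclose
$publish = request('report', 'POST', [ 'ip' => $ips, 'categories' => implode(',', $cats), 'comment' => $msg ]);
// output reported IP and confidence score
if (isset($publish->data->abuseConfidenceScore)) {
    echo 'Reported IP: '. $ips .'. Confidence Score: ' . $publish->data->abuseConfidenceScore . PHP_EOL;
} else {
    fwrite(STDERR, 'AbuseIPDB report failed.' . PHP_EOL);
    exit(1);
}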