CSF Logo ConfigServer Security & Firewall + AbuseIPDB
Integrating AbuseIPDB with CSF - Automatically Block Bad IPs

AbuseIPDB provides a free API for reporting and checking IP addresses. Every day webmasters, system administrators, and other IT professionals use our API to report thousands of IP addresses engaging spamming, hacking, vulnerability scanning, and other malicious activity in real time.

ConfigServer Security & Firewall (csf) is a stateful packet inspection (SPI) firewall, Login/Intrusion Detection and security application for Linux servers.

In this tutorial, we will learn how to set up CSF so that attempted intrusions against your system are automatically blocked. It is also possible to use CSF to pre-emptively block IP addresses in our blacklist.

1.) Install ConfigServer Security & Firewall (CSF) on your server

Before starting this tutorial, we assume that you have a Linux server with the CSF firewall and intrusion detection system installed. CSF is free software available at https://download.configserver.com/csf/install.txt . Please see the CSF documentation or HowToForge's installation and configuration tutorial to install CSF and set up your basic configuration to detect intrusion attempts on SSH, Apache, etc.

2.) Create an AbuseIPDB API key

Register an account with AbuseIPDB, and create an API key. The API is free to use, but you do have to create an account.

3) Verify CSF and lfd are working properly

Open the lfd log file (/var/log/lfd.log) and check if there are any reports.

If you see any report like the following, then everything is good!

Example log:

Jun 18 12:56:24 testbed lfd[14650]: (sshd) Failed SSH login from 157.230.169.36 (US/United States/-): 5 in the last 3600 secs - *Blocked in csf* [LF_SSHD]

Integrating our Blacklist (Optional)

Open the blocklists file in your preferred editor. Here we are using vi.

vi /etc/csf/csf.blocklists

Navigate to the end of the file and append the following:

# AbuseIPDB blacklist
# Details: https://docs.abuseipdb.com/#blacklist-endpoint
ABUSEIPDB|86400|10000|https://api.abuseipdb.com/api/v2/blacklist?key=YOUR_API_KEY&plaintext

The last line is where some items can be modified but only the first three fields. The first field (ABUSEIPDB) is what we chose for the name. The second field, is the interval in seconds at which the blocklist is updated. The third field is the number of IPs to pull from the list, this is capped at 10,000 unless you subscribe to a paid plan. With subscriber status, you can request more IPs from our list by setting the limit query parameter, and then increasing CSF's limit.

# AbuseIPDB blacklist
# Details: https://docs.abuseipdb.com/#blacklist-endpoint
ABUSEIPDB|86400|20000|https://api.abuseipdb.com/api/v2/blacklist?key=YOUR_API_KEY&plaintext&limit=20000

Note: there is no "unlimited" value for our blacklist. If you want all the IPs included, just set the value to an outrageous number like 1,000,000. However, without a reasonable cap you'll be straining CSF, even on modern hardware. Performance test appropriately.

After you finish editing the file, save it and restart CSF and lfd using:

csf -ra

Check the log file to ensure that the blocklist was added correctly:

cat /var/log/lfd.log

A successful entry will look like this:

Jun 20 18:34:30 testbed lfd[9475]: Retrieved and blocking blocklist ABUSEIPDB IP address ranges Jun 20 18:34:30 testbed lfd[9475]: IPSET: loading set new_ABUSEIPDB with 9999 entries Jun 20 18:34:30 testbed lfd[9475]: IPSET: switching set new_ABUSEIPDB to bl_ABUSEIPDB

If you see a response like this:

Jun 20 16:24:00 testbed lfd[30409]: Unable to retrieve blocklist ABUSEIPDB - Unable to download: Not Found

Then you probably entered the incorrect url.

Also, check that CSF added the correct number if IPs to the IPSET. If this is not the case, then you have to delete the csf.block.ABUSEIPDB file located in /var/lib/csf/csf.blockABUSEIPDB

Reporting to AbuseIPDB (Optional)

1.) Create an executable script that reports to AbuseIPDB.

Below is a usable script you may use. You can of course write your own in whatever language you prefer. Since CSF uses Perl, the public script is we display here is written in Perl. Also available is a shell or Python version.

And then make the script file executable using

chmod +x

2.) Set the BLOCK_REPORT variable in /etc/csf.conf to the executable script file.

BLOCK_REPORT = "/path/to/abuseipdb_report.pl"

And a note from CSF's readme.txt:

lfd launches the BLOCK_REPORT in a forked process which terminates after 10 seconds if not completed by then. It runs under the root account, so great care should be exercised with regard to security of the BLOCK_REPORT script.

Troubleshooting

  • If you are running into issues with CSF not working properly, ensure that you set the "TESTING" flag to zero, followed by a restart of CSF and lfd.

  • If CSF takes a while to restart, we recommend setting the FASTSTART variable to zero.

  • Everything that CSF or lfd does is logged on the log file /var/log/lfd.log


Thanks for supporting AbuseIPDB! Do you have any feedback or suggestions about this tutorial? Please let us know!

"ConfigServer" is a trademark of Way to the Web Limited