enrich ip information from internetdb.shodan.io #3422

Open
wants to merge 1 commit into
base: master
enrich ip information from internetdb.shodan.io
duong22 committed Nov 30, 2022
commit 912949a46edcc542f7e6ae69a9a32fcdfff82675
46 changes: 46 additions & 0 deletions config/action.d/shodan-internetdb.conf
@@ -0,0 +1,46 @@
# Fail2ban configuration file
# Action to get IP information from internetdb.shodan.io.
# Shodan provides IP properties: cpes, hostnames, open ports, tags and vulnerabilities for free.
#
# IMPORTANT:
# Action get IP details and save it to /etc/fail2ban/jail.d/fail2ban-shodan-internetdb.csv.
# Please ensure you have this repository.

[Definition]

# bypass action for restored tickets
norestored = 1

# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = [ -f /etc/fail2ban/jail.d/fail2ban-shodan-internetdb.csv ] && printf "Internetdb file exists." || echo -n "ip,cpes,tags,hostnames,ports,vulns," > /etc/fail2ban/jail.d/fail2ban-shodan-internetdb.csv

# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = if grep -q '<ip>' /etc/fail2ban/jail.d/fail2ban-shodan-internetdb.csv; then printf "Already Have"; else status_code=$(curl -o /dev/null --write-out %%{http_code} -s "https://internetdb.shodan.io/<ip>"); if [ $status_code == 200 ]; then for word in tags cpes hostnames ports vulns; do curl -s "https://internetdb.shodan.io/<ip>" | grep -Po "\"$word\":\K\[(.*?)\]" | tr "\n" "," | sed "s/\"/\"\"/g" | sed "s/\[/\"[/g" | sed "s/\]/\]\"/g"; done >> /etc/fail2ban/jail.d/fail2ban-shodan-internetdb.csv | printf "\n<ip>," >> /etc/fail2ban/jail.d/fail2ban-shodan-internetdb.csv; else printf "\n<ip>,,,,,," >> /etc/fail2ban/jail.d/fail2ban-shodan-internetdb.csv; fi; fi

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = sed -i '/<ip>/d' /etc/fail2ban/jail.d/fail2ban-shodan-internetdb.csv
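Review bot: the `actionban` command in this hunk writes each CSV row in nondeterministic order, because the field loop and the IP prefix are joined by a pipe: `done >> ...csv | printf "\n<ip>," >> ...csv` runs both writers concurrently against the same file, so the `<ip>,` prefix can land before, after or between the five field values. Join them with `;` and emit `printf "\n<ip>,"` before the `for` loop. The loop order `tags cpes hostnames ports vulns` also does not match the header written by `actionstart` (`ip,cpes,tags,hostnames,ports,vulns,`), so the cpes and tags columns are swapped, and a field absent from the response produces no output at all and shifts the remaining columns left; printing an empty value when `grep` matches nothing keeps the columns aligned. The same command fetches `https://internetdb.shodan.io/<ip>` six times per ban (once for the status code, once per field); fetching once into a variable and passing `--max-time` to `curl` avoids the repeated requests and keeps an unreachable service from stalling the jail's action queue. `[ $status_code == 200 ]` is a bashism, and fail2ban runs actions through `/bin/sh`, so use `=`. The duplicate check `grep -q '<ip>'` and the unban `sed -i '/<ip>/d'` are unanchored regex substring matches with unescaped dots, so `10.0.0.1` matches, and on unban deletes, the rows for `10.0.0.10` or `110.0.0.1`; anchor both as `^<ip>,`. Finally, `/etc/fail2ban/jail.d` is the jail configuration directory, so a growing data file belongs under `/var/lib/fail2ban`, the header comment "Please ensure you have this repository" should say "directory", and the file should state that every ban sends the banned address to a third-party service, since operators need that to judge whether to enable the action.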