Report to AbuseTrack from fail2ban
fail2ban already watches your logs and bans the IP addresses that brute-force SSH or hammer your services. With the AbuseTrack integration, every ban also becomes a community report: the offending IP is sent to AbuseTrack through the public API, flagged as an IP / Brute Force entity with a comment describing what the attacker did. Your server turns into a sensor, and the wider community benefits from what it already detects.
Before you start
- A Linux server with fail2ban installed (for example apt-get install fail2ban) and curl available.
- Root access on that server.
- An AbuseTrack API key — create one under your account at /account/api-keys.
Install in one command
As root, run the installer with your API key. By default the integration is report-only — it does not change your firewall:
curl -fsSL https://abusetrack.io/integrations/fail2ban/install.sh | \
AT_API_KEY=your_api_key AT_API_URL=https://abusetrack.io bashWhat the installer does
- Writes /etc/abusetrack/report.conf with your key and endpoint (permissions 600).
- Installs the reporter script at /usr/local/bin/abusetrack-report.
- Installs the fail2ban action action.d/abusetrack.conf.
- Installs a self-contained filter.d/sshd.conf only if you do not already have one.
- Writes jail.d/abusetrack.conf wiring the sshd jail to the reporter.
- Restarts fail2ban and verifies your API key with a harmless lookup (nothing is reported during setup).
Options (environment variables)
Pass these before bash to customise the install. By default only the sshd jail is wired and nothing is blocked:
| Variable | Default | Meaning |
|---|---|---|
| AT_API_KEY | (required) | Your AbuseTrack API key |
| AT_API_URL | https://abusetrack.io | Base URL of the AbuseTrack instance |
| AT_THREAT | Brute Force | Threat type to report |
| AT_JAILS | sshd | Space-separated jails to wire up |
| AT_BAN | 0 | Set to 1 to also block the IP via iptables-multiport |
Because the integration is report-only by default, it is safe to add to an existing fail2ban setup without changing how you block traffic. Set AT_BAN=1 only if you also want fail2ban to drop the attacker.
What a report looks like
Each ban produces a JSON report like this, posted to /api/v1/reports:
{
"type": "ip",
"value": "203.0.113.10",
"threatType": "Brute Force",
"comment": "fail2ban: SSH (sshd) brute-force — 8 failed attempts (jail: sshd)"
}Verify and troubleshoot
Reserved and documentation IP ranges cannot be reported, so use a real address when testing manually. Useful commands:
tail -f /var/log/abusetrack-report.log # reporter output
fail2ban-client status sshd # bans so far
/usr/local/bin/abusetrack-report 203.0.113.10 sshd 5 # manual test reportUninstall
Remove the jail and action files and reload fail2ban:
rm /etc/fail2ban/jail.d/abusetrack.conf /etc/fail2ban/action.d/abusetrack.conf
fail2ban-client reloadGoing further
You can wire additional jails (web brute force, mail, and so on) by listing them in AT_JAILS, and you can pair reporting with consuming the community blocklist via the CrowdSec integration on the same host.