# AbuseTrack × fail2ban

Turn any Linux server into an AbuseTrack sensor. Every IP that fail2ban bans
(SSH brute-force and any other jail you wire up) is reported to your AbuseTrack
account through the public API — flagged as **IP / Brute Force** with a comment
describing what the attacker did. Think AbuseIPDB, but community-owned.

## Install

1. Create an API key at `…/account/api-keys`.
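2. On your server, as **root** (this pipes the installer straight into a root
   shell; fetch and read `install.sh` first if you want to review what it does):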

```bash
curl -fsSL https://abusetrack.io/integrations/fail2ban/install.sh | \
  AT_API_KEY=your_api_key AT_API_URL=https://abusetrack.io bash
```

The installer:

- writes `/etc/abusetrack/report.conf` (your key + endpoint),
- installs the reporter `/usr/local/bin/abusetrack-report`,
- installs the fail2ban action `action.d/abusetrack.conf`,
- installs a self-contained `filter.d/sshd.conf` **only if** you don't already
  have one,
- writes `jail.d/abusetrack.conf` wiring the `sshd` jail to the reporter,
- reloads fail2ban and verifies your API key (real bans are reported as they
  happen; reserved/documentation IP ranges can't be reported).

## Options (environment variables)

| Variable     | Default            | Meaning                                            |
| ------------ | ------------------ | -------------------------------------------------- |
| `AT_API_KEY` | _(required)_       | Your AbuseTrack API key                            |
| `AT_API_URL` | `https://abusetrack.io` | Base URL of the AbuseTrack instance           |
| `AT_THREAT`  | `Brute Force`      | Threat type to report                              |
| `AT_JAILS`   | `sshd`             | Space-separated jails to wire up                   |
| `AT_BAN`     | `0`                | `1` also blocks the IP via `iptables-multiport`    |

By default the integration is **report-only** — it does not change your
firewall. Set `AT_BAN=1` if you also want fail2ban to block the attacker.

## How a report looks

```json
{
  "type": "ip",
  "value": "203.0.113.10",
  "threatType": "Brute Force",
  "comment": "fail2ban: SSH (sshd) brute-force — 8 failed attempts (jail: sshd)"
}
```
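
The Python example below is added here and is not the project's reporter, whose source this page does not show. It builds the report body shown above and applies the reserved/documentation-range rule from the installer notes before anything would be sent. `build_report`, `to_json` and the generic comment wording are assumptions; nothing is posted, because the API endpoint is not given on this page.

```python
import ipaddress
import json


def build_report(ip, jail, failures, threat_type="Brute Force"):
    """Return the report body as a dict, or None if the address is not reportable.

    Hypothetical helper: the function name and the comment wording are
    assumptions; only the four JSON fields come from the sample report.
    """
    try:
        addr = ipaddress.ip_address(str(ip).strip())
    except ValueError:
        return None  # not an IP literal (e.g. a hostname taken from a log line)

    # Private, loopback, link-local and documentation ranges such as
    # 203.0.113.0/24 are not globally routable. Multicast is checked
    # separately because is_global does not exclude it for IPv4.
    if not addr.is_global or addr.is_multicast:
        return None

    count = max(int(failures), 0)  # the count arrives as a string argument
    return {
        "type": "ip",
        "value": str(addr),  # normalised form (compressed IPv6, no whitespace)
        "threatType": threat_type,
        "comment": f"fail2ban: {count} failed attempts (jail: {jail})",
    }


def to_json(report):
    """Serialise with json.dumps so quotes or backslashes in a jail name
    are escaped instead of breaking the request body."""
    return json.dumps(report, ensure_ascii=False)


if __name__ == "__main__":
    # Constructed sample inputs; 1.2.3.4 only stands in for a routable address.
    for sample in ("203.0.113.10", "2001:db8::1", "10.0.0.5", "1.2.3.4"):
        report = build_report(sample, "sshd", "8")
        print(sample, "->", to_json(report) if report else "skipped (not reportable)")
```

The address in the sample report above, 203.0.113.10, is itself in a documentation range, so this check skips it.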

## Verify / troubleshoot

```bash
tail -f /var/log/abusetrack-report.log      # reporter output
fail2ban-client status sshd                 # bans so far
# manual test run; 203.0.113.10 is a documentation address, which can't be reported (see Install)
/usr/local/bin/abusetrack-report 203.0.113.10 sshd 5
```

## Uninstall

```bash
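rm /etc/fail2ban/jail.d/abusetrack.conf /etc/fail2ban/action.d/abusetrack.conf
fail2ban-client reload
# the two files below are not fail2ban config; report.conf still holds your API key
rm -f /usr/local/bin/abusetrack-report /etc/abusetrack/report.conf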
```
