jestersimpps

fail2ban Reporter

Author: jester · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 2543
Favorites: 1
Current installs: 3
Versions: 1
Install in OpenClaw
/install fail2ban-reporter
Description
Auto-report fail2ban banned IPs to AbuseIPDB and notify via Telegram. Use when monitoring server security, reporting attackers, or checking banned IPs. Watches fail2ban for new bans, reports them to AbuseIPDB, and sends alerts.
Usage instructions (SKILL.md)

fail2ban Reporter

Monitor fail2ban bans and auto-report attackers to AbuseIPDB.

Setup

  1. Get a free AbuseIPDB API key at https://www.abuseipdb.com/account/api
  2. Store it: pass insert abuseipdb/api-key
  3. Install the monitor: bash {baseDir}/scripts/install.sh

Manual Usage

Report all currently banned IPs

bash {baseDir}/scripts/report-banned.sh

Check a specific IP

bash {baseDir}/scripts/check-ip.sh <ip>

Show ban stats

bash {baseDir}/scripts/stats.sh

Auto-Reporting

The install script sets up a fail2ban action that auto-reports new bans.

bash {baseDir}/scripts/install.sh    # install auto-reporting
bash {baseDir}/scripts/uninstall.sh  # remove auto-reporting

Heartbeat Integration

Add to HEARTBEAT.md to check for new bans periodically:

- [ ] Check fail2ban stats and report any unreported IPs to AbuseIPDB

Workflow

  1. fail2ban bans an IP → action triggers report-single.sh
  2. Script reports to AbuseIPDB with SSH brute-force category
  3. Sends Telegram notification (if configured)
  4. Logs report to /var/log/abuseipdb-reports.log

API Reference

See references/abuseipdb-api.md for full API docs.

Security recommendations
Before installing:
  1. Review the scripts (install.sh, report-*.sh, uninstall.sh) yourself — they will write /etc/fail2ban/action.d/abuseipdb.conf, edit /etc/fail2ban/jail.local, and restart fail2ban (requires sudo).
  2. Ensure you actually want automatic external reporting to AbuseIPDB — reports are sent to a third party and could affect how IPs are treated.
  3. Provide an AbuseIPDB API key via ABUSEIPDB_KEY or store it at pass show abuseipdb/api-key; the skill metadata does not declare this requirement so it will fail silently if missing.
  4. Back up /etc/fail2ban/jail.local before running install.sh because the script edits it with sed.
  5. Note: Telegram notifications are advertised but no Telegram code or env vars are present — if you need alerts via Telegram, you'll have to add that yourself.
  6. If you are uncomfortable with a script running as root and modifying system service config, run the reporting scripts manually (report-banned.sh / report-single.sh) instead of running install.sh.
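The workflow's report step with the missing-key case from point (3) turned into a hard error, as an added sketch that is not the skill's own report-single.sh. The endpoint and categories 18 (Brute-Force) and 22 (SSH) are AbuseIPDB's v2 report API; the function names, exit codes, DRY_RUN switch and IPv4-only check are assumptions of this example.

```shell
#!/bin/sh
# Added example: hardened single-IP reporter (not the skill's report-single.sh).
LOG_FILE="${LOG_FILE:-/var/log/abuseipdb-reports.log}"  # log path named on the page
API_URL="https://api.abuseipdb.com/api/v2/report"       # AbuseIPDB v2 report endpoint

# Accept only a dotted-quad IPv4 address, so nothing else reaches curl or the log.
valid_ipv4() (
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
  IFS=.; set -- $1
  [ "$#" -eq 4 ] || exit 1
  for o in "$@"; do
    [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || exit 1
  done
)

# Resolve the key from ABUSEIPDB_KEY, then from pass; a missing key is an error.
load_key() (
  key="${ABUSEIPDB_KEY:-}"
  if [ -z "$key" ] && command -v pass >/dev/null 2>&1; then
    key="$(pass show abuseipdb/api-key 2>/dev/null | head -n 1)"
  fi
  [ -n "$key" ] || { echo "abuseipdb: no API key found" >&2; exit 1; }
  printf '%s' "$key"
)

# report_ip IP -> exit 2 = invalid IP, 3 = no key, 4 = API call failed.
report_ip() (
  ip="$1"
  valid_ipv4 "$ip" || { echo "abuseipdb: refusing invalid IP" >&2; exit 2; }
  key="$(load_key)" || exit 3
  # DRY_RUN=1 (assumption of this example) shows what would be sent, without sending.
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "would report ip=$ip categories=18,22"; exit 0
  fi
  # Feed the key to curl as config on stdin so it never appears in `ps` output.
  printf 'header = "Key: %s"\n' "$key" |
    curl -sS --fail --max-time 15 -K - -H 'Accept: application/json' \
      --data-urlencode "ip=$ip" -d 'categories=18,22' \
      --data-urlencode 'comment=fail2ban ban: repeated SSH authentication failures' \
      "$API_URL" >/dev/null || { echo "abuseipdb: report failed for $ip" >&2; exit 4; }
  printf '%s reported %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$ip" >>"$LOG_FILE"
)

# Stand-alone use: ./report.sh 203.0.113.7 (documentation address, constructed).
[ "$#" -eq 0 ] || report_ip "$1"
```

Running it once with DRY_RUN=1 against a known ban is a quick way to confirm the key lookup works before wiring anything into a fail2ban action.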
Functional analysis
Type: OpenClaw Skill
Name: fail2ban-reporter
Version: 1.0.0
This skill is designed to integrate with fail2ban to automatically report banned IPs to AbuseIPDB. It performs high-privilege operations, such as modifying fail2ban configuration files (`/etc/fail2ban/action.d/abuseipdb.conf`, `/etc/fail2ban/jail.local`) and restarting the fail2ban service, as seen in `scripts/install.sh` and `scripts/uninstall.sh`. It also makes external network calls to `api.abuseipdb.com` using `curl` to report and check IPs, as shown in `scripts/report-single.sh` and `scripts/check-ip.sh`. API keys are handled securely via environment variables or `pass`. All actions are clearly aligned with the stated purpose, require explicit user interaction (e.g., `sudo` for installation), and there is no evidence of malicious intent, unauthorized data exfiltration, or harmful prompt injection attempts in `SKILL.md` or `README.md`.
Capability assessment
Purpose & Capability
The skill's declared registry metadata lists no required environment variables or binaries, but the scripts and SKILL.md clearly require an AbuseIPDB API key (ABUSEIPDB_KEY or pass entry), and system tools like fail2ban, jq, and curl. The README and SKILL.md advertise Telegram notifications but there is no code implementing Telegram integration. The requested filesystem and systemd changes (editing /etc/fail2ban/* and restarting fail2ban) are appropriate for the stated purpose, but the metadata omission and unimplemented Telegram feature are inconsistent with the skill description.
Instruction Scope
Runtime instructions and scripts stay within the stated purpose: they read fail2ban state, report IPs to AbuseIPDB, and log results to /var/log/abuseipdb-reports.log. The install/uninstall scripts modify /etc/fail2ban/action.d and /etc/fail2ban/jail.local and restart fail2ban (requires root). Scripts read the AbuseIPDB key either from environment or via pass. There is no evidence of other data collection or exfiltration beyond reporting to AbuseIPDB, but the install modifies system configuration and requires sudo — users should review the exact sed edits before running.
Install Mechanism
There is no remote install step; this is an instruction-and-script package included in the skill. That lowers supply-chain risk. The install script writes files under /etc/fail2ban and restarts fail2ban, which is expected for the functionality. No downloads from untrusted URLs are performed.
Credentials
The skill requires an AbuseIPDB API key (checked at runtime via ABUSEIPDB_KEY or pass show abuseipdb/api-key), plus system-level sudo to edit fail2ban config, but the manifest declares no required env vars or credentials. The use of pass to read a specific entry is reasonable, but the metadata should have declared the primary credential. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true and is user-invocable. The installer requires root and modifies system fail2ban configs and restarts the service — this is necessary for auto-reporting, but it's a high-privilege operation. Users should expect and approve these changes before installing. The skill does not appear to change other skills or agent-wide configs.
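How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install fail2ban-reporter
  3. After installation, call the Skill by name or use /fail2ban-reporter to trigger it
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history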
v1.0.0
Initial release
Metadata
Slug fail2ban-reporter
Version 1.0.0
License
Total installs 4
Current installs 3
Historical versions 1
FAQ

What is fail2ban Reporter?

Auto-report fail2ban banned IPs to AbuseIPDB and notify via Telegram. Use when monitoring server security, reporting attackers, or checking banned IPs. Watches fail2ban for new bans, reports them to AbuseIPDB, and sends alerts. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2543 total downloads to date.

How do I install fail2ban Reporter?

Run the command "/install fail2ban-reporter" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is fail2ban Reporter free?

Yes, fail2ban Reporter is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does fail2ban Reporter support?

fail2ban Reporter runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed fail2ban Reporter?

Developed and maintained by jester (@jestersimpps); the current version is v1.0.0.
