https://ipthreat.net integration

Author: jjxtra

IPBanCore/Core/IPBan/IPBanConfig.cs

@@ -113,6 +113,8 @@ public void Dispose()
         private readonly TimeSpan cycleTime = TimeSpan.FromMinutes(1.0d);
         private readonly TimeSpan minimumTimeBetweenFailedLoginAttempts = TimeSpan.FromSeconds(5.0);
         private readonly TimeSpan minimumTimeBetweenSuccessfulLoginAttempts = TimeSpan.FromSeconds(5.0);
+
+        private readonly string ipThreatApiKey = string.Empty;
         private readonly int failedLoginAttemptsBeforeBan = 5;
         private readonly bool resetFailedLoginCountForUnbannedIPAddresses;
         private readonly string firewallRulePrefix = "IPBan_";
@@ -180,6 +182,7 @@ private IPBanConfig(XmlDocument doc, IDnsLookup dns = null, IDnsServerList dnsLi
                 appSettings[node.Attributes["key"].Value] = node.Attributes["value"].Value;
             }
 
+            GetConfig<string>("IPThreatApiKey", ref ipThreatApiKey);
             GetConfig<int>("FailedLoginAttemptsBeforeBan", ref failedLoginAttemptsBeforeBan, 1, 50);
             GetConfig<bool>("ResetFailedLoginCountForUnbannedIPAddresses", ref resetFailedLoginCountForUnbannedIPAddresses);
             GetConfigArray<TimeSpan>("BanTime", ref banTimes, emptyTimeSpanArray);
@@ -881,6 +884,11 @@ appSettingsOverride is not null &&
         /// </summary>
         public IReadOnlyDictionary<string, string> AppSettings => appSettings;
 
+        /// <summary>
+        /// Api key from https://ipthreat.net, if any
+        /// </summary>
+        public string IPThreatApiKey { get { return ipThreatApiKey; } }
+        
         /// <summary>
         /// Number of failed login attempts before a ban is initiated
         /// </summary>

IPBanCore/Core/IPBan/IPBanIPThreatUploader.cs

@@ -0,0 +1,129 @@
+using System;
+using System.Net.Http;
+using System.Threading.Tasks;
+using System.Threading;
+using System.Collections.Generic;
+using System.Linq;
+using System.Globalization;
+using System.Reflection;
+using System.Diagnostics.CodeAnalysis;
+
+namespace DigitalRuby.IPBanCore;
+
+/// <summary>
+/// Sync failed logins to ipthreat api
+/// </summary>
+public sealed class IPBanIPThreatUploader : IUpdater, IIPAddressEventHandler
+{
+    private static readonly Uri ipThreatReportApiUri = new("https://api.ipthreat.net/api/bulkreport");
+    
+    private readonly IIPBanService service;
+    private readonly Random random = new();
+    private readonly List<IPAddressLogEvent> events = new();
+    
+    private DateTime nextRun;
+
+    /// <summary>
+    /// Constructor
+    /// </summary>
+    /// <param name="service">Service</param>
+    public IPBanIPThreatUploader(IIPBanService service)
+    {
+        this.service = service;
+        nextRun = IPBanService.UtcNow;//.AddMinutes(random.Next(30, 91));
+    }
+    
+    /// <inheritdoc />
+    public void Dispose()
+    {
+        
+    }
+
+    /// <inheritdoc />
+    public async Task Update(CancellationToken cancelToken = default)
+    {
+        // ready to run?
+        var now = IPBanService.UtcNow;
+        if (now < nextRun)
+        {
+            return;
+        }
+
+        // do we have an api key?
+        var apiKey = (service.Config.IPThreatApiKey ?? string.Empty).Trim();
+        if (string.IsNullOrWhiteSpace(apiKey))
+        {
+            return;
+        }
+        // api key can be read from env var if starts and ends with %
+        else if (apiKey.StartsWith("%") && apiKey.EndsWith("%"))
+        {
+            apiKey = Environment.GetEnvironmentVariable(apiKey.Trim('%'));
+            if (string.IsNullOrWhiteSpace(apiKey))
+            {
+                return;
+            }
+        }
+        
+        // copy events
+        IReadOnlyCollection<IPAddressLogEvent> eventsCopy;
+        lock (events)
+        {
+            eventsCopy = events.ToArray();
+            events.Clear();
+        }
+        if (eventsCopy.Count == 0)
+        {
+            return;
+        }
+
+        // post json
+        try
+        {
+            /*
+            [{
+                "ip": "1.2.3.4",
+                "flags": "None",
+                "system": "SMTP",
+                "notes": "Failed password",
+                "ts": "2022-09-02T15:24:07.842Z",
+                "count": 1
+            }]
+            */
+            var transform =
+                eventsCopy.Select(e => new
+                {
+                    ip = e.IPAddress,
+                    flags = "BruteForce",
+                    system = e.Source,
+                    notes = "ipban " + Assembly.GetEntryAssembly()?.GetName().Version?.ToString(3),
+                    ts = e.Timestamp.ToString("s", CultureInfo.InvariantCulture) + "Z",
+                    count = e.Count
+                });
+            var jsonObj = new { items = transform };
+            // have to use newtonsoft here
+            var postJson = System.Text.Encoding.UTF8.GetBytes(Newtonsoft.Json.JsonConvert.SerializeObject(jsonObj));
+            await service.RequestMaker.MakeRequestAsync(ipThreatReportApiUri,
+                postJson,
+                new KeyValuePair<string, object>[] { new KeyValuePair<string, object>("X-API-KEY", apiKey) },
+                cancelToken);
+        }
+        catch (Exception ex)
+        {
+            Logger.Error(ex, "Failed to post json to ipthreat api, please double check your IPThreatApiKey setting");
+        }
+
+        // set next run time
+        nextRun = now.AddMinutes(random.Next(30, 91));
+    }
+
+    /// <inheritdoc />
+    public void AddIPAddressLogEvents(IEnumerable<IPAddressLogEvent> events)
+    {
+        lock (events)
+        {
+            this.events.AddRange(events.Where(e => e.Type == IPAddressEventType.FailedLogin &&
+                !service.Config.IsWhitelisted(e.IPAddress)));
+        }
+    }
+}

IPBanCore/Core/IPBan/IPBanService.cs

@@ -129,6 +129,7 @@ public void AddIPAddressLogEvents(IEnumerable<IPAddressLogEvent> events)
             {
                 pendingLogEvents.AddRange(eventsArray);
             }
+            IPThreatUploader.AddIPAddressLogEvents(eventsArray);
         }
 
         /// <summary>
@@ -374,6 +375,7 @@ public async Task RunAsync(CancellationToken cancelToken)
                     AddUpdater(new IPBanUnblockIPAddressesUpdater(this, Path.Combine(AppContext.BaseDirectory, "unban*.txt")));
                     AddUpdater(new IPBanBlockIPAddressesUpdater(this, Path.Combine(AppContext.BaseDirectory, "ban*.txt")));
                     AddUpdater(DnsList);
+                    AddUpdater(IPThreatUploader ??= new IPBanIPThreatUploader(this));
 
                     // start delegate if we have one
                     IPBanDelegate?.Start(this);

IPBanCore/Core/IPBan/IPBanService_Fields.cs

@@ -104,6 +104,11 @@ public string ConfigFilePath
         /// </summary>
         public IDnsServerList DnsList { get; set; } = new IPBanDnsServerList();
 
+        /// <summary>
+        /// If an api key is specified in the IPThreatApiKey app setting
+        /// </summary>
+        public IPBanIPThreatUploader IPThreatUploader { get; set; }
+    
         /// <summary>
         /// Extra handler for banned ip addresses (optional)
         /// </summary>

IPBanCore/Core/Interfaces/IHttpRequestMaker.cs

@@ -49,7 +49,7 @@ public interface IHttpRequestMaker
         /// <param name="headers">Optional http headers</param>
         /// <param name="cancelToken">Cancel token</param>
         /// <returns>Task of response byte[]</returns>
-        Task<byte[]> MakeRequestAsync(Uri uri, string postJson = null, IEnumerable<KeyValuePair<string, object>> headers = null,
+        Task<byte[]> MakeRequestAsync(Uri uri, byte[] postJson = null, IEnumerable<KeyValuePair<string, object>> headers = null,
             CancellationToken cancelToken = default) => throw new NotImplementedException();
     }
 
@@ -83,7 +83,7 @@ public class DefaultHttpRequestMaker : IHttpRequestMaker
         public static long LocalRequestCount { get { return localRequestCount; } }
 
         /// <inheritdoc />
-        public async Task<byte[]> MakeRequestAsync(Uri uri, string postJson = null, IEnumerable<KeyValuePair<string, object>> headers = null,
+        public async Task<byte[]> MakeRequestAsync(Uri uri, byte[] postJson = null, IEnumerable<KeyValuePair<string, object>> headers = null,
             CancellationToken cancelToken = default)
         {
             if (uri.Host.StartsWith("localhost", StringComparison.OrdinalIgnoreCase) ||
@@ -122,15 +122,16 @@ public async Task<byte[]> MakeRequestAsync(Uri uri, string postJson = null, IEnu
                 }
             }
             byte[] response;
-            if (string.IsNullOrWhiteSpace(postJson))
+            if (postJson is null || postJson.Length == 0)
             {
                 msg.Method = HttpMethod.Get;
             }
             else
             {
-                msg.Headers.Add("Cache-Control", "no-cache");
                 msg.Method = HttpMethod.Post;
-                msg.Content = new StringContent(postJson, Encoding.UTF8, "application/json");
+                msg.Headers.Add("Cache-Control", "no-cache");
+                msg.Content = new ByteArrayContent(postJson);
+                msg.Content.Headers.Add("Content-Type", "application/json; charset=utf-8");
             }
 
             var responseMsg = await client.SendAsync(msg, cancelToken);
@@ -139,17 +140,19 @@ public async Task<byte[]> MakeRequestAsync(Uri uri, string postJson = null, IEnu
             {
                 throw new WebException("Request to url " + uri + " failed, status: " + responseMsg.StatusCode + ", response: " + Encoding.UTF8.GetString(response));
             }
-            if (uri.AbsolutePath.EndsWith(".gz", StringComparison.OrdinalIgnoreCase))
+            else if (response is not null &&
+                response.Length != 0 &&
+                uri.AbsolutePath.EndsWith(".gz", StringComparison.OrdinalIgnoreCase))
             {
                 try
                 {
                     // in case response somehow got gzip decompressed already, catch exception and keep response as is
-                    MemoryStream decompressdStream = new();
+                    MemoryStream decompressStream = new();
                     {
                         using GZipStream gz = new(new MemoryStream(response), CompressionMode.Decompress, true);
-                        gz.CopyTo(decompressdStream);
+                        gz.CopyTo(decompressStream);
                     }
-                    response = decompressdStream.ToArray();
+                    response = decompressStream.ToArray();
                 }
                 catch
                 {

IPBanCore/IPBanCore.csproj

@@ -6,9 +6,9 @@
 		<PreserveCompilationContext>true</PreserveCompilationContext>
 		<PackageRequireLicenseAcceptance>true</PackageRequireLicenseAcceptance>
 		<PackageId>DigitalRuby.IPBanCore</PackageId>
-		<Version>1.7.4</Version>
-		<AssemblyVersion>1.7.4</AssemblyVersion>
-		<FileVersion>1.7.4</FileVersion>
+		<Version>1.8.0</Version>
+		<AssemblyVersion>1.8.0</AssemblyVersion>
+		<FileVersion>1.8.0</FileVersion>
 		<Authors>Jeff Johnson</Authors>
 		<Company>Digital Ruby, LLC</Company>
 		<Product>IPBan</Product>

IPBanCore/ipban.config

@@ -767,6 +767,16 @@ Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a l
 
   <appSettings>
 
+	<!--
+	Enter your https://ipthreat.net api key here to submit failed logins to the 100% free ipthreat site and service
+	1] Create an account on the ipthreat website : https://ipthreat.net/account/signup
+	2] Go to https://ipthreat.net/requestpermissions to get bulk report permission
+	3] Once you get an email back verifying permissions, create an api key at https://ipthreat.net/account?tab=apikeys
+	4] Enter your api key below (no need to restart the service)
+	Note: You can use %env_var_name% to read the api key from an environment variable to avoid exposing it in the config
+	-->
+	<add key="IPThreatApiKey" value="" />
+	  
     <!-- Number of failed logins before banning the ip address -->
     <add key="FailedLoginAttemptsBeforeBan" value="5"/>
 

IPBanTests/IPBanUriFirewallRuleTests.cs

@@ -82,7 +82,7 @@ private async Task TestFileInternal(string uri)
             }
         }
 
-        public Task<byte[]> MakeRequestAsync(Uri uri, string postJson = null, IEnumerable<KeyValuePair<string, object>> headers = null,
+        public Task<byte[]> MakeRequestAsync(Uri uri, byte[] postJson = null, IEnumerable<KeyValuePair<string, object>> headers = null,
             CancellationToken cancelToken = default)
         {
             return Task.FromResult(Encoding.UTF8.GetBytes(GetTestFile()));

README.md

@@ -1,16 +1,14 @@
 IPBan - Block out attackers quickly and easily on Linux and Windows
 -----
 [![Github Sponsorship](.github/github_sponsor_btn.svg)](https://github.com/sponsors/jjxtra)
-
 [![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=7EJ3K33SRLU9E)
-
 [![Build Status](https://dev.azure.com/DigitalRuby/DigitalRuby/_apis/build/status/DigitalRuby_IPBan?branchName=master)](https://dev.azure.com/DigitalRuby/DigitalRuby/_build/latest?definitionId=4&branchName=master)
 
-Get a discount on IPBan Pro by visiting <a href='https://ipban.com/upgrade-to-ipban-pro/'>https://ipban.com/upgrade-to-ipban-pro/</a>.
-
-You can also visit the ipban discord at https://discord.gg/GRmbCcKFNR to chat with other IPBan users.
-
-<a href="https://ipban.com/newsletter">Sign up for the IPBan Mailing List</a>
+**Helpful Links**
+- Get a discount on IPBan Pro by visiting <a href='https://ipban.com/upgrade-to-ipban-pro/'>https://ipban.com/upgrade-to-ipban-pro/</a>.
+- <a href='https://ipthreat.net/integrations/ipban'>Integrate IPBan with IPThreat</a>, a 100% free to use website and service. Unlike some other sites and services, we don't charge a high subscription fee. Keeping your servers protected should not cost a fortune.
+- You can also visit the ipban discord at https://discord.gg/GRmbCcKFNR to chat with other IPBan users.
+- <a href="https://ipban.com/newsletter">Sign up for the IPBan Mailing List</a>
 
 **Requirements**
 - IPBan requires .NET 6 SDK to build and debug code. For an IDE, I suggest Visual Studio Community for Windows, or VS code for Linux. All are free. You can build a self contained executable to eliminate the need for dotnet core on the server machine, or just download the precompiled binaries.
@@ -75,6 +73,10 @@ To disable anonymously sending banned ip addresses to the global ipban database,
 
 Get a discount on IPBan Pro by visiting <a href='https://ipban.com/upgrade-to-ipban-pro/'>https://ipban.com/upgrade-to-ipban-pro/</a>.
 
+**Other Services**
+
+<a href='https://ipthreat.net/integrations/ipban'>Integrate IPBan with IPThreat</a>, a 100% free to use website and service. Unlike some other sites and services, we don't charge high subscription fee. Keeping your servers protected should not cost a fortune.
+
 **Dontations**
 If the free IPBan has helped you and you feel so inclined, please consider donating...