I'd like to request that the automated abuse reports produced contain the destination (attacked) IP address in their opening line.
The reason for this is that CSF only takes the hostname as written in "/etc/hostname", which is not an FQDN on many Linux distributions.
There is plenty of (unrelated) discussion about as to whether this file should contain an FQDN or only system name, but opinions aside, an FQDN will not be available in all circumstances. Also the IP address associated with an FQDN could change at any time, so it would be ideal to have "at this time this FQDN/name pointed to this IP address". Currently on
Debian derived systems, which use "/etc/hostname" for a system name only, the abuse report may not contain enough information as to what got attacked. For example:
The 2 attached files also do not contain the attacked IP address, only the hostname. In some cases this information can only be pieced together if the attack type was email login, in which case the mailbox username (if it's a full email address) will be present, but otherwise nothing.The IP address 62.x.x.x (FR/France/-/-/example/[ASXXXX Example]) was found attacking smtpauth on systemname 5 times in the last 7200 seconds.
Attached is an X-ARF report (see http://www.x-arf.org/specification.html) and the original log report that triggered this block.
Abuse Contact for 62.x.x.x: [email@example.com]
The current abuse login attack 0.1.2 schema does specify "Destination" and "Destination-Type" nodes which should also contain an IP address.
Thanks for reading. (and for CSF)