Abuse report should contain destination (attacked) IP address


Post by Adambean »

Hello,

I'd like to request that the automated abuse reports produced contain the destination (attacked) IP address in their opening line.

The reason for this is that CSF only takes the hostname as written in "/etc/hostname", which is not an FQDN on many Linux distributions.

There is plenty of (unrelated) discussion about whether this file should contain an FQDN or only the system name, but opinions aside, an FQDN will not be available in all circumstances. Also, the IP address associated with an FQDN could change at any time, so it would be ideal to have "at this time this FQDN/name pointed to this IP address". Currently on Debian-derived systems, which use "/etc/hostname" for a system name only, the abuse report may not contain enough information as to what got attacked. For example:
The IP address 62.x.x.x (FR/France/-/-/example/[ASXXXX Example]) was found attacking smtpauth on systemname 5 times in the last 7200 seconds.

Attached is an X-ARF report (see http://www.x-arf.org/specification.html) and the original log report that triggered this block.

Abuse Contact for 62.x.x.x: [abuse@example.com]

...disclaimer...
The 2 attached files also do not contain the attacked IP address, only the hostname. In some cases this information can only be pieced together if the attack type was email login, in which case the mailbox username (if it's a full email address) will be present, but otherwise nothing.

The current abuse login attack 0.1.2 schema does specify "Destination" and "Destination-Type" nodes which should also contain an IP address.

Thanks for reading. (and for CSF)
designextreme

Re: Abuse report should contain destination (attacked) IP address

Post by designextreme »

I would like to add my support to adding the destination (i.e. the username) to the logs.

This would be very helpful in identifying mainly genuine users repeatedly logging in with the same invalid login credentials (e.g. an email account).

Example:

Oct 25 13:59:50 de lfd[12345]: (imapd) Failed IMAP login from 123.123.123.99 with username abc@somedomain.com (GB/United Kingdom/some-host-32-32-32.someispcom): 10 in the last 3600 secs - *Blocked in csf* [LF_IMAPD]


Additionally, these blocks almost always involve the same login credentials - surely there should be a basic check if this is the case before performing a block?
Adambean

Re: Abuse report should contain destination (attacked) IP address

Post by Adambean »

The abuse report wouldn't need to contain usernames, e.g. for mailboxes, because abuse reports are intended to be relayed to the ISP of the offending IP address rather than your own information as a system administrator.

LFD will already give you a separate email containing a snippet of logs, which would contain usernames and such for your information, for example snippets from Exim, Postfix, Dovecot, or SSHd.

My suggestion was specifically regarding the auto-generated X-ARF report, should you opt in to this in LFD's configuration, to be relayed to an offending IP address' ISP. I'd like to see the destination IP address (your server) shown in that so the ISP knows what their customer has been targeting. (Seeing a username of a mailbox or similar would be too much information, and frankly of little use, for a foreign ISP.)
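The report shape Adambean describes, as an added example that is not code from this thread or from CSF/LFD: a small Python reporter that parses a constructed lfd log line in the format designextreme quoted, fills the X-ARF login-attack 0.1.2 fields including Destination/Destination-Type with the attacked server's IP (supplied by the caller, since the name in /etc/hostname may not be an FQDN), and leaves the mailbox username out of the part sent to the remote ISP. The schema URL, the User-Agent string and all IPs and hostnames are assumed or constructed values.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the lfd format quoted above (documentation IP ranges, fake host).
SAMPLE_LINE = ("Oct 25 13:59:50 de lfd[12345]: (imapd) Failed IMAP login from 192.0.2.99 "
               "with username abc@somedomain.com (GB/United Kingdom/some-host.example): "
               "10 in the last 3600 secs - *Blocked in csf* [LF_IMAPD]")

LFD_RE = re.compile(
    r"\((?P<service>\w+)\) Failed \w+ login from (?P<src>[\d.]+) "
    r"with username (?P<user>\S+) .*?: (?P<count>\d+) in the last (?P<secs>\d+) secs"
)

def parse_lfd_line(line):
    """Pull service, source IP, username, hit count and window out of an lfd block line."""
    m = LFD_RE.search(line)
    if not m:
        raise ValueError("not an lfd failed-login line")
    return {"service": m.group("service"), "source": m.group("src"),
            "user": m.group("user"), "occurrences": int(m.group("count")),
            "window": int(m.group("secs"))}

def build_xarf_report(line, dest_ip, reporter, when=None):
    """Machine-readable X-ARF part for the login-attack 0.1.2 schema.

    dest_ip is the attacked server's address, passed in explicitly because the
    name in /etc/hostname may not be an FQDN and may not resolve. The username
    parsed from the log is intentionally not copied into the report: it is for
    the local admin's own notification, not for the ISP receiving the X-ARF mail.
    """
    hit = parse_lfd_line(line)
    when = when or datetime.now(timezone.utc)
    return {
        # Schema URL and User-Agent are assumed values; check them against the spec.
        "Schema-URL": "http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json",
        "Version": "0.2",
        "User-Agent": "example-xarf-reporter/0.1",
        "Date": when.astimezone(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S +0000"),
        "Reported-From": reporter,
        "Category": "abuse",
        "Report-Type": "login-attack",
        "Service": hit["service"],
        "Source": hit["source"],
        "Source-Type": "ipv4",
        "Occurrences": hit["occurrences"],
        "Destination": dest_ip,        # the fields this thread asks LFD to fill in
        "Destination-Type": "ipv4",
    }

def render_xarf_part(report):
    """Serialise the report as the 'Key: value' lines of the machine-readable part."""
    return "\n".join(f"{k}: {v}" for k, v in report.items()) + "\n"
```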