v.1.0.4

README.md

@@ -9,6 +9,9 @@ module (version 1.x-1.0.5 or newest) to automatically block anyone who tries to
 Usually it is a bad crawler looking for known potentially vulnerable paths, 
 such as "wp-admin.php", "xmlrpc.php" and so on.
 
+**New in version version 1.x-1.0.4:** option "Report to AbuseIPDB" can be enabled for automatic reporting to AbuseIPDB about blocked scanners activity.
+(You need to install [AbuseIPDB report](https://backdropcms.org/project/abuseipdb_report) module to see and use this option.)
+
 Installation
 ------------
 Install this module using the official Backdrop CMS instructions at https://backdropcms.org/guide/modules
@@ -21,7 +24,8 @@ and may be used for:
 
 - add your patterns for paths to be restricted (some usefull patterns are already added out of the box);
 - set paths or portions of paths that will NOT be restricted to avoid self-blocking;
-- enable or disable logging for blocked access attempts (enabled by default);
+- enable automatic reporting to AbuseIPDB about blocked scanners activity ("AbuseIPDB report" module should be installed);
+- enable logging for blocked access attempts (enabled by default);
 - select the time after which the blocked IP will be unblocked automatically;
 - use "Test Mode" to test your patterns, your current IP will not be blocked, but you may see a message when you try to visit the restricted path.
 

antiscan.admin.inc

@@ -8,9 +8,8 @@
  * Define the form for manage blocking restricted paths
  *
  */
-function antiscan_form() {
+function antiscan_form($form, &$form_state) {
   $config = config('antiscan.settings');
-  $form   = array();
 
   $form['top'] = array(
     '#markup' => t('When a web crawler or even a person tries to visit a path that matches one of the patterns specified in the field below, their IP address will be blocked.')
@@ -25,8 +24,8 @@ function antiscan_form() {
     '#title' => t('Restricted path patterns'),
     '#required' => TRUE,
     '#description' => t('Enter paths or portions of paths to restrict, separating them with commas or new lines.')
-      . '<br>' . t('Please note: the <b>*</b> character is a wildcard for end of pattern, so pattern like') . '<b> wp-* </b>' 
-      . t('will match to any path containing "wp-admin", "wp-login", etc.'),
+      . '<br>' . t('Please note: the <b>*</b> character is a wildcard for end of pattern, so pattern like') . '<b> /wp-* </b>' 
+      . t('will match to any path containing "/wp-admin", "/wp-login.php", etc.'),
 
   );
 
@@ -54,6 +53,15 @@ function antiscan_form() {
       . '<br>' . t('Same format of rules as above.'),
   );
 
+  if (module_exists('abuseipdb_report')) { 
+    $form['abuseipdb_report'] = array(
+      '#type' => 'checkbox',
+      '#title' => t('Report to AbuseIPDB'),
+      '#default_value' => $config->get('abuseipdb_report'),
+      '#description' => t('Report to AbuseIPDB about blocked scanners activity.'), 
+    );
+  }  
+
   $form['log_enabled'] = array(
     '#type' => 'checkbox',
     '#title' => t('Enable logging'),
@@ -120,20 +128,23 @@ function antiscan_form_validate($form, &$form_state) {
  * Implements hook_submit().
  */
 function antiscan_form_submit($form, &$form_state) {
-  $config         = config('antiscan.settings');
-  $path_patterns  = trim($form_state['values']['path_patterns']);
-  $path_noblock   = trim($form_state['values']['path_noblock']);
-  $log_enabled    = (int) $form_state['values']['log_enabled'];
-  $unblock        = (int) $form_state['values']['unblock'];
-  $unblock_after  = (int) $form_state['values']['unblock_after']; 
-  $test_mode      = (int) $form_state['values']['test_mode'];
+  $config        = config('antiscan.settings');
+  $path_patterns = trim($form_state['values']['path_patterns']);
+  $path_noblock  = trim($form_state['values']['path_noblock']);
+  $log_enabled   = (int) $form_state['values']['log_enabled'];
+  $unblock       = (int) $form_state['values']['unblock'];
+  $unblock_after = (int) $form_state['values']['unblock_after']; 
+  $test_mode     = (int) $form_state['values']['test_mode'];
 
-  $config->set('path_patterns',  strtolower($path_patterns));
-  $config->set('path_noblock',   strtolower($path_noblock));
-  $config->set('log_enabled',    $log_enabled);
-  $config->set('unblock',        $unblock);
-  $config->set('unblock_after',  $unblock_after);
-  $config->set('test_mode',      $test_mode);
+  $config->set('path_patterns', strtolower($path_patterns));
+  $config->set('path_noblock',  strtolower($path_noblock));
+  if (isset($form_state['values']['abuseipdb_report'])) {  
+    $config->set('abuseipdb_report', $form_state['values']['abuseipdb_report']);
+  }
+  $config->set('log_enabled',   $log_enabled);
+  $config->set('unblock',       $unblock);
+  $config->set('unblock_after', $unblock_after);
+  $config->set('test_mode',     $test_mode);
 
   $config->save();
   backdrop_set_message(t('The configuration options have been saved.'));

antiscan.info

@@ -8,4 +8,4 @@ dependencies[] = ip_blocking (>=1.0.5)
 
 configure = admin/config/people/antiscan
 
-version = 1.0.3 
+version = 1.0.4 

antiscan.install

@@ -29,4 +29,16 @@ function antiscan_requirements($phase) {
   }
 
   return $requirements;
-}
+}
+
+/**
+ *  Add and initialize new variable.
+ *  Set first starting time for reports.
+ */
+function antiscan_update_1000() {
+  $config = config('antiscan.settings');
+  $config->set('abuseipdb_report', 0);
+  $config->save();
+
+  state_set('antiscan_abuseipdb_report_last_date', time());
+}

antiscan.module

@@ -153,14 +153,19 @@ function antiscan_is_denied($ip) {
  * Implementation of hook_cron().
 */
 function antiscan_cron() {
-  $config        = config('antiscan.settings');
-  $unblock       = $config->get('unblock');
-  $unblock_after = $config->get('unblock_after');
-  $time_expired  = time() - $unblock_after;  
+  $config           = config('antiscan.settings');
+  $abuseipdb_report = $config->get('abuseipdb_report');
+  $unblock          = $config->get('unblock');
+  $unblock_after    = $config->get('unblock_after');
+  $time_expired     = time() - $unblock_after;  
 
   if ($unblock) {
     antiscan_unblock($time_expired);
   }
+
+  if ($abuseipdb_report) {
+    antiscan_abuseipdb_report();
+  }
 }
 
 /**
@@ -179,6 +184,45 @@ function antiscan_unblock($time_expired) {
   }
 }
 
+/**
+ * Report blocked IP to AbuseIPDB.
+ */
+function antiscan_abuseipdb_report() {
+
+  if (module_exists('abuseipdb_report')) {
+    $config           = config('antiscan.settings');
+    $abuseipdb_report = $config->get('abuseipdb_report');
+
+    if ($abuseipdb_report) {
+      $last_report_date = state_get('antiscan_abuseipdb_report_last_date', 0);
+
+      $result = db_select('blocked_ips', 'bi')
+          ->fields('bi', array(
+            'ip', 'reason',
+            )
+          )
+          ->condition('uid', MODULE_UID, '=')                
+          ->condition('time', $last_report_date, '>')                
+          ->execute()
+          ->fetchAll();
+
+      if ($result) {
+        // Most relevant categories: Brute-Force, Bad Web Bot, Web App Attack
+        $categories = array(18, 19, 21);
+
+        foreach ($result as $record => $value) {
+          $ip = $value->ip;
+          $request = $value->reason;
+          abuseipdb_report_ip($ip, $request, '"Antiscan" module', $categories);
+          sleep(1);
+        }
+
+        state_set('antiscan_abuseipdb_report_last_date', time());
+      }
+    }
+  }
+}
+
 /**
  * Utility function
  * @param string $raw_string

config/antiscan.settings.json

@@ -5,6 +5,7 @@
   "log_enabled": 1,
   "test_mode": 0,
   "unblock": 1,
-  "unblock_after": 604800
+  "unblock_after": 604800,
+  "abuseipdb_report": 0
 }