fail2ban-reporter – OpenClaw Skill

---

name: fail2ban-reporter description: "Auto-report fail2ban banned IPs to AbuseIPDB and notify via Telegram. Use when monitoring server security, reporting attackers, or checking banned IPs. Watches fail2ban for new bans, reports them to AbuseIPDB, and sends alerts."

fail2ban Reporter

Monitor fail2ban bans and auto-report attackers to AbuseIPDB.

Setup

1. Get a free AbuseIPDB API key at https://www.abuseipdb.com/account/api
2. Store it: pass insert abuseipdb/api-key
3. Install the monitor: bash {baseDir}/scripts/install.sh

Manual Usage

Report all currently banned IPs

bash {baseDir}/scripts/report-banned.sh

Check a specific IP

bash {baseDir}/scripts/check-ip.sh <ip>

Show ban stats

bash {baseDir}/scripts/stats.sh

Auto-Reporting

The install script sets up a fail2ban action that auto-reports new bans.

bash {baseDir}/scripts/install.sh    # install auto-reporting
bash {baseDir}/scripts/uninstall.sh  # remove auto-reporting

Heartbeat Integration

Add to HEARTBEAT.md to check for new bans periodically:

- [ ] Check fail2ban stats and report any unreported IPs to AbuseIPDB

Workflow

1. fail2ban bans an IP → action triggers report-single.sh
2. Script reports to AbuseIPDB with SSH brute-force category
3. Sends Telegram notification (if configured)
4. Logs report to /var/log/abuseipdb-reports.log

API Reference

See references/abuseipdb-api.md for full API docs.

🛡️ Clawdbot fail2ban Reporter

Auto-report fail2ban banned IPs to AbuseIPDB, protecting the community from brute-force attackers.

Built for Clawdbot — works as a standalone tool too.

Why?

Every server with a public IP gets attacked. fail2ban blocks them locally — but reporting to AbuseIPDB blocks them globally. When you report an attacker, every other server using AbuseIPDB's blocklist benefits.

Real stats from a fresh server:

Within 60 seconds of enabling fail2ban:
→ 62 failed SSH attempts
→ 9 unique IPs banned  
→ Attacks from 7 countries

Quick Start

1. Get an AbuseIPDB API Key (free)

Sign up at abuseipdb.com — free tier allows 1000 reports/day.

2. Store your API key

# Using pass (recommended)
pass insert abuseipdb/api-key

# Or export directly
export ABUSEIPDB_KEY="your-api-key"

3. Report currently banned IPs

bash scripts/report-banned.sh

4. Enable auto-reporting (optional)

sudo bash scripts/install.sh

Now every new fail2ban ban automatically reports to AbuseIPDB.

Usage

Report all banned IPs

bash scripts/report-banned.sh          # default: sshd jail
bash scripts/report-banned.sh nginx    # custom jail

Check an IP's reputation

bash scripts/check-ip.sh 1.2.3.4

View stats

bash scripts/stats.sh

Remove auto-reporting

sudo bash scripts/uninstall.sh

Clawdbot Skill

If you're using Clawdbot, install as a skill:

# Copy to skills directory
cp -r . ~/.clawdbot/skills/fail2ban-reporter/

Then ask your Clawdbot:

• "Report banned IPs to AbuseIPDB"
• "Check IP 1.2.3.4"
• "Show fail2ban stats"

Heartbeat Integration

Add to your HEARTBEAT.md:

- [ ] Check fail2ban for new bans, report unreported IPs to AbuseIPDB

How It Works

Attacker → SSH brute-force → fail2ban bans IP → report-single.sh
                                                      ↓
                                              AbuseIPDB API (report)
                                                      ↓
                                              /var/log/abuseipdb-reports.log

Prerequisites

• fail2ban — sudo apt install fail2ban
• jq — sudo apt install jq
• curl — usually pre-installed
• pass (optional) — for secure API key storage

License

MIT — report those attackers, protect the community! 🛡️