AbuseIPDB has a free API plan that will allow you to get a list of up to 10.000 blacklisted IP addresses that are currently reported for malicious activity.
On a Linux server, we can use this data to automatically block that bad IP traffic from our servers.
Block IP addresses on the firewall
Here is a small script that when run will get the list from AbuseIPDB and block them on the firewall:
#!/bin/bash
# Your AbuseIPDB API key
api_key="your_api_key_here"
# Fetch the latest abuse data from AbuseIPDB
curl -s "https://api.abuseipdb.com/api/v2/blacklist?key=$api_key" > abuse_data.json
# Extract the IP addresses from the abuse data
ips=$(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" abuse_data.json)
# Add each IP address to the firewall blocklist
for ip in $ips; do
/usr/sbin/csf -d $ip "Added by AbuseIPDB script"
done
# Restart the firewall to apply the changes
/usr/sbin/csf -r
Make sure to replace your_api_key_here with your AbuseIPDB API key.
Automatically check IPs on the AbuseIPDB list and block them
To automatically check each IP that accesses the server against the AbuseIPDB database and block reported IPs, you can modify the firewall configuration and add a script to automate the check and block process. Here’s an example of how you can do this with the ConfigServer Firewall (CSF).
Modify the CSF configuration to automatically check each incoming IP against the AbuseIPDB database:
Edit the CSF configuration file
nano /etc/csf/csf.conf
Enable the IP blacklists feature
BLACKLIST_ENABLE = "1"
Edit the csf.blocklists file
nano /etc/csf/csf.blocklists
Set the abuse database URL
# AbuseIPDB blacklist
# Details: https://docs.abuseipdb.com/#blacklist-endpoint
ABUSEIPDB|86400|10000|https://api.abuseipdb.com/api/v2/blacklist?key=YOUR_API_KEY&plaintext
Note that you’ll need to replace $api_key
with your actual AbuseIPDB API key.
Then restart the firewall
csf -ra
Check current IP connections on the AbuseIPDB list and block them
You can also create a script that will check all current connections in the AbuseIPDB top 10.000 list and if present blocks them immediately. This might come in handy at DoS attack times.
#!/bin/bash
# Your AbuseIPDB API key
api_key="your_api_key_here"
# Fetch the latest abuse data from AbuseIPDB
curl -s "https://api.abuseipdb.com/api/v2/blacklist?key=$api_key" > abuse_data.json
# Extract the IP addresses from the abuse data
ips=$(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" abuse_data.json)
# Check each incoming IP against the abuse database
for incoming_ip in $(/sbin/iptables -L INPUT -n --line-numbers | awk '/dpt:22/ {print $8}'); do
for reported_ip in $ips; do
if [ "$incoming_ip" == "$reported_ip" ]; then
# Block the IP
/usr/sbin/csf -d $incoming_ip "Blocked by AbuseIPDB"
fi
done
done