Use AbuseIPDB API to block bad IP’s on ConfigServer Firewall

Use AbuseIPDB API to block bad IP’s on ConfigServer Firewall

AbuseIPDB has a free API plan that will allow you to get a list of up to 10.000 blacklisted IP addresses that are currently reported for malicious activity.

On a Linux server, we can use this data to automatically block that bad IP traffic from our servers.


Block IP addresses on the firewall

Here is a small script that when run will get the list from AbuseIPDB and block them on the firewall:

#!/bin/bash

# Your AbuseIPDB API key
api_key="your_api_key_here"

# Fetch the latest abuse data from AbuseIPDB
curl -s "https://api.abuseipdb.com/api/v2/blacklist?key=$api_key" > abuse_data.json

# Extract the IP addresses from the abuse data
ips=$(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" abuse_data.json)

# Add each IP address to the firewall blocklist
for ip in $ips; do
  /usr/sbin/csf -d $ip "Added by AbuseIPDB script"
done

# Restart the firewall to apply the changes
/usr/sbin/csf -r

Make sure to replace your_api_key_here with your AbuseIPDB API key.


Automatically check IPs on the AbuseIPDB list and block them

To automatically check each IP that accesses the server against the AbuseIPDB database and block reported IPs, you can modify the firewall configuration and add a script to automate the check and block process. Here’s an example of how you can do this with the ConfigServer Firewall (CSF).

Modify the CSF configuration to automatically check each incoming IP against the AbuseIPDB database:

See also  Whitelist Dynamic IP in CSF and cPanel

Edit the CSF configuration file

nano /etc/csf/csf.conf

Enable the IP blacklists feature

BLACKLIST_ENABLE = "1"

Edit the csf.blocklists file

nano /etc/csf/csf.blocklists

Set the abuse database URL

# AbuseIPDB blacklist
# Details: https://docs.abuseipdb.com/#blacklist-endpoint
ABUSEIPDB|86400|10000|https://api.abuseipdb.com/api/v2/blacklist?key=YOUR_API_KEY&plaintext

Note that you’ll need to replace $api_key with your actual AbuseIPDB API key.

Then restart the firewall

csf -ra

Check current IP connections on the AbuseIPDB list and block them

You can also create a script that will check all current connections in the AbuseIPDB top 10.000 list and if present blocks them immediately. This might come in handy at DoS attack times.

#!/bin/bash

# Your AbuseIPDB API key
api_key="your_api_key_here"

# Fetch the latest abuse data from AbuseIPDB
curl -s "https://api.abuseipdb.com/api/v2/blacklist?key=$api_key" > abuse_data.json

# Extract the IP addresses from the abuse data
ips=$(grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" abuse_data.json)

# Check each incoming IP against the abuse database
for incoming_ip in $(/sbin/iptables -L INPUT -n --line-numbers | awk '/dpt:22/ {print $8}'); do
  for reported_ip in $ips; do
    if [ "$incoming_ip" == "$reported_ip" ]; then
      # Block the IP
      /usr/sbin/csf -d $incoming_ip "Blocked by AbuseIPDB"
    fi
  done
done

whoami
Stefan Pejcic
Join the discussion

I enjoy constructive responses and professional comments to my posts, and invite anyone to comment or link to my site.