Report Blacklisted IP addresses to AbuseIPDB

Issue #116 open
Web User created an issue

Could you possibly add the ability to report all blacklisted IP addresses to the AbuseIPDB website?

Per the documentation for their API it would be as simple as adding the following code to the routine that performs the blacklisting…

# POST the submission.
curl \
  --data-urlencode "ip=" \
  -d categories=18,22 \
  --data-urlencode "comment=SSH login attempts with user root." \
  -H "Key: $YOUR_API_KEY" \
  -H "Accept: application/json"

Of course the end-user would need to apply for an AbuseIPDB API key for this to be effective. The same API could be used to check whether an attacking IP address is blacklisted and add them to the SSHGUARD blacklist immediately rather than going through the block/wait/block/wait/ban process.

Comments (4)

  1. Kevin Zheng
    • changed status to open

    The place to add this is src/fw/ (then you'll need to rebuild). Do you think this change is simple enough that all we need are documentation updates?

  2. Web User reporter

    Possibly, may also want to consider adding a configuration option to enable/disable the feature.

  3. Web User reporter

    I would place this code in the sshguard_blacklist.c file somewhere around the end of the section that states adding the IP address to the blacklist was successful…

    void blacklist_add(const attacker_t *restrict newel) {
    assert(blacklist_file != NULL && blacklist != NULL);
    if (blacklist_contains(&newel->attack.address)) {
    sshguard_log(LOG_WARNING, "blacklist: %s is already blacklisted",

    int retval = fprintf(blacklist_file, "%lld|%d|%d|%s\n",
            (long long)newel->whenlast, newel->attack.service,
            newel->attack.address.kind, newel->attack.address.value);
    if (retval > 0) {
        sshguard_log(LOG_DEBUG, "blacklist: added %s",
        list_append(blacklist, newel);
    } else {
        sshguard_log(LOG_ERR, "blacklist: could not add %s: %s",
  4. Web User reporter

    AbuseIPDB is a subscription service, free API users can only report 1,000 ip addresses per day, this is why it would be wise to only report those attackers that end up in the blacklist after repeated abuse. I suppose you could sign up for an API key for each device you install it on rather than sharing a key, that may help. Speaking of which, we will need to add a place in the configuration file for the AbuseIPDB API key. Perhaps the existence of this key would also be how you enable/disable the feature, this way we only need one parameter in the config file.

  5. Log in to comment