Automated Reporting
Parse server logs with cron jobs and automatically report malicious IPs to the IPWhois Blacklist. Covers SSH, Apache, Nginx, and more.
Overview

If you do not use Fail2Ban, you can still contribute to the blacklist by parsing your server logs directly. These scripts run on a schedule via cron and report IPs that show clear signs of malicious activity.

Threshold matters. Only report IPs with a meaningful number of failures to avoid false positives. The scripts below use conservative thresholds.
SSH Brute-Force Reporter
/usr/local/bin/ipwhois-report-ssh.sh
#!/bin/bash
# Report IPs with 5+ failed SSH logins. Each run scans the whole current log;
# the reported-IPs file keeps an address from being reported again until the
# list is cleared.
# Cron: */30 * * * *

LOG="/var/log/auth.log"      # Debian/Ubuntu
# LOG="/var/log/secure"      # CentOS/RHEL
THRESHOLD=5
REPORTED="/tmp/ipwhois-reported-ssh.txt"

touch "$REPORTED"

# The source address is three fields from the end of a line such as
# "Failed password for root from 203.0.113.7 port 51022 ssh2"
grep "Failed password" "$LOG" \
  | awk '{print $(NF-3)}' \
  | sort | uniq -c | sort -rn \
  | while read -r count ip; do
      # Skip if below threshold or already reported recently
      # (-xF: exact fixed-string match, so the dots in the IP are not wildcards)
      [ "$count" -lt "$THRESHOLD" ] && continue
      grep -qxF -- "$ip" "$REPORTED" && continue

      # Report to IPWhois Blacklist
      curl -sSf -m 10 -X POST https://bl.ipwhois.net/api/report \
        -d "ip=$ip" \
        -d "type=brute-force" \
        -d "message=${count}+failed+SSH+logins" \
        2>&1 | logger -t ipwhois-ssh

      echo "$ip" >> "$REPORTED"
      sleep 1
    done

# Reset reported list daily. Note that appending an IP refreshes the file's
# mtime, so the list is only cleared once it has gone untouched for over a day.
find "$REPORTED" -mtime +1 -exec truncate -s 0 {} \;
Web Scanner / Exploit Probe Reporter
/usr/local/bin/ipwhois-report-web.sh
#!/bin/bash
# Report IPs probing for common vulnerabilities
# Cron: */30 * * * *

LOG="/var/log/nginx/access.log"   # or /var/log/apache2/access.log
THRESHOLD=10
REPORTED="/tmp/ipwhois-reported-web.txt"

touch "$REPORTED"

# Patterns that indicate scanning / exploit probing
PATTERNS="wp-login|xmlrpc|\.env|phpmyadmin|/admin|setup\.php|cgi-bin|\.git"

# In the default combined log format $1 is the client address. Behind a
# reverse proxy or load balancer it is the proxy's address instead, so log
# and extract the real client address before enabling this script there.
grep -iE "$PATTERNS" "$LOG" \
  | awk '{print $1}' \
  | sort | uniq -c | sort -rn \
  | while read -r count ip; do
      [ "$count" -lt "$THRESHOLD" ] && continue
      grep -qxF -- "$ip" "$REPORTED" && continue

      curl -sSf -m 10 -X POST https://bl.ipwhois.net/api/report \
        -d "ip=$ip" \
        -d "type=scan" \
        -d "message=${count}+exploit+probes" \
        2>&1 | logger -t ipwhois-web

      echo "$ip" >> "$REPORTED"
      sleep 1
    done

# Reset reported list daily (cleared once the file is untouched for over a day)
find "$REPORTED" -mtime +1 -exec truncate -s 0 {} \;
Postfix / Mail Spam Reporter
/usr/local/bin/ipwhois-report-mail.sh
#!/bin/bash
# Report IPs with failed SASL auth (spam relay attempts)
# Cron: 0 * * * *

LOG="/var/log/mail.log"
THRESHOLD=3
REPORTED="/tmp/ipwhois-reported-mail.txt"

touch "$REPORTED"

# Extract the bracketed client address from Postfix lines such as
# "warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: ..."
grep "authentication failed" "$LOG" \
  | grep -oP '\[\K[0-9.]+' \
  | sort | uniq -c | sort -rn \
  | while read -r count ip; do
      [ "$count" -lt "$THRESHOLD" ] && continue
      grep -qxF -- "$ip" "$REPORTED" && continue

      curl -sSf -m 10 -X POST https://bl.ipwhois.net/api/report \
        -d "ip=$ip" \
        -d "type=spam" \
        -d "message=${count}+failed+SASL+auth" \
        2>&1 | logger -t ipwhois-mail

      echo "$ip" >> "$REPORTED"
      sleep 1
    done

# Reset reported list daily (cleared once the file is untouched for over a day)
find "$REPORTED" -mtime +1 -exec truncate -s 0 {} \;
Setting Up Cron
# Make scripts executable
sudo chmod +x /usr/local/bin/ipwhois-report-*.sh

# Add to cron (run as root)
sudo crontab -e

# Add these lines:
*/30 * * * * /usr/local/bin/ipwhois-report-ssh.sh
*/30 * * * * /usr/local/bin/ipwhois-report-web.sh
0 * * * * /usr/local/bin/ipwhois-report-mail.sh

Or use /etc/cron.d/ files for easier management:

echo '*/30 * * * * root /usr/local/bin/ipwhois-report-ssh.sh
*/30 * * * * root /usr/local/bin/ipwhois-report-web.sh
0 * * * * root /usr/local/bin/ipwhois-report-mail.sh' | sudo tee /etc/cron.d/ipwhois-reporters
Testing
# Run each script manually to verify
sudo /usr/local/bin/ipwhois-report-ssh.sh
sudo /usr/local/bin/ipwhois-report-web.sh

# Check syslog for report confirmations
sudo grep "ipwhois-" /var/log/syslog | tail -10

# Verify cron is running
grep CRON /var/log/syslog | tail -5
Troubleshooting
  • Script produces no output: Your log files may be in a different location. Check with ls -la /var/log/auth.log /var/log/secure. On systemd-only systems, use journalctl instead of log files.
  • Too many reports: Increase the threshold or reduce the cron frequency. The API rate limit is 500 reports/day.
  • Log rotation: If logs are rotated frequently, the script may miss entries. Consider using journalctl --since "30 min ago" instead of grepping log files.
  • Duplicate reports: The reported-IPs file prevents duplicates within 24 hours. If it gets too large, the daily truncation handles cleanup.
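The troubleshooting notes above point at journalctl for systemd-only hosts and for a real time window. As an added example, not part of the IPWhois docs, here is a journald-based version of the SSH reporter: it reads only the last 30 minutes with journalctl --since, takes the address after "from" so that "invalid user" lines and IPv6 addresses are handled alike, and keeps the counting separate from the reporting so it can be checked against constructed sample lines without contacting the API. It assumes sshd logs to journald (unit "ssh" on Debian/Ubuntu, "sshd" on RHEL); the function names, the --run flag and the sample lines are mine.

```shell
#!/bin/bash
# Added example (not from the IPWhois docs): journald variant of the SSH reporter
# for systemd-only hosts. Assumes sshd logs to journald (unit "ssh" on Debian,
# "sshd" on RHEL), curl/logger are installed, and the report endpoint used above.
# Cron: */30 * * * *
THRESHOLD=5
WINDOW="30 min ago"
REPORTED="${REPORTED:-/tmp/ipwhois-reported-ssh.txt}"
# Read sshd lines on stdin; print "count ip" for IPs with >= THRESHOLD failures.
# Uses the word after "from" rather than a positional field, so "invalid user"
# lines and IPv6 addresses are handled the same way.
count_offenders() {
  grep "Failed password" \
    | awk -v t="$THRESHOLD" '{
        for (i = 1; i < NF; i++) if ($i == "from") { n[$(i+1)]++; break }
      } END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' \
    | sort -rn
}

# Exact fixed-string match against the reported list (dots are not wildcards).
already_reported() { grep -qxF -- "$1" "$REPORTED"; }

report_ip() {  # $1 = ip, $2 = failure count
  curl -sSf -m 10 -X POST https://bl.ipwhois.net/api/report -d "ip=$1" \
    -d "type=brute-force" -d "message=$2+failed+SSH+logins" 2>&1 | logger -t ipwhois-ssh
}

# Constructed sample journal lines (not real data) for a self-check.
SAMPLE_LOG='Failed password for root from 203.0.113.7 port 51022 ssh2
Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Failed password for root from 203.0.113.7 port 51041 ssh2
Failed password for root from 203.0.113.7 port 51055 ssh2
Failed password for invalid user test from 203.0.113.7 port 51060 ssh2
Failed password for root from 198.51.100.9 port 40100 ssh2
Accepted publickey for deploy from 192.0.2.5 port 22222 ssh2'
demo_offenders() { printf '%s\n' "$SAMPLE_LOG" | count_offenders; }

main() {
  touch "$REPORTED"
  journalctl -u ssh -u sshd --since "$WINDOW" --no-pager -o cat \
    | count_offenders \
    | while read -r count ip; do
        already_reported "$ip" && continue
        report_ip "$ip" "$count"
        echo "$ip" >> "$REPORTED"
        sleep 1
      done
}
# Run the live pipeline only with --run; otherwise only define the functions.
[ "${1:-}" = "--run" ] && main
```

Running the script with no arguments defines the functions only, so `demo_offenders` can be called from an interactive shell to confirm the parsing before the --run cron entry is added.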
IPWhois Blacklist — Community-driven IP threat intelligence — ipwhois.net