AbuseIPDB
IP Reputation & Reporting
AbuseIPDB is an online project that helps system administrators, webmasters and security users check and report IP addresses associated with abusive activity on the internet.
What is AbuseIPDB?
AbuseIPDB is a public IP reputation database. It collects reports about IP addresses that have been observed performing suspicious or malicious activity.
It can be useful when you see suspicious connection attempts in server logs, firewall logs, SSH logs, web server logs, mail server logs or router logs.
Official website: https://www.abuseipdb.com/
Examples of reported activity may include:
- SSH brute-force attempts
- web login brute-force attempts
- port scanning
- spam
- DDoS-related traffic
- web application attacks
- SQL injection attempts
- phishing-related activity
- malware-related activity
- abusive bot traffic
- suspicious automated scanning
You can use AbuseIPDB in two basic ways:
- Check whether an IP address has already been reported.
- Report an IP address that attacked or abused your own system.
Why AbuseIPDB is useful & Limitations
Why AbuseIPDB is useful
When an IP address shows up repeatedly in your logs, AbuseIPDB tells you whether other administrators have already seen the same address attacking their systems, how often, how recently and in which categories. That context turns an isolated log entry into a decision: block, rate-limit, report or ignore.
It is most useful on machines that expose services to the internet and keep logs of them: SSH servers, web servers, mail servers, firewalls and routers. Reporting attacks you have confirmed in your own logs also feeds the database for everyone else who checks the same address later.
Important limitation
AbuseIPDB should be understood as a reputation and threat-intelligence helper, not as absolute proof.
An IP address can belong to:
- dynamic ISP user
- shared hosting server
- VPN provider
- proxy server
- cloud provider
- NAT gateway
- compromised server
- public Wi-Fi network
- Tor exit node
- corporate network
This means that one bad report does not always prove that the current user of that IP address is the same attacker. Always evaluate the score, number of reports, report age, categories and your own logs.
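The evaluation described above, as an added example in Python (not code from AbuseIPDB or from this page): a triage function that combines the fields of a /api/v2/check response with what your own logs show. The field names (abuseConfidenceScore, numDistinctUsers, lastReportedAt, isWhitelisted, isTor, usageType) are those of the documented v2 check response; the sample responses, the usageType values treated as shared infrastructure and every threshold are constructed assumptions to be tuned per environment.

```python
"""Turn an AbuseIPDB /api/v2/check response plus your own log evidence
into a triage verdict.

Added example, not code from AbuseIPDB or from this page. Field names are
those of the documented v2 check response; sample values and thresholds
are constructed assumptions.
"""
from datetime import datetime, timezone

HIGH_SCORE = 75            # assumption: reputation is "confident"
LOW_SCORE = 25             # assumption: worth keeping an eye on
MIN_REPORTERS = 3          # assumption: independent reporters before trusting a score
MAX_REPORT_AGE_DAYS = 30   # assumption: older reports are stale for a dynamic IP
LOCAL_MAXRETRY = 5         # assumption: mirrors a Fail2Ban maxretry of 5

# usageType values under which one address may be shared by many unrelated users
# (assumption: the set of values to treat this way is a local policy choice).
SHARED_USAGE = {"Data Center/Web Hosting/Transit", "Content Delivery Network"}


def report_age_days(last_reported_at, now):
    """Days since the most recent report, or None if never reported."""
    if not last_reported_at:
        return None
    return (now - datetime.fromisoformat(last_reported_at)).total_seconds() / 86400


def assess(check_response, local_failures, now=None):
    """Return 'block', 'temp-ban', 'watch' or 'ignore'.

    check_response: parsed JSON body of GET /api/v2/check.
    local_failures: failed attempts from this address in your own logs.
    Reputation only adds weight to local evidence: it never justifies a
    block by itself, and shared or stale reputation earns at most a
    temporary ban.
    """
    d = check_response["data"]
    now = now or datetime.now(timezone.utc)
    score = int(d.get("abuseConfidenceScore") or 0)
    reporters = int(d.get("numDistinctUsers") or 0)
    age = report_age_days(d.get("lastReportedAt"), now)
    shared = bool(d.get("isTor")) or d.get("usageType") in SHARED_USAGE

    if d.get("isWhitelisted"):
        return "ignore"          # AbuseIPDB itself vouches for this address
    corroborated = (score >= HIGH_SCORE and reporters >= MIN_REPORTERS
                    and age is not None and age <= MAX_REPORT_AGE_DAYS)
    if local_failures >= LOCAL_MAXRETRY:
        return "block" if corroborated and not shared else "temp-ban"
    if local_failures > 0:
        return "watch" if score >= LOW_SCORE else "ignore"
    return "watch" if score >= HIGH_SCORE else "ignore"


def _sample(**overrides):
    """Constructed check response in the documented layout."""
    data = {
        "ipAddress": "203.0.113.45", "isPublic": True, "ipVersion": 4,
        "isWhitelisted": False, "abuseConfidenceScore": 100,
        "usageType": "Fixed Line ISP", "isTor": False,
        "totalReports": 240, "numDistinctUsers": 61,
        "lastReportedAt": "2024-05-02T20:15:00+00:00",
    }
    data.update(overrides)
    return {"data": data}


NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)   # fixed clock for reproducible output

if __name__ == "__main__":
    cases = [
        ("hammering us, widely reported", _sample(), 12),
        ("hammering us via Tor", _sample(isTor=True), 12),
        ("hammering us, reports a year old",
         _sample(lastReportedAt="2023-04-01T00:00:00+00:00"), 12),
        ("never touched us, bad reputation", _sample(), 0),
        ("clean, never reported",
         _sample(abuseConfidenceScore=0, totalReports=0,
                 numDistinctUsers=0, lastReportedAt=None), 0),
    ]
    for label, resp, fails in cases:
        print(f"{label:36s} -> {assess(resp, fails, NOW)}")
```

The order of the checks is the point: your own log count decides whether anything happens at all, the reputation data only decides how hard the response is, and a Tor exit, hosting range or year-old report never earns more than a temporary ban.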
IP Verification Workflow & Linux Commands
Manual IP address check
To check an IP address manually, open AbuseIPDB and use the search field: https://www.abuseipdb.com/
You can check whether the IP address has been reported, how many reports exist, which categories were used and how recent the activity is.
Useful IP verification workflow
When you find a suspicious IP address in logs, do not block blindly. First collect context.
- Find the suspicious IP address in your logs.
- Check what service was attacked.
- Check timestamp and repeated attempts.
- Check the IP address in AbuseIPDB.
- Check reverse DNS and whois information.
- Decide whether to block, rate-limit, report or ignore.
Basic Linux commands for IP investigation
Check current active connections:
sudo ss -tnp state established
Show listening TCP and UDP services:
sudo ss -ltnup
Search SSH authentication logs on Debian / Ubuntu:
sudo grep "Failed password" /var/log/auth.log
Search SSH authentication logs on RHEL / Fedora / Rocky / AlmaLinux:
sudo grep "Failed password" /var/log/secure
If the file does not exist, the host logs only to the systemd journal (the default on Debian 12 without rsyslog); use journalctl instead.
Show SSH service logs with systemd (the unit is named ssh on Debian / Ubuntu and sshd on RHEL-based systems):
sudo journalctl -u ssh
sudo journalctl -u sshd
Check whois information:
whois 1.2.3.4
Check reverse DNS:
dig -x 1.2.3.4
The reverse DNS name is set by whoever controls the address range and can be anything, so treat it as a hint about the owner, not as proof of anything.
Traceroute / path diagnostic:
traceroute 1.2.3.4
AbuseIPDB API & Reporting
AbuseIPDB API
Advanced users can register an AbuseIPDB account and create an API key. The API can be used to check IP reputation, report abusive IP addresses and download blacklist data according to the selected account plan.
API documentation: https://docs.abuseipdb.com/
Example API check request:
curl -G https://api.abuseipdb.com/api/v2/check \
  --data-urlencode "ipAddress=1.2.3.4" \
  -d maxAgeInDays=90 \
  -d verbose \
  -H "Key: YOUR_API_KEY" \
  -H "Accept: application/json"
Replace:
YOUR_API_KEY with your own AbuseIPDB API key
1.2.3.4 with the IP address you want to check
maxAgeInDays limits the answer to reports from the last 90 days; verbose adds the individual reports (timestamp, categories, comment) to the response. The response is JSON with the reputation fields under data, including abuseConfidenceScore, totalReports and lastReportedAt.
The key travels in a request header rather than in the URL, so it does not end up in proxy or web server access logs. Keep it out of your shell history as well, for example by reading it from a file with restrictive permissions instead of typing it into the command, and remember that on a multi-user host command-line arguments are visible to other users in the process list.
Reporting an abusive IP address
Only report IP addresses that actually attacked or abused your own system or network. Do not report IP addresses only because they look suspicious or because someone else reported them.
A good report should include:
- correct source IP address
- correct abuse category
- timestamp
- short log evidence
- service that was attacked
- clear technical description
Do not include private data, passwords, full personal information or sensitive internal information in public report comments.
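A report builder that enforces the rules above, as an added example in Python (not AbuseIPDB's or Fail2Ban's code): it refuses internal addresses, requires a category, redacts internal IPs, credentials, e-mail addresses and your own host names from the evidence, and returns exactly the form fields the v2 report endpoint takes (ip, categories, comment, timestamp). The category numbers 18 (Brute-Force) and 22 (SSH) come from the AbuseIPDB category list; the evidence lines, the comment length limit and the redaction patterns are constructed assumptions.

```python
"""Build a sanitised payload for POST /api/v2/report from local evidence.

Added example, not AbuseIPDB's or Fail2Ban's code. Form field names are
those of the v2 report endpoint; categories 18 and 22 are from the
AbuseIPDB category list. Evidence lines, the length limit and the
redaction patterns are constructed assumptions.
"""
import ipaddress
import re
from datetime import datetime, timezone

CATEGORY_BRUTE_FORCE = 18
CATEGORY_SSH = 22
MAX_COMMENT_CHARS = 1000   # assumption: stay well under whatever the API accepts

# Ranges that are never reportable and must not leak into a public comment.
# Listed explicitly instead of using ipaddress.is_private, so that the
# TEST-NET documentation addresses in this sample still count as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "224.0.0.0/4")]
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
SECRET_RE = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|token|secret|api[_-]?key)=\S+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def is_internal(ip):
    """True for RFC 1918, CGNAT, loopback, link-local and multicast addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS if net.version == addr.version)


def redact(text, own_hostnames=()):
    """Mask internal addresses, credentials, e-mail addresses and own host names."""
    text = IPV4_RE.sub(lambda m: "[internal-ip]" if is_internal(m.group(0)) else m.group(0), text)
    text = SECRET_RE.sub(lambda m: m.group(1) + "=[redacted]", text)
    text = EMAIL_RE.sub("[email]", text)
    for name in own_hostnames:
        text = text.replace(name, "[host]")
    return text


def build_report(attacker_ip, categories, evidence_lines, service,
                 own_hostnames=(), first_seen=None):
    """Return the form fields for POST /api/v2/report, or raise ValueError."""
    if is_internal(attacker_ip):
        raise ValueError(f"{attacker_ip} is an internal address; not reportable")
    addr = ipaddress.ip_address(attacker_ip)        # rejects garbage input
    if not categories:
        raise ValueError("at least one category is required")
    when = first_seen or datetime.now(timezone.utc)
    body = "\n".join(redact(line, own_hostnames) for line in evidence_lines)
    comment = f"{service}: {len(evidence_lines)} failed login attempts\n{body}"
    if len(comment) > MAX_COMMENT_CHARS:
        comment = comment[:MAX_COMMENT_CHARS - 3] + "..."
    return {
        "ip": str(addr),
        "categories": ",".join(str(c) for c in sorted(set(categories))),
        "comment": comment,
        "timestamp": when.isoformat(timespec="seconds"),
    }


# Constructed evidence: one user name looks like an e-mail address and
# must not be published, and the host name web1 identifies our own server.
EVIDENCE = [
    "May  3 10:15:01 web1 sshd[2301]: Failed password for root from 203.0.113.45 port 51234 ssh2",
    "May  3 10:15:09 web1 sshd[2305]: Failed password for invalid user admin@example.com from 203.0.113.45 port 51240 ssh2",
    "May  3 10:15:20 web1 sshd[2309]: Failed password for invalid user test from 203.0.113.45 port 51250 ssh2",
]


def sample_report():
    """The constructed evidence turned into a report (fixed timestamp)."""
    return build_report("203.0.113.45", [CATEGORY_SSH, CATEGORY_BRUTE_FORCE], EVIDENCE,
                        "sshd", own_hostnames=("web1",),
                        first_seen=datetime(2024, 5, 3, 10, 15, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
    # Submitting it is one POST with the key in a header, e.g. with requests:
    #   requests.post("https://api.abuseipdb.com/api/v2/report", data=payload,
    #                 headers={"Key": API_KEY, "Accept": "application/json"})
```

The attacker's address is deliberately left untouched by the redaction (it is the subject of the report), while everything that describes your side of the connection is masked before the comment leaves the host.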
Fail2Ban Integration & Firewall Usage
Fail2Ban integration
AbuseIPDB can be integrated with Fail2Ban. Fail2Ban monitors logs, detects repeated failed login attempts or abusive behavior and can ban the offending IP address using local firewall rules.
With AbuseIPDB integration, Fail2Ban can also automatically report abusive IP addresses to AbuseIPDB.
Check Fail2Ban version:
fail2ban-client --version
Check whether the AbuseIPDB action file exists:
ls -l /etc/fail2ban/action.d/abuseipdb.conf
Example local Fail2Ban jail file (/etc/fail2ban/jail.local; do not edit jail.conf itself, package upgrades overwrite it). Basic SSH jail example:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = %(sshd_log)s
# backend = systemd   # needed on hosts that log only to the journal (no /var/log/auth.log)
maxretry = 5
findtime = 10m
bantime = 1h
# add the AbuseIPDB reporting action here once your API key is configured;
# the parameter names are documented in the header of action.d/abuseipdb.conf
AbuseIPDB reporting action must be configured with your API key according to the official AbuseIPDB and Fail2Ban documentation.
Important: automatic reporting should be configured carefully. A broken or too aggressive Fail2Ban rule can send poor-quality reports or exhaust API limits.
Firewall usage
AbuseIPDB can help you decide whether an IP address should be blocked, but your firewall is still responsible for the actual blocking.
Temporary block with iptables (use -I so the rule is inserted at the top of the INPUT chain; -A appends it after existing ACCEPT rules, which may then match first):
sudo iptables -I INPUT -s 1.2.3.4 -j DROP
sudo iptables -D INPUT -s 1.2.3.4 -j DROP
The second command removes the rule again. iptables rules do not survive a reboot unless you save them, which is acceptable for a temporary ban.
Temporary block with nftables example (assumes a table inet filter with an input chain already exists; the timeout flag makes the entry expire on its own):
sudo nft add set inet filter blocklist '{ type ipv4_addr; flags timeout; }'
sudo nft insert rule inet filter input ip saddr @blocklist drop
sudo nft add element inet filter blocklist '{ 1.2.3.4 timeout 1h }'
With UFW (insert at position 1 so the deny rule is evaluated before your allow rules; a plain ufw deny is appended after them):
sudo ufw insert 1 deny from 1.2.3.4
sudo ufw delete deny from 1.2.3.4
With firewalld (the rich rule is removed automatically after the timeout, in seconds):
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="1.2.3.4" drop' --timeout=3600
For production servers, prefer structured firewall rules, sets, time-based bans or Fail2Ban instead of manually adding many individual rules.
Use Cases & Blacklist Data
Using AbuseIPDB blacklist data
AbuseIPDB also provides blacklist data depending on the account plan and API limits. This can be used by security tools, firewalls or scripts.
However, blocking large public blacklists blindly can cause false positives. Some IP addresses may belong to cloud providers, hosting providers, VPNs or shared infrastructure.
Recommended approach:
- Use AbuseIPDB data as one signal.
- Combine it with your own logs.
- Prefer temporary bans over permanent bans.
- Whitelist your own trusted networks.
- Monitor false positives.
- Do not block business-critical networks blindly.
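The recommended approach above turned into code, as an added example in Python (not AbuseIPDB's tooling): blacklist entries are kept only above a confidence threshold, dropped when they fall inside your allowlist, and rendered as nftables sets with a timeout so every ban expires on its own. The JSON layout (data[].ipAddress, abuseConfidenceScore, lastReportedAt) follows the documented v2 blacklist response; the entries, the allowlist, and the table and set names (inet filter, abuseipdb_v4 / abuseipdb_v6) are constructed assumptions.

```python
"""Turn AbuseIPDB blacklist data into timed nftables sets with an
allowlist and a minimum score.

Added example, not AbuseIPDB's tooling. The JSON layout follows the
documented v2 blacklist response; entries, allowlist and nft names are
constructed assumptions.
"""
import ipaddress
import json

SAMPLE_BLACKLIST = json.dumps({
    "meta": {"generatedAt": "2024-05-03T09:00:00+00:00"},
    "data": [
        {"ipAddress": "203.0.113.45", "abuseConfidenceScore": 100,
         "lastReportedAt": "2024-05-03T08:55:00+00:00"},
        {"ipAddress": "198.51.100.200", "abuseConfidenceScore": 100,
         "lastReportedAt": "2024-05-03T07:10:00+00:00"},
        {"ipAddress": "192.0.2.9", "abuseConfidenceScore": 60,
         "lastReportedAt": "2024-05-02T22:00:00+00:00"},
        {"ipAddress": "2001:db8::1", "abuseConfidenceScore": 100,
         "lastReportedAt": "2024-05-03T06:00:00+00:00"},
        {"ipAddress": "300.1.1.1", "abuseConfidenceScore": 100,
         "lastReportedAt": "2024-05-03T06:00:00+00:00"},
    ],
})
# Constructed: a partner range you must never cut off, plus RFC 1918 space.
ALLOWLIST = ["198.51.100.0/24", "10.0.0.0/8"]


def select_entries(blacklist_json, allowlist, min_score=90):
    """Split the blacklist into (ipv4, ipv6, skipped) after filtering.

    skipped holds (address, reason) pairs so every run can be audited.
    """
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    v4, v6, skipped = [], [], []
    for entry in json.loads(blacklist_json)["data"]:
        raw = str(entry.get("ipAddress", ""))
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            skipped.append((raw, "unparseable"))      # never hand garbage to nft
            continue
        if int(entry.get("abuseConfidenceScore", 0)) < min_score:
            skipped.append((raw, "score below threshold"))
            continue
        if any(addr in net for net in allowed if net.version == addr.version):
            skipped.append((raw, "allowlisted"))
            continue
        (v4 if addr.version == 4 else v6).append(str(addr))
    return v4, v6, skipped


def render_nft(v4, v6, timeout="24h", table="inet filter"):
    """Render an idempotent script for `nft -f`: sets are created if
    missing, flushed, then refilled, so stale entries vanish on refresh."""
    lines = [f"add table {table}"]
    for name, family, elems in (("abuseipdb_v4", "ipv4_addr", v4),
                                ("abuseipdb_v6", "ipv6_addr", v6)):
        lines.append(f"add set {table} {name} "
                     f"{{ type {family}; flags timeout; timeout {timeout}; }}")
        lines.append(f"flush set {table} {name}")
        if elems:                                     # nft rejects an empty element list
            lines.append(f"add element {table} {name} {{ {', '.join(elems)} }}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    v4, v6, skipped = select_entries(SAMPLE_BLACKLIST, ALLOWLIST)
    for ip, why in skipped:
        print(f"# skipped {ip}: {why}")
    print(render_nft(v4, v6))
    # Load with:  sudo nft -f abuseipdb.nft
    # One-time rules so the sets are actually consulted:
    #   sudo nft insert rule inet filter input ip saddr @abuseipdb_v4 drop
    #   sudo nft insert rule inet filter input ip6 saddr @abuseipdb_v6 drop
```

Run it from a timer at a longer interval than the set timeout is short, so that an address that stops being listed drops out of the firewall automatically instead of living on in a hand-maintained rule set.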
Good use cases
- Checking suspicious SSH login attempts
- Checking repeated web attack sources
- Enriching firewall logs
- Investigating spam sources
- Reporting real attacks from your own server logs
- Integrating with Fail2Ban
- Creating security dashboards
- Checking IP reputation during incident response
Bad use cases
- Assuming every reported IP is always malicious
- Blocking entire cloud providers without review
- Reporting IPs without evidence
- Publishing private API keys
- Using reports as legal proof
- Replacing firewall rules with reputation checks only
- Ignoring your own logs and context
Practical workflow example
Example: you see repeated SSH login failures from one IP address.
- Check SSH logs.
- Confirm repeated failed attempts.
- Check the IP in AbuseIPDB.
- Check whois and reverse DNS.
- Let Fail2Ban ban the IP locally.
- If the activity is real and clear, report it to AbuseIPDB.
- Keep the ban temporary unless the abuse continues.
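The first two steps of this workflow, and of the IP verification workflow earlier on the page (find the address in the logs, confirm repeated attempts inside a short window), as an added example in Python that is not code from this page or from Fail2Ban: it parses classic auth.log lines, applies Fail2Ban's maxretry-within-findtime rule per source address, and keeps the matching lines as evidence for the reputation check, the ban and the report that follow. The log lines are constructed; the assumed year is needed because syslog timestamps carry none.

```python
"""Find SSH brute-force sources in auth.log the way Fail2Ban does
(maxretry failures inside one findtime window) and keep the matching
lines as evidence.

Added example, not code from this page or from Fail2Ban. Log lines are
constructed; the pattern covers the classic syslog layout of
/var/log/auth.log and /var/log/secure.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2024   # assumption: classic syslog timestamps have no year

# Matches "Failed password for root from ..." as well as
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Constructed sample: one burst from 203.0.113.45, one typo by a real user
# from 198.51.100.10, and two slow attempts hours apart from 192.0.2.77.
SAMPLE_LOG = """\
May  3 10:15:01 web1 sshd[2301]: Failed password for root from 203.0.113.45 port 51234 ssh2
May  3 10:15:04 web1 sshd[2301]: Failed password for root from 203.0.113.45 port 51234 ssh2
May  3 10:15:09 web1 sshd[2305]: Failed password for invalid user admin from 203.0.113.45 port 51240 ssh2
May  3 10:15:12 web1 sshd[2307]: Failed password for invalid user oracle from 203.0.113.45 port 51241 ssh2
May  3 10:15:20 web1 sshd[2309]: Failed password for invalid user test from 203.0.113.45 port 51250 ssh2
May  3 10:16:02 web1 sshd[2311]: Accepted publickey for deploy from 198.51.100.10 port 40022 ssh2: ED25519 SHA256:abc
May  3 10:20:33 web1 sshd[2320]: Failed password for deploy from 198.51.100.10 port 40030 ssh2
May  3 11:40:00 web1 sshd[2400]: Failed password for root from 192.0.2.77 port 6000 ssh2
May  3 14:00:00 web1 sshd[2500]: Failed password for root from 192.0.2.77 port 6001 ssh2
"""


def parse_failures(text):
    """Yield (timestamp, ip, user, raw_line) for every failed password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"], line


def find_offenders(text, maxretry=5, findtime=600):
    """Return {ip: summary} for every address with at least maxretry
    failures inside any window of findtime seconds (Fail2Ban's rule)."""
    window_len = timedelta(seconds=findtime)
    by_ip = defaultdict(list)
    for ts, ip, user, line in parse_failures(text):
        by_ip[ip].append((ts, user, line))
    offenders = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):             # sliding window over sorted events
            while events[end][0] - events[start][0] > window_len:
                start += 1
            if end - start + 1 >= maxretry:
                window = events[start:end + 1]
                offenders[ip] = {
                    "first": window[0][0], "last": window[-1][0],
                    "count": len(events),
                    "users": sorted({u for _, u, _ in events}),
                    "evidence": [l for _, _, l in window],
                }
                break
    return offenders


if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} failures from {info['first']:%H:%M:%S} "
              f"to {info['last']:%H:%M:%S}, users {info['users']}")
        for line in info["evidence"]:
            print("   ", line)
```

Only the burst source comes out as an offender: the single typo and the two attempts hours apart never reach maxretry inside one findtime window, which is exactly why the window matters more than the raw count when you decide whom to check against AbuseIPDB and whom to report.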
Quick Commands & Final Summary
Quick command summary
Show listening TCP and UDP services:
sudo ss -ltnup
Check established connections:
sudo ss -tnp state established
Search failed SSH logins on Debian / Ubuntu:
sudo grep "Failed password" /var/log/auth.log
Search failed SSH logins on RHEL / Fedora:
sudo grep "Failed password" /var/log/secure
Check SSH logs:
sudo journalctl -u ssh
sudo journalctl -u sshd
Whois lookup:
whois 1.2.3.4
Reverse DNS:
dig -x 1.2.3.4
AbuseIPDB API check:
curl -G https://api.abuseipdb.com/api/v2/check \
  --data-urlencode "ipAddress=1.2.3.4" \
  -d maxAgeInDays=90 \
  -d verbose \
  -H "Key: YOUR_API_KEY" \
  -H "Accept: application/json"
UFW block (inserted before existing allow rules):
sudo ufw insert 1 deny from 1.2.3.4
iptables block (inserted at the top of the INPUT chain):
sudo iptables -I INPUT -s 1.2.3.4 -j DROP
Final summary
AbuseIPDB is a useful tool for checking and reporting abusive IP addresses. It is especially useful for system administrators, webmasters, server owners and security users who want to enrich their logs with IP reputation data.
It should be used as one part of a larger security setup: firewall rules, Fail2Ban, system updates, good SSH configuration, log monitoring and backups.