Automated Reporting
Cron-based log parsing and IP reporting. Step-by-step setup guide with code examples.
184,732 IPs
7,362 reports
Free API
Quick Install
Copy the scripts below or use the quick setup command:
No API key needed (500 reports/day):
curl -sL https://bl.ipwhois.net/api/cron/install | sudo bash
No curl? Use wget:
wget -qO- https://bl.ipwhois.net/api/cron/install | sudo bash
Installs 3 reporter scripts (SSH, Web, Mail) + cron jobs. No Fail2Ban required.
Requires:
- bash + curl
- cron
- Root access
What is this?
If you don't use Fail2Ban or CSF, you can still report malicious IPs by parsing server logs directly. These lightweight bash scripts run via cron and detect attacks from SSH, web and mail logs.
SSH
Reports IPs with 5+ failed SSH login attempts.
Web
Reports IPs scanning for exploits (wp-login, .env, phpMyAdmin...).
Mail
Reports IPs with failed SASL auth (spam relay attempts).
SSH Brute-Force Reporter
/usr/local/bin/ipwhois-report-ssh.sh
#!/bin/bash
# Report IPs with 5+ failed SSH logins
# Cron: */30 * * * *
LOG="/var/log/auth.log"
THRESHOLD=5
REPORTED="/tmp/ipwhois-reported-ssh.txt"
touch "$REPORTED"
# The source IP is the 4th field from the end of a "Failed password" line
grep "Failed password" "$LOG" \
    | awk '{print $(NF-3)}' \
    | sort | uniq -c | sort -rn \
    | while read -r count ip; do
        # Skip IPs below the threshold
        [ "$count" -lt "$THRESHOLD" ] && continue
        # Skip IPs already reported (-x whole line, -F literal, so dots are not wildcards)
        grep -qxF -- "$ip" "$REPORTED" && continue
        curl -sSf -m 10 -X POST https://bl.ipwhois.net/api/report \
            -d "ip=$ip" \
            -d "type=brute-force" \
            -d "message=${count} failed SSH logins" \
            -d "source=ids" \
            >> /var/log/ipwhois-report.log 2>&1
        echo "$ip" >> "$REPORTED"
        sleep 1
    done
# Empty the reported list once find's -mtime +1 test matches the file
find "$REPORTED" -mtime +1 -exec truncate -s 0 {} \;
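Added example, not part of the original page or the project's scripts: a dry run of the SSH reporter above that prints the IPs it would report instead of POSTing them, and that drops tokens that are not valid IPv4 addresses, private or loopback ranges, and allowlisted hosts. The function names, ALLOWLIST and the sample log lines are constructed for illustration.

```bash
#!/bin/bash
# Added example, not the project's script. Function names and ALLOWLIST are
# hypothetical; the log lines in sample_log are constructed.
ALLOWLIST="198.51.100.7"   # assumption: space-separated IPs never to report

# is_reportable IP: succeeds only for a well-formed, public, non-allowlisted IPv4
is_reportable() {
    local ip="$1" o old_ifs="$IFS"
    case "$ip" in ""|*[!0-9.]*|*.) return 1 ;; esac    # digits and dots only
    IFS=.; set -- $ip; IFS="$old_ifs"                   # split into octets
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ""|0?*|????*) return 1 ;; esac     # empty, leading zero, too long
        [ "$o" -le 255 ] || return 1
    done
    case "$1.$2" in                                     # non-routable ranges
        0.*|10.*|127.*|169.254|192.168) return 1 ;;
        172.1[6-9]|172.2[0-9]|172.3[01]) return 1 ;;
    esac
    [ "$1" -ge 224 ] && return 1                        # multicast and reserved
    for o in $ALLOWLIST; do
        [ "$o" = "$ip" ] && return 1
    done
    return 0
}

# candidates THRESHOLD: reads auth.log lines on stdin, prints IPs that would be reported
candidates() {
    local threshold="$1" count ip
    grep "Failed password" \
        | awk '{print $(NF-3)}' \
        | LC_ALL=C sort | uniq -c \
        | while read -r count ip; do
            [ "$count" -ge "$threshold" ] || continue
            if is_reportable "$ip"; then echo "$ip"; fi
        done
}

# Constructed sample in auth.log format: 6 failures each from a public, a
# private and an allowlisted address, plus 1 failure from a fourth address
sample_log() {
    for i in 1 2 3 4 5 6; do
        echo "Jan 10 03:1$i:01 host sshd[4101]: Failed password for root from 203.0.113.50 port 4000$i ssh2"
        echo "Jan 10 03:1$i:02 host sshd[4102]: Failed password for invalid user admin from 10.0.0.12 port 4100$i ssh2"
        echo "Jan 10 03:1$i:03 host sshd[4103]: Failed password for deploy from 198.51.100.7 port 4200$i ssh2"
    done
    echo "Jan 10 03:20:00 host sshd[4104]: Failed password for root from 192.0.2.9 port 43000 ssh2"
}
sample_log | candidates 5   # prints 203.0.113.50
```

To check a real log before enabling the cron job, run: candidates 5 < /var/log/auth.log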
Web Scanner Reporter
/usr/local/bin/ipwhois-report-web.sh
#!/bin/bash
# Report IPs probing for common vulnerabilities
# Cron: */30 * * * *
LOG="/var/log/nginx/access.log" # or /var/log/apache2/access.log
THRESHOLD=10
REPORTED="/tmp/ipwhois-reported-web.txt"
touch "$REPORTED"
# Case-insensitive patterns for paths that scanners commonly request
PATTERNS="wp-login|xmlrpc|\.env|phpmyadmin|/admin|setup\.php|cgi-bin|\.git"
# The client IP is the first field of each access log line
grep -iE "$PATTERNS" "$LOG" \
    | awk '{print $1}' \
    | sort | uniq -c | sort -rn \
    | while read -r count ip; do
        # Skip IPs below the threshold
        [ "$count" -lt "$THRESHOLD" ] && continue
        # Skip IPs already reported (-x whole line, -F literal, so dots are not wildcards)
        grep -qxF -- "$ip" "$REPORTED" && continue
        curl -sSf -m 10 -X POST https://bl.ipwhois.net/api/report \
            -d "ip=$ip" \
            -d "type=scan" \
            -d "message=${count} exploit probes" \
            -d "source=ids" \
            >> /var/log/ipwhois-report.log 2>&1
        echo "$ip" >> "$REPORTED"
        sleep 1
    done
# Empty the reported list once find's -mtime +1 test matches the file
find "$REPORTED" -mtime +1 -exec truncate -s 0 {} \;
Mail Spam Reporter
/usr/local/bin/ipwhois-report-mail.sh
#!/bin/bash
# Report IPs with failed SASL auth (spam relay attempts)
# Cron: 0 * * * *
LOG="/var/log/mail.log"
THRESHOLD=3
REPORTED="/tmp/ipwhois-reported-mail.txt"
touch "$REPORTED"
# Match only a dotted quad inside brackets, so a bracketed process ID
# on the same line is not counted as an IP
grep "authentication failed" "$LOG" \
    | grep -oP '\[\K[0-9]{1,3}(\.[0-9]{1,3}){3}(?=\])' \
    | sort | uniq -c | sort -rn \
    | while read -r count ip; do
        # Skip IPs below the threshold
        [ "$count" -lt "$THRESHOLD" ] && continue
        # Skip IPs already reported (-x whole line, -F literal, so dots are not wildcards)
        grep -qxF -- "$ip" "$REPORTED" && continue
        curl -sSf -m 10 -X POST https://bl.ipwhois.net/api/report \
            -d "ip=$ip" \
            -d "type=spam" \
            -d "message=${count} failed SASL auth" \
            -d "source=ids" \
            >> /var/log/ipwhois-report.log 2>&1
        echo "$ip" >> "$REPORTED"
        sleep 1
    done
# Empty the reported list once find's -mtime +1 test matches the file
find "$REPORTED" -mtime +1 -exec truncate -s 0 {} \;
Manual Cron Setup
sudo chmod +x /usr/local/bin/ipwhois-report-*.sh
sudo touch /var/log/ipwhois-report.log
echo '*/30 * * * * root /usr/local/bin/ipwhois-report-ssh.sh
*/30 * * * * root /usr/local/bin/ipwhois-report-web.sh
0 * * * * root /usr/local/bin/ipwhois-report-mail.sh' | sudo tee /etc/cron.d/ipwhois-reporters
Troubleshooting
- No reports: Check log paths. CentOS/RHEL uses /var/log/secure instead of /var/log/auth.log.
- Too many reports: Increase threshold or reduce cron frequency. Free limit: 500/day per IP, 30/day anonymous.
- Log rotation: Scripts scan the whole log. After rotation, the reported list resets daily via find -mtime +1.
- Apache logs: Change LOG path to /var/log/apache2/access.log or /var/log/httpd/access_log.
- View reports: tail -f /var/log/ipwhois-report.log