Guide: Monitor your IP reputation for free with Uptime Kuma and AbuseIPDB

A single compromise on a web server can turn it into an attack vector. You're guaranteed to have your IP blacklisted if you send out massive amounts of spam or botnet traffic. So you need to detect the first signs quickly in order to react fast and reduce the negative impact.

Security experts are realistic and unanimous: given enough time, any service will end up being hacked. A 0-day vulnerability, a technical error, a sufficiently long attack... 100% security does not exist.

So the right approach, in addition to getting closer to 0% risk through preventive security measures, is to continuously monitor the reputation of your IPs, so as to react at the first sign of an incident, limit the attack surface and prevent blacklistings from getting out of control.

Info: What is an IP blacklist?

An IP blacklist is a register of IP addresses deemed to be malicious or undesirable (spam, attacks, fraud) that systems consult to deny or restrict access. It is used by firewalls, mail servers and websites, but can also produce false positives; entries evolve and can be removed after verification.

In this article, we'll look at how to set up an alert system based on two free solutions:

  • Uptime Kuma, a free monitoring tool hosted on your own machine or a VPS;
  • AbuseIPDB, a collaborative database of reported IP addresses.

This form of prevention is used for the LRob web hosting infrastructure and should be useful to you if you also host services. As a reminder, the real-time status of the LRob infrastructure, including any presence in the AbuseIPDB blacklist, can be consulted publicly: https://uptime.lrob.net/status/lrob.

This article will guide you step-by-step through how to reproduce this configuration at home.

Why monitor your IP reputation?

It is better to act at the very first sign of a problem than to wait until it's too late.
If a mailbox is compromised or a website has a vulnerability, your server can quickly become an attack vector. This means it can send millions of spam messages in just a few minutes.

LRob already applies effective protection measures, such as anti-brute-force protection on email and a time limit for sending, to limit this kind of damage. But whatever the measures, proactive monitoring of IP reputation enables any anomaly to be detected quickly, and action to be taken before the situation becomes a nuisance.

Abuse lists (blacklists) tell the public that your IPs have been compromised. And if your IP is blacklisted, service providers often block your emails, restrict access to certain services and, more generally, the trust granted to your server or site is harmed.

So the aim of the game is this: not to be a victim of blacklists, but to use them as a reliable indicator for spotting suspicious behaviour on a machine, even when there is no active attack. Attacks can be brief or very discreet. Those who receive them, on the other hand, cannot miss them.

With regular monitoring, any rise in the abuse score can be identified immediately and action taken before the consequences become costly. In the end, it's a measure that's half preventive and half curative. In other words, it avoids the worst.

What you need before you start

Before setting up this monitoring system, you need to have:

  • access (free or paid) to the AbuseIPDB API
  • a working Uptime Kuma instance, installed on a local VM, a VPS or any other permanently accessible server.

Uptime Kuma will be configured to automatically query the AbuseIPDB API, retrieve the abuse score of your IP, and check whether it is still less than or equal to a fixed threshold (for example 5%).
If this score exceeds the chosen limit, you will receive an alert so that you can intervene quickly.

This tutorial is based solely on AbuseIPDB as a source of reputation, which is already very reliable for everyday use.

Step-by-step configuration in Uptime Kuma

The aim is to create a monitor which will regularly check the abuse score of your IP on AbuseIPDB, and alert you if this score exceeds a set threshold. To do this, we're going to use a JSON expression that returns true or false depending on the result of the check. True: all is well. False: you receive the alert.

1. Create a new base monitor

In the Uptime Kuma interface:

  • Click on “Add a monitor”
  • Monitor type: HTTP(s) - Json Query
  • Display name (Friendly Name), for example: AbuseIPDB HOSTNAME IP (replace HOSTNAME and IP with your values)
  • Heartbeat Interval: set the desired frequency (e.g. every 3600 seconds, i.e. 1 hour)
  • Retries: 0

2. Basic AbuseIPDB API monitor settings

  • URL: https://api.abuseipdb.com/api/v2/check
  • Json Query: $number($.data.abuseConfidenceScore) <= 5
    • (replace 5 with your tolerance threshold, which corresponds to the percentage of risk on AbuseIPDB)
  • Expected Value: true

💡 This expression returns true if the score is less than or equal to your threshold, and false otherwise. Uptime Kuma then triggers an alert according to your notification settings, only if the result is false.



3. Configuring the HTTP options of the AbuseIPDB API

In HTTP Options:

  • Method: GET
  • Body Encoding: JSON

In Body, enter this JSON, replacing Your_IP with the IP to be monitored:

{
    "ipAddress": "Your_IP",
    "maxAgeInDays": "1",
    "verbose": "true"
}

In Headers, put your API key in place of Your_API_Key:

{
    "Key": "Your_API_Key",
    "Accept": "application/json"
}

4. Check the final configuration

You should get a similar configuration:

5. Save and test

Once you have set the parameters, click Save, then observe the first test:

  • If the score is at or below the threshold → monitor UP
  • If the score exceeds the threshold → monitor DOWN and alert sent

With this setting, you will know immediately if the reputation of your IP is deteriorating.
For example:

  • Score 0 → everything's fine
  • Score 4 → still acceptable
  • Score 12 → alert

A word about the detection threshold trick in JSON

At LRob, almost 1 year ago, we took on a customer whose site had to be repaired following a hack, and the site was exploited during the repair on our servers. This was the only instance of malicious use on LRob servers. It led us to discover AbuseIPDB with great enthusiasm, as we were looking for just such a tool.

A brief incident with a positive outcome, you might say.

Except that since this incident, an AbuseIPDB contributor continues to report the server's IP every week, even though the incident has been over for almost 1 year. And there's no way to stop it. As soon as he issues even a single report, the IP score rises to 4% risk.

In its basic form, the Uptime Kuma check can only test whether the result equals the Expected Value, here 0.
In other words, a risk of 1% or 4% triggered an alert. So this server was always on alert.
A false positive.

The clean solution: evaluate a threshold directly in the Json Query using a JSONata expression. Instead of waiting for the exact value “0”, Uptime Kuma now checks that the score is less than or equal to a limit considered healthy (for example 5), and the expression returns true or false. From now on, the monitor will only go on alert if the score exceeds that value.

This is the principle of this code, which checks whether the value in question is less than or equal to 5.

$number($.data.abuseConfidenceScore) <= 5

Uptime Kuma expects the value true in return. If the score is at or below 5, no alert. If it's higher, alert.
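The monitor's decision from the step-by-step configuration and the threshold expression above, reproduced as an added example (not code from the original article or from Uptime Kuma). It is a plain JavaScript stand-in for the JSONata check that also reports why a monitor would go DOWN, since a missing score (API error, non-JSON reply) fails the check just like a bad score. Assumptions: the function names, the `errors` payload shape and the sample responses are constructed for illustration, and the parameters are sent as URL query parameters rather than as a request body.

```javascript
// Added example: plain JavaScript stand-in for the monitor's check, not JSONata.
const API_URL = "https://api.abuseipdb.com/api/v2/check";

// ipAddress and maxAgeInDays go in the query string here,
// because fetch() refuses a body on GET requests.
function buildRequest(ip, apiKey, maxAgeInDays = 1) {
  const url = new URL(API_URL);
  url.searchParams.set("ipAddress", ip);
  url.searchParams.set("maxAgeInDays", String(maxAgeInDays));
  return { url: url.toString(), headers: { Key: apiKey, Accept: "application/json" } };
}

// Equivalent of `$number($.data.abuseConfidenceScore) <= threshold`,
// with a reason attached so an API failure is not mistaken for a bad score.
function evaluate(bodyText, threshold = 5) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return { up: false, reason: "response is not JSON" };
  }
  const raw = body && body.data ? body.data.abuseConfidenceScore : undefined;
  const score = raw === undefined || raw === null || raw === "" ? NaN : Number(raw);
  if (!Number.isFinite(score)) {
    const err = body && Array.isArray(body.errors) ? body.errors[0] : undefined;
    return { up: false, reason: `API problem: ${err ? err.detail : "no score in response"}` };
  }
  return score <= threshold
    ? { up: true, reason: `score ${score} <= ${threshold}` }
    : { up: false, reason: `score ${score} > ${threshold}` };
}

// Live check (Node 18+ for global fetch); needs a real key, so it is not called here.
async function checkIp(ip, apiKey, threshold = 5) {
  const { url, headers } = buildRequest(ip, apiKey);
  const res = await fetch(url, { headers });
  return evaluate(await res.text(), threshold);
}

// Constructed sample responses (203.0.113.10 is a documentation address).
const SAMPLES = {
  clean: '{"data":{"ipAddress":"203.0.113.10","abuseConfidenceScore":0}}',
  tolerated: '{"data":{"ipAddress":"203.0.113.10","abuseConfidenceScore":4}}',
  alert: '{"data":{"ipAddress":"203.0.113.10","abuseConfidenceScore":12}}',
  apiError: '{"errors":[{"detail":"constructed error text","status":429}]}',
};
```

When a monitor goes DOWN, running the response through `evaluate` first tells you whether you are looking at a reputation problem or at a failed API call.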

This configuration correction has just been applied, so if you visit the server status page in the 24 hours following the publication of this article, you will see that «Blacklists» is not at 100% uptime, unlike all the other services. You now have the whole story.

Conclusion

We hope that the configuration used for the LRob web hosting infrastructure will help you better secure your servers, and help us make a better internet.

And if you think that was very interesting, remember that this is just the tip of the iceberg of what LRob is doing to provide an exceptional service!

We are convinced that LRob deserves to be better known.
So take a look at the site, read what we have to say, take a look at the offers, try out our in-house chatbot, and don't hesitate to share what you find interesting on all your networks. It'll help us in our mission for a clean Internet!

Thank you for reading and for your support.
