Guide: Free IP reputation monitoring with Uptime Kuma and AbuseIPDB

Automatically check whether your IPs are blacklisted? Here's how, with free tools that can save you a lot of trouble!



A single compromise on a web server can turn it into an attack vector: mass spamming, botnets, and the blacklisting of your IP is assured. So it's important to detect the first signs early, to react quickly and reduce the negative impact.

Security experts are realistic and unanimous: given enough time, any service will end up hacked. A 0-day vulnerability, a technical error, a sufficiently long attack... Security at 100% is out of this world.

So the right approach, in addition to approaching 0% risk through preventive security measures, is to continuously monitor the reputation of your IPs, so as to react at the first sign of an incident, limit the attack surface and prevent blacklisting from getting out of control.

Info: What is an IP blacklist?

An IP blacklist is a register of IP addresses known to be malicious or undesirable (spam, attacks, fraud), which systems consult to deny or restrict access. It is used by firewalls, mail servers and web sites, but can also produce false positives; entries evolve and can be removed after verification.

In this article, we'll look at how to set up an alert system based on two free solutions:

  • Uptime Kuma, a free monitoring tool, hosted on your own machine or a VPS;
  • AbuseIPDB, a collaborative database of reported IP addresses.

This preventive setup is used for the LRob web hosting infrastructure and should be useful to you if you also host services. As a reminder, the real-time status of the LRob infrastructure, including any presence in the AbuseIPDB blacklist, can be consulted publicly: https://uptime.lrob.net/status/lrob.

This step-by-step guide will show you how to reproduce this configuration at home.


Why monitor your IP's reputation?

It's better to act at the first sign of a problem than to wait until it's too late.
If a mailbox is compromised or a site has a vulnerability, your server can quickly become an attack vector, for example sending millions of spam messages in a matter of minutes.

LRob already applies effective protections, such as an anti-bruteforce on emails and an hourly sending limit, to limit this kind of damage. But whatever the measures, proactive monitoring of an IP's reputation means that any anomalies can be detected quickly, and action taken before the situation becomes embarrassing.

Because blacklists inform the public about the maliciousness of your IPs. And if your IP is blacklisted, providers often block emails and restrict access to certain services, and overall the trust placed in a server or site is damaged.

So the aim of the game is this: Not to be a victim of blacklists, but to use them as a reliable indicator to spot suspicious behavior on a machine, even outside an active attack. Because attacks can be brief or very discreet. Those who receive them, on the other hand, can't miss them.

And for that, with regular monitoring, we can immediately identify any rise in the abuse score and intervene before the consequences become costly. Ultimately, it's a measure that's half preventive, half curative. Or, to put it another way, the worst is avoided.

What you need before you start

Before setting up this monitoring system, you need to have:

  • access (free or paid) to the AbuseIPDB API.
  • a working Uptime Kuma instance, installed on a local VM, a VPS or any other permanently accessible server.

Uptime Kuma will be configured to query the AbuseIPDB API automatically, retrieve your IP's abuse score, and check whether it remains less than or equal to a set threshold (e.g. 5%).
If this score exceeds the chosen limit, you'll receive an alert to take prompt action.

This tutorial relies solely on AbuseIPDB as a source of reputation, which is already very reliable for everyday use.

Step-by-step configuration in Uptime Kuma

The aim is to create a monitor that will regularly check your IP's abuse score on AbuseIPDB, and alert you if it exceeds a set threshold. To do this, we're going to use a JSON query expression that returns true or false depending on the result of the check. True: all's well. False: you receive the alert.

1. Create a new base monitor

In the Uptime Kuma interface:

  • Click on "Add a monitor"
  • Monitor type: HTTP(s) - Json Query
  • Display name (Friendly Name), for example: AbuseIPDB HOSTNAME IP (replace HOSTNAME and IP with your values)
  • Heartbeat Interval: set the desired frequency (e.g. every 3600 seconds, or 1h).
  • Retries: 0

2. Basic AbuseIPDB API monitor settings

  • URL: https://api.abuseipdb.com/api/v2/check
  • Json Query: $number($.data.abuseConfidenceScore) <= 5
    • (replace 5 with your tolerance threshold, which corresponds to the percentage of risk on AbuseIPDB)
  • Expected Value: true

💡 This expression returns true if the score is less than or equal to your threshold, and false otherwise. Uptime Kuma then triggers an alert according to your notifications setting, only if the result is false.



3. Setting HTTP options for the AbuseIPDB API

In HTTP Options:

  • Method: GET
  • Body Encoding: JSON

In Body, enter this code, replacing Your_IP with the IP to be monitored:

{
    "ipAddress": "Your_IP",
    "maxAgeInDays": "1",
    "verbose": "true"
}

In Headers, put your API key in place of Your_API_Key:

{
    "Key": "Your_API_Key",
    "Accept": "application/json"
}

4. Check final configuration

You should get a similar configuration:

5. Save and test

Once you have defined the parameters, click on Save then observe the first test:

  • If score is below threshold → monitor UP
  • If score exceeds threshold → monitor DOWN and alert sent

With this setting, you'll know immediately if your IP's reputation is deteriorating.
For example:

  • Score 0 → everything's fine
  • Score 4 → still acceptable
  • Score 12 → alert
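
To try the same decision outside Uptime Kuma (for example before creating the monitor), here is an added example that is not part of the original guide, nor LRob's or Uptime Kuma's code. It applies the same "score <= 5" rule to a response body and adds a third state, UNKNOWN, for bodies that carry no usable score, so that an API error is not read as a reputation problem. Assumptions: the ABUSEIPDB_API_KEY environment variable name is hypothetical, the parameters are sent in the query string rather than in a JSON body, and the sample bodies are constructed around the documentation address 203.0.113.10.

```python
import json
import os
import sys
import urllib.parse
import urllib.request

API_URL = "https://api.abuseipdb.com/api/v2/check"  # URL from step 2
THRESHOLD = 5                                        # same tolerance as the Json Query

def build_request(ip, api_key, max_age_days=1):
    """Build the GET request; in this example the parameters go in the query string."""
    url = API_URL + "?" + urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    return urllib.request.Request(url, headers={"Key": api_key, "Accept": "application/json"})

def evaluate(body, threshold=THRESHOLD):
    """Map one response body to 'UP', 'DOWN' or 'UNKNOWN' (no usable score)."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return "UNKNOWN"
    data = doc.get("data") if isinstance(doc, dict) else None
    score = data.get("abuseConfidenceScore") if isinstance(data, dict) else None
    if isinstance(score, bool) or not isinstance(score, (int, float, str)):
        return "UNKNOWN"
    try:
        value = float(score)  # like $number(): accepts 4 or "4"
    except ValueError:
        return "UNKNOWN"
    return "UP" if value <= threshold else "DOWN"

# Constructed sample bodies (not real API output), reduced to the field used.
SAMPLES = {
    "clean": '{"data": {"ipAddress": "203.0.113.10", "abuseConfidenceScore": 0}}',
    "tolerated": '{"data": {"ipAddress": "203.0.113.10", "abuseConfidenceScore": 4}}',
    "listed": '{"data": {"ipAddress": "203.0.113.10", "abuseConfidenceScore": 12}}',
    "api_error": '{"errors": [{"detail": "constructed error", "status": 429}]}',
}

if __name__ == "__main__":
    if len(sys.argv) == 2:  # live check: ABUSEIPDB_API_KEY=... python3 script.py IP
        req = build_request(sys.argv[1], os.environ["ABUSEIPDB_API_KEY"])
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                print(evaluate(resp.read()))
        except OSError:  # HTTP errors and timeouts: no score was obtained
            print("UNKNOWN")
    else:
        for name, body in SAMPLES.items():
            print(name, evaluate(body))
```

Run without arguments, it classifies the constructed samples; with an IP as argument it performs one live check and prints the resulting state.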

A word about the JSON detection threshold trick

At LRob, almost 1 year ago, when we received a customer whose site had to be repaired following a hack, his site was exploited during the repair on our servers. This was the only instance of malicious use on LRob servers. This enabled us to discover AbuseIPDB with great enthusiasm since we were looking for just such a tool.

A brief incident with a positive outcome, you might say.

Except that since this incident, an AbuseIPDB contributor continues to report the server's IP every week, even though the incident has been over for almost 1 year. And there's no way to stop it. As soon as he issues even a single report, the IP score goes back up to 4% risk.

However, Uptime Kuma only allows you to check if Expected Value = 0.
In other words, a risk at 1% or 4% triggered an alert. So this server was on alert all the time.
A false positive.

The clean solution: evaluate a threshold directly in the Json Query thanks to a JSONata expression. Rather than waiting for the exact value "0", Uptime Kuma now checks that the score is less than or equal to a limit deemed healthy (e.g. 5), and returns true or false. From now on, the state will only go into alert if the score exceeds that limit.

This is the principle of this code, which checks whether the value in question is less than or equal to 5.

$number($.data.abuseConfidenceScore) <= 5

Uptime Kuma expects the value true in return. If the score is 5 or below, no alert. If higher, alert.

This config correction has just been applied, so if you visit the server status within 24 hours of publishing this article, you'll see that "Blacklists" isn't at 100% uptime, unlike all the other services. Now you've got the whole story.

Conclusion

We hope that the configuration used for the LRob web hosting infrastructure will help you better secure your servers, and help us make a better internet.

And if you think that was very interesting, remember that it's just the tip of the iceberg of what LRob does to ensure exceptional service!

We are convinced that LRob deserves to be better known.
So take a tour of the site, read what we have to say, look at the offers, try out our in-house Chatbot, and don't hesitate to share what you find interesting on all your networks, it will support us in our mission for a clean internet!

Thank you for reading and for your support.

