Guide: Free IP reputation monitoring with Uptime Kuma and AbuseIPDB

Automatically check whether your IPs are blacklisted? Here's how, with free tools that can save you a lot of trouble!




A single compromise on a web server can turn it into an attack vector, and your IP will be blacklisted as soon as it sends out massive amounts of spam or botnet traffic. So you need to detect the first signs quickly in order to react quickly and reduce the negative impact.

Security experts are realistic and unanimous: given enough time, any service will end up hacked. A 0-day vulnerability, a technical error, a sufficiently long attack... 100% security does not exist in this world.

So the right approach, in addition to getting closer to 0% risk through preventive security measures, is to continuously monitor the reputation of your IPs, so as to react at the first sign of trouble, limit the attack surface and prevent blacklistings from getting out of control.

Info: What is an IP blacklist?

An IP blacklist is a register of IP addresses known to be malicious or undesirable (spam, attacks, fraud), which systems consult to deny or restrict access. It is used by firewalls, mail servers and web sites, but can also produce false positives; entries evolve and can be removed after verification.

In this article, we'll look at how to set up an alert system based on two free solutions:

  • Uptime Kuma, a free monitoring tool, hosted on your own machine or a VPS;
  • AbuseIPDB, a collaborative database of reported IP addresses.

This prevention setup is used for the LRob web hosting infrastructure and should be useful to you if you also host services. As a reminder, the real-time status of the LRob infrastructure, including any presence in the AbuseIPDB blacklist, is publicly available: https://uptime.lrob.net/status/lrob.

This step-by-step guide will show you how to reproduce this configuration at home.

⚠️ Are your servers costing you too much time and money? Don't miss our multi-site hosting packages, which will save you time and improve your security while saving money and giving you exceptional support! Also available as single-site hosting.

Why monitor your IP's reputation?

It is better to act at the first sign of a problem than to wait until it's too late.
If a mailbox is compromised or a website has a vulnerability, your server can quickly become an attack vector, for example to send millions of spam messages in just a few minutes.

LRob already applies effective protection measures, such as anti-bruteforce protection on emails and an hourly sending limit, to limit this kind of damage. But whatever the measures, proactive monitoring of the IP reputation enables any anomalies to be detected quickly, and action to be taken before the situation becomes a nuisance.

Abuse lists (blacklists) inform the public about malicious use of your IP. And if your IP is blacklisted, providers often block e-mails, restrict access to certain services and generally reduce the trust granted to a server or site.

So the aim of the game is this: not to be a victim of blacklists, but to use them as a reliable indicator to detect suspicious behavior on a machine, even when no active attack is taking place. Because attacks can be brief or very discreet. Those on the receiving end, on the other hand, can't miss them.

With regular monitoring, we can immediately identify any rise in the abuse score and take action before the consequences become costly. In short, it's half preventive, half curative. Or, to put it another way, the worst is avoided.

What you need before you start

Before setting up this monitoring system, you need to have:

  • access (free or paid) to the AbuseIPDB API
  • a working Uptime Kuma instance, installed on a local VM, a VPS or any other permanently accessible server.

Uptime Kuma will be configured to automatically query the AbuseIPDB API, retrieve the abuse score of your IP, and check that it is still less than or equal to a fixed threshold (e.g. 5%).
If this score exceeds the chosen limit, you'll receive an alert so you can take prompt action.

This tutorial is based solely on AbuseIPDB as a source of reputation, which is already very reliable for everyday use.

Step-by-step configuration in Uptime Kuma

The aim is to create a monitor which will regularly check the abuse score of your IP on AbuseIPDB, and alert you if this score exceeds a set threshold. To do this, we'll use a JSON expression that returns true or false according to the result of the check. True: all is well. False: you receive the alert.

1. Create a new base monitor

In the Uptime Kuma interface:

Click on “Add a monitor”

Monitor type: HTTP(s) - Json Query

Display name (Friendly Name), for example:
AbuseIPDB HOSTNAME IP
(replace HOSTNAME and IP with your values)

  • Heartbeat Interval: set the desired frequency (e.g. every 3600 seconds, i.e. 1h).
  • Retries: 0

2. Basic AbuseIPDB API monitor settings

  • URL: https://api.abuseipdb.com/api/v2/check
  • Json Query: $number($.data.abuseConfidenceScore) <= 5
    • (replace 5 with your tolerance threshold, which corresponds to the percentage of risk on AbuseIPDB)
  • Expected Value: true

💡 This expression returns true if the score is less than or equal to your threshold, and false otherwise. Uptime Kuma then triggers an alert according to your notification settings, only if the result is false.



3. Setting HTTP options for the AbuseIPDB API

In HTTP Options:

  • Method: GET
  • Body Encoding: JSON

In Body, enter this code, replacing Your_IP with the IP to be monitored:

{
    "ipAddress": "Your_IP",
    "maxAgeInDays": "1",
    "verbose": "true"
}

In Headers, put your API key in place of Your_API_Key:

{
    "Key": "Your_API_Key",
    "Accept": "application/json"
}

4. Check final configuration

You should get a similar configuration:

5. Save and test

Once you have defined the parameters, click on Save, then observe the first test:

  • If the score is below the threshold → monitor UP
  • If the score exceeds the threshold → monitor DOWN and alert sent

With this setting, you'll know immediately if your IP's reputation is deteriorating.
For example:

  • Score 0 → everything's fine
  • Score 4 → still acceptable
  • Score 12 → alert

A word about the JSON detection threshold trick

At LRob, almost 1 year ago, when we received a customer whose site had to be repaired following a hack, his site was exploited during the repair on our servers. This was the only instance of malicious use on LRob servers. This enabled us to discover AbuseIPDB with great enthusiasm, as we were looking for just such a tool.

A brief incident with a positive outcome, you might say.

Except that since this incident, an AbuseIPDB contributor continues to report the server's IP every week, even though the incident has been over for almost 1 year. And there's no way to stop it. As soon as he issues even a single report, the IP score rises to 4% of risk.

In its basic form, Uptime Kuma can only be used to check whether Expected Value = 0.
In other words, a risk of 1% or 4% triggered an alert. So this server was always on alert.
A false positive.

The clean solution: evaluate a threshold directly in the Json Query using a JSONata expression. Rather than waiting for the exact value “0”, Uptime Kuma now checks that the score is less than or equal to a healthy limit (e.g. 5) and returns true or false. From now on, the state will only go on alert if the score exceeds the threshold.

This is the principle of this code, which checks whether the value in question is less than or equal to 5.

$number($.data.abuseConfidenceScore) <= 5

Uptime Kuma expects the value true in return. If the score is 5 or below, no alert. If higher, alert.
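The request from step 3 and the threshold test above can be reproduced outside Uptime Kuma, for example to try a threshold before saving the monitor. This is an added example, not code from the original article or from Uptime Kuma: the function names, the ERROR state and the sample replies are constructed for illustration, and the parameters are sent as a query string rather than in a JSON body.

```python
import json
import urllib.parse
import urllib.request

API_URL = "https://api.abuseipdb.com/api/v2/check"  # endpoint from step 2

# Constructed sample replies (not real API output), using the article's scores.
SAMPLES = {
    "clean": '{"data": {"ipAddress": "203.0.113.10", "abuseConfidenceScore": 0}}',
    "one report": '{"data": {"ipAddress": "203.0.113.10", "abuseConfidenceScore": 4}}',
    "listed": '{"data": {"ipAddress": "203.0.113.10", "abuseConfidenceScore": 12}}',
    "api error": '{"errors": [{"detail": "constructed error", "status": 429}]}',
}


def build_request(ip, api_key, max_age_days=1):
    """Build the GET the monitor sends, with the Key and Accept headers."""
    query = urllib.parse.urlencode({"ipAddress": ip, "maxAgeInDays": max_age_days})
    return urllib.request.Request(
        f"{API_URL}?{query}",
        headers={"Key": api_key, "Accept": "application/json"},
        method="GET",
    )


def evaluate(body, threshold=5):
    """Mirror `$number($.data.abuseConfidenceScore) <= threshold`; a reply
    without a usable score is ERROR, not DOWN (this sketch's own choice)."""
    try:
        score = float(json.loads(body)["data"]["abuseConfidenceScore"])
    except (ValueError, KeyError, TypeError):
        return "ERROR", "no abuseConfidenceScore in reply"
    if score <= threshold:
        return "UP", f"score {score:g} <= {threshold}"
    return "DOWN", f"score {score:g} > {threshold}"


def check(ip, api_key, threshold=5):
    """Live check; network and HTTP failures are reported as ERROR."""
    try:
        with urllib.request.urlopen(build_request(ip, api_key), timeout=10) as resp:
            return evaluate(resp.read(), threshold)
    except OSError as exc:  # URLError/HTTPError and timeouts derive from OSError
        return "ERROR", str(exc)


if __name__ == "__main__":
    print({name: evaluate(body) for name, body in SAMPLES.items()})
```

Running the file evaluates only the constructed samples; `check()` performs the live query and needs your own API key.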

This configuration correction has just been applied, so if you visit the server status page within 24 hours of the publication of this article, you'll see that «Blacklists» is not at 100% uptime, unlike all the other services. Now you've got the whole story.

Conclusion

We hope that the configuration used for the LRob web hosting infrastructure will help you better secure your servers, and help us make a better Internet.

And if you think that was very interesting, remember that it's just the tip of the iceberg of what LRob does to ensure exceptional service!

We're convinced that LRob deserves to be better known.
So take a look at the site, read what we have to say, check out our offers, try out our in-house chatbot, and don't hesitate to share what you find interesting on all your networks, to support our mission for a clean Internet!

Thank you for reading and for your support.
