Integrating AbuseIPDB With the Nginx Ultimate Bad Bot Blocker Script
The Nginx Bad Bot Blocker script is fantastic and a no-brainer to install on any Nginx server hosting publicly accessible websites.
As great as it is though, I’ve recently noticed a significant increase in the number of attacks on the servers which I administer and websites in general. So I looked into integrating the paid API from AbuseIPDB.
This is how I got it to work.
First of all, it’s worth noting that the Bad Bot Blocker script already incorporates the free version of the API which returns the top 10k recently reported IPs. So this script is only needed if you want to sign up for a paid plan (Basic will return up to 100k IPs at a specified confidence level).
TLDR: You can find the script here: https://github.com/robwent/abuseipdb-bad-bot-blocker
The following needs to be saved on the server as root. I chose to install to the same directory as the bad bot blocker update script: /usr/local/sbin/update-abuseipdb.sh
Replace your-key with your actual API key and adjust the confidence level.
#!/bin/bash
# Save this file as /usr/local/sbin/update-abuseipdb.sh
# Edit api key and confidence level
# Make it executable: chmod 700 /usr/local/sbin/update-abuseipdb.sh
# Cron as root (every 4 hours)
# 0 */4 * * * /usr/local/sbin/update-abuseipdb.sh > /dev/null 2>&1
# Include the output in /etc/nginx/bots.d/blacklist-ips.conf
# include /etc/nginx/bots.d/abuseipdb;
ABUSEIPDB_KEY="your-key"
ABUSEIPDB_FILE_PATH=/etc/nginx/bots.d/abuseipdb
ABUSEIPDB_CONFIDENCE=90
ABUSEIPDB_LIMIT=9999999
# Fetch the list first. -f makes curl return nothing on an HTTP error
# instead of passing the error body through as if it were a list of IPs.
response=$(curl -s -f -L "https://api.abuseipdb.com/api/v2/blacklist?confidenceMinimum=$ABUSEIPDB_CONFIDENCE&limit=$ABUSEIPDB_LIMIT" \
    -H "Key: $ABUSEIPDB_KEY" \
    -H "Accept: text/plain")
# If the response is empty, exit before touching the existing list
if [ -z "$response" ]; then
    echo "No response from the API. Exiting..."
    exit 1
fi
# Only now overwrite the include file: header first, then one "IP 1;" line per entry
echo "#AbuseIPDB - Confidence: $ABUSEIPDB_CONFIDENCE" > "$ABUSEIPDB_FILE_PATH"
echo "" >> "$ABUSEIPDB_FILE_PATH"
for i in $response; do
    echo "$i 1;" >> "$ABUSEIPDB_FILE_PATH"
done
echo "" >> "$ABUSEIPDB_FILE_PATH"
# Test configuration and reload nginx
nginx -t && systemctl reload nginx
Once added, the script needs to be made executable:
chmod 700 /usr/local/sbin/update-abuseipdb.sh
You can now test running it as root and then check the results file for correct formatting.
/usr/local/sbin/update-abuseipdb.sh > /dev/null 2>&1
nano /etc/nginx/bots.d/abuseipdb
The abuseipdb file should be a list of IP addresses, each followed by a space, a 1 (meaning they should be blocked) and a semicolon. E.g.:
134.209.162.58 1;
201.213.134.20 1;
200.98.136.68 1;
185.254.231.252 1;
159.203.110.93 1;
152.32.199.26 1;
101.36.114.198 1;
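The formatting check described above can also be done by the script itself before the include file is replaced, since whatever the API returns ends up in an Nginx config written by root. The following is an added example, not part of the original script or the Bad Bot Blocker project: it accepts only bare IPv4/IPv6 lines and swaps the file in atomically. The function names and the MIN_ENTRIES threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original script). Function names and
# MIN_ENTRIES are hypothetical; raise MIN_ENTRIES for a real 100k list.

# build_blocklist: read the plain-text API response on stdin and print
# "IP 1;" lines. Fails (exit 1, no output) if any non-empty line is not a
# bare IP address or if fewer than MIN_ENTRIES addresses were seen.
build_blocklist() {
    awk -v min="${MIN_ENTRIES:-3}" '
        function is_v4(s,   p, i, k) {
            k = split(s, p, ".")
            if (k != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9]+$/ || length(p[i]) > 3 || p[i] + 0 > 255)
                    return 0
            return 1
        }
        # Loose IPv6 check: hex digits and colons only, at least two colons
        function is_v6(s) { return s ~ /^[0-9A-Fa-f:]+$/ && s ~ /:.*:/ }
        { sub(/\r$/, "") }                 # tolerate CRLF line endings
        /^$/ { next }
        !is_v4($0) && !is_v6($0) {
            print "rejected line: " $0 > "/dev/stderr"
            bad = 1
            exit                           # jumps to END
        }
        { out[++n] = $0 }
        END {
            if (bad || n < min) exit 1     # print nothing on failure
            for (i = 1; i <= n; i++) print out[i] " 1;"
        }'
}

# install_blocklist RESPONSE TARGET: validate RESPONSE, then replace TARGET
# with a rename so Nginx never reads a half-written or invalid file.
install_blocklist() {
    target=$2
    tmp=$(mktemp "$target.XXXXXX") || return 1
    if printf '%s\n' "$1" | build_blocklist > "$tmp"; then
        chmod 644 "$tmp" && mv "$tmp" "$target"
    else
        rm -f "$tmp"                       # keep the previous list in place
        return 1
    fi
}
```

In the update script this would replace the `for` loop: call `install_blocklist "$response" "$ABUSEIPDB_FILE_PATH"` and only run `nginx -t && systemctl reload nginx` if it succeeds.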
If everything looks ok, you can then set up a cron job as root to update the list periodically:
crontab -e
Add to the end of the file, adjusting the timing if required:
0 */4 * * * /usr/local/sbin/update-abuseipdb.sh > /dev/null 2>&1
The above line would update every 4 hours, 6 times a day.
The list now needs to be included in the blacklist-ips.conf file so that the IPs actually get blocked:
nano /etc/nginx/bots.d/blacklist-ips.conf
At the end of the file, add the include:
include /etc/nginx/bots.d/abuseipdb;
You can then test the configuration and reload Nginx to apply the changes:
nginx -t && service nginx restart