An integration tool designed to analyze UFW logs and report IP addresses blocked by the firewall to the AbuseIPDB database. To prevent excessive reporting of the same IP address within a short time period, the tool uses a temporary cache file to track previously reported IP addresses.
β If you like this repository or find it useful, I'd greatly appreciate it if you could give it a star. Many thanks!
Also, check this out: sefinek/Cloudflare-WAF-To-AbuseIPDB
Important
- If you'd like to make changes to any files in this repository, please start by creating a public fork.
- According to AbuseIPDB's policy, UDP traffic should not be reported!
- Node.js + npm
- PM2 (
npm i -g pm2) - Git
- Linux (Ubuntu or Debian)
- Easy Configuration β The
config.jsfile allows for quick and simple configuration. - Simple Installer β Enables fast and seamless integration deployment.
- Self-IP Protection (IPv4 & IPv6) β The script will never report IP addresses belonging to you or your server, even if you're using a dynamic IP address.
- IP Filtering β Local and special-purpose IP addresses will never be reported.
- IP Whitelist β Maintain a
whitelist.txtfile with IP addresses that should never be reported (e.g., your home IP when running on a VPS). - UDP Traffic Filtering β UDP traffic is automatically skipped in accordance with AbuseIPDB's policy.
- Report Cooldown β Prevents duplicate reports of the same IP within a configurable time window (default: 12 hours).
- Bulk Reporting Support β If the script encounters a rate limit, it will start buffering collected IPs and send a bulk report.
- Discord Webhooks Integration:
- Critical notifications
- Script error alerts
- Daily summaries of reported IPs
- Automatic Updates β The script regularly fetches and applies the latest updates. You can disable this feature if you'd prefer.
bash <(curl -fsS https://raw.githubusercontent.com/sefinek/UFW-AbuseIPDB-Reporter/main/install.sh)bash <(wget -qO- https://raw.githubusercontent.com/sefinek/UFW-AbuseIPDB-Reporter/main/install.sh)See https://gist.github.com/sefinek/fb50041a5f456321d58104bbf3f6e649.
See https://gist.github.com/sefinek/1de50073ffbbae82fc901506304f0ada.
sudo apt update && sudo apt upgrade
cd ~
git clone --recurse-submodules https://github.com/sefinek/UFW-AbuseIPDB-Reporter.git ufw-abuseipdb
cd ufw-abuseipdb
npm install --omit=dev
cp config.default.js config.js
sudo chown syslog:"$USER" "$ufw_log_path"
sudo chmod 640 "$ufw_log_path"
npm install -g pm2@latest
sudo mkdir -p /var/log/ufw-abuseipdb
sudo chown -R "$USER":"$USER" /var/log/ufw-abuseipdb
pm2 start
eval "$(pm2 startup | grep sudo)"
pm2 saveAfter a successful installation, the script will run continuously in the background, monitoring UFW logs and automatically reporting IP addresses.
Servers are constantly scanned by bots, usually looking for security vulnerabilities and similar weaknesses. So don't be surprised if the number of reports sent to AbuseIPDB exceeds a thousand the next day.
pm2 logs ufw-abuseipdbBlocked by UFW on NY01 [8096/tcp] | SPT: 52458 | TTL: 243 | LEN: 40 | TOS: 0x08 β’ Reported by: github.com/sefinek/UFW-AbuseIPDB-Reporter
Blocked by UFW on PL02 [64505/tcp] | SPT: 34017 | TTL: 43 | LEN: 44 | TOS: 0x00 β’ Reported by: github.com/sefinek/UFW-AbuseIPDB-Reporter
If you want to contribute to the development of this project, feel free to create a new Pull request. I will definitely appreciate it!
π GPL-3.0 License
Copyright Β© 2024-2026 Sefinek
