Netabuse started in 2012 as a hobby project and is nowadays maintained by a team of volunteers.
All network abuse on our network is automatically indexed in a central database. Aggregated reports per IP-address are emailed at least one a day to the originating networks's abuse contact in X-ARF format. If the number of incidents form a subnet is too high, the subnet will be added to the firewall automatically.
The system analyses logfiles from several applications to detect abuse and add it to the database.
The system searched the abuse-contect for the offending IP-address sends an X-ARF email. If the email is handled by a ticketing system, the ticket-ID will be detected and linked to our report. New reports will be added to the same ticket.
When too much abuse from a subnet is detected, a firewall rule for blocking traffic from the subnet will be created and activated automatically. The rule will be removed a few days after the abuse has stopped.
ipset list abuse_v4 > /dev/null 2>&1 || (ipset create abuse_v4 hash:net family inet)
ipset list abuse_v6 > /dev/null 2>&1 || (ipset create abuse_v6 hash:net family inet6)
Also create some firewall-rules that use these sets.
iptables -A INPUT -m set --match-set abuse_v4 src -m comment --comment "Block abuse" -j DROP
ip6tables -A INPUT -m set --match-set abuse_v6 src -m comment --comment "Block abuse" -j DROP
Finally, create a cronjob that updates the contents of these sets
# Run this cronjob hourly to update set for ipset
wget https://netabuse.info/export/ipset.php?version=4 -q -O /tmp/abuse_v4.ipset
if [ `cat /tmp/abuse_v4.ipset | wc -l` -gt 1 ]; then
/sbin/ipset restore < /tmp/abuse_v4.ipset
wget https://netabuse.info/export/ipset.php?version=6 -q -O /tmp/abuse_v6.ipset
if [ `cat /tmp/abuse_v6.ipset | wc -l` -gt 1 ]; then
/sbin/ipset restore < /tmp/abuse_v6.ipset
If you have any questions about the software, managing abuse in your network or anything else, please do not hesitate to use the contact form. Normally your question will be answered in 24 hours.