Check IP address blacklist status in Bash

Here is a Linux Bash shell script to check whether an IP address is listed in a DNSBL blacklist, or RBL. This is a modified version of a by J65nko posted Bash script to check an IP address reputation status in several blacklists. I’ve added HttpBl as backlist and an API key is required for this list. Using this script in Bash you can quickly test if an IP address is blacklisted.

Bash blacklist check code #

If you want to check the blacklisting status of an IP address in Bash, then save the following shell code into a newly created file called blcheck (for example). The Bash code is easy to understand and speaks for itself.

Here you have your own blacklist RBL checker Linux shell script:

Looking for a PowerShell blacklist check script? See my post PowerShell IP address blacklist check: find an IP address' blacklist status & reputation

#!/bin/sh
#
# Check if an IP address is listed on one of the 
# following blacklists. The format is chosen to 
# make it easy to add or delete. The shell script
# will strip multiple white spaces.

BLISTS="
    dnsbl.httpbl.org
    cbl.abuseat.org
    dnsbl.sorbs.net
    bl.spamcop.net
    zen.spamhaus.org
    combined.njabl.org
"
# register at http://www.projecthoneypot.org/httpbl_api.php to
# obtain an API-key
HTTPbl_API_KEY="[your_api_key]"
# simple shell function to show an error message and exit
#  $0  : the name of shell script, $1 is the string passed as argument
#  >&2  : redirect/send the message to stderr
ERROR() {
  echo $0 ERROR: $1 >&2
  exit 2
}

# -- Sanity check on parameters
[ $# -ne 1 ] && ERROR 'Please specify a single IP address'
# -- if the address consists of 4 groups of minimal 1, maximal digits,
#    separated by '.'
# -- reverse the order
# -- if the address does not match these criteria the variable
#    'reverse will be empty'
reverse=$(echo $1 |
  # on one line!
  sed -ne "s~^([0-9]{1,3}).([0-9]{1,3}).([0-9]{1,3}).
     ([0-9]{1,3})$~4.3.2.1~p")
if [ "x${reverse}" = "x" ] ; then
      ERROR  "IMHO '$1' doesn't look like a valid IP address"
      exit 1
fi

# Assuming an IP address of 11.22.33.44 as parameter or argument
# If the IP address in $0 passes our crude regular expression
# check, the variable  ${reverse} will contain 44.33.22.11
# In this case the test will be:
#   [ "x44.33.22.11" = "x" ]
# This test will fail and the program will continue
# An empty '${reverse}' means that shell argument $1 doesn't pass our
# simple IP address check. In that case the test will be:
#   [ "x" = "x" ]
# This evaluates to true, so the script will call the ERROR function
# and quit
# -- do a reverse ( address -> name) DNS lookup
REVERSE_DNS=$(dig +short -x $1)
echo IP $1 NAME ${REVERSE_DNS:----}

# -- cycle through all the blacklists
for BL in ${BLISTS} ; do
    # print the UTC date (without linefeed)
    printf $(env TZ=UTC date "+%Y-%m-%d_%H:%M:%S")
    # show the reversed IP and append the name of the blacklist
    if [ "$BL" == "dnsbl.httpbl.org" ];
    then
      printf "%-50s" " ${HTTPbl_API_KEY}.${reverse}.${BL}."
    else
      printf "%-50s" " ${reverse}.${BL}."
    fi
    # use dig to lookup the name in the blacklist
    # echo "$(dig +short -t a ${reverse}.${BL}. |  tr 'n' ' ')"
    if [ "$BL" == "dnsbl.httpbl.org" ];
    then
      LISTED="$(dig +short -t a ${HTTPbl_API_KEY}.${reverse}.${BL}.)"
      echo ${LISTED:----}
    else
      LISTED="$(dig +short -t a ${reverse}.${BL}.)"
      echo ${LISTED:----}
    fi
done
# --- EOT ------

Save the file (in vi: :wq) and give it execute permissions: chmod u+x blcheck.

Blacklist script command-line usage #

To look up an IP address to see if it’s blacklisted, use the blcheck script on your Bash command line prompt:

./blcheck aa.bbb.cc.ddd

Or input taken from a text file:

for address in `cat blacklist.txt`;
   do ./blcheck $address;
   sleep 2;
   done

The result is for example:

$ ./blcheck 95.56.124.235
IP 95.56.124.235 NAME ---
2011-10-14_10:00:24 [your_api_key].235.124.56.95.dnsbl.httpbl.org.     ---
2011-10-14_10:00:24 235.124.56.95.cbl.abuseat.org.                   127.0.0.2
2011-10-14_10:00:24 235.124.56.95.dnsbl.sorbs.net.                   ---
2011-10-14_10:00:24 235.124.56.95.bl.spamcop.net.                    ---
2011-10-14_10:00:24 235.124.56.95.zen.spamhaus.org.                  127.0.0.4 127.0.0.11
2011-10-14_10:00:24 235.124.56.95.combined.njabl.org.                ---
$ ./blcheck 84.235.75.80
IP 84.235.75.80 NAME 84-235-75-80.saudi.net.sa.
2011-10-14_10:01:39 [your_api_key].80.75.235.84.dnsbl.httpbl.org.      127.1.38.1
2011-10-14_10:01:39 80.75.235.84.cbl.abuseat.org.                    127.0.0.2
2011-10-14_10:01:39 80.75.235.84.dnsbl.sorbs.net.                    127.0.0.7
2011-10-14_10:01:39 80.75.235.84.bl.spamcop.net.                     127.0.0.2
2011-10-14_10:01:39 80.75.235.84.zen.spamhaus.org.                   127.0.0.11 127.0.0.4
2011-10-14_10:01:39 80.75.235.84.combined.njabl.org.                 ---

Please Support Saotn.org

Each post on Sysadmins of the North takes a significant amount of time to research, write, and edit. Therefore, your donation helps a lot! For example, a donation of $3 U.S. buys me a cup of coffee, and as you know: things jsut work better with coffee. A $10 U.S. donation buys me one month of web hosting (yes, hosting costs money). But seriously, thank you for any amount. Much appreciated!

I thought you might find this interesting:   Install Elasticsearch on CentOS 6.7

Please donate to support this site if you found a post interesting or if it helped you solve a problem. Thanks! (Tip: no Paypal account required)

If you appreciated this post, then please donate using this Paypal button


Jan Reilink

My name is Jan. I am not a hacker, coder, developer, programmer or guru. I am merely a system administrator, doing my daily thing at Vevida in the Netherlands. With over 15 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization.

Leave a Reply

1 Comment on "Check IP address blacklist status in Bash"

Hi! Join the discussion, leave a reply!

Sort by:   newest | oldest | most voted
Anonymous
Guest

I like your script very much, with the sed line it did not work, but I used the sentence from the original script.
Perhaps there is a possibility to only show line that are “blacklisted” instead of all, this could be handy when us use more then 5 blacklisted servers.