Sysadmins of the North

Technical blog, where topics include: computer, server, web, sysadmin, MySQL, database, virtualization, optimization and security

Check IP address blacklist status in Bash

Here is a Linux Bash shell script to check whether an IP address is listed in a DNSBL blacklist, or RBL. This is a modified version of a by J65nko posted Bash script to check an IP address reputation status in several blacklists. I’ve added HttpBl as backlist and an API key is required for this list. Using this script in Bash you can quickly test if an IP address is blacklisted.

Bash blacklist check code

If you want to check the blacklisting status of an IP address in Bash, then save the following shell code into a newly created file called blcheck (for example). The Bash code is easy to understand and speaks for itself.

Here you have your own blacklist RBL checker Linux shell script:

Looking for a PowerShell blacklist check script? See my post PowerShell IP address blacklist check: find an IP address' blacklist status & reputation

# Check if an IP address is listed on one of the 
# following blacklists. The format is chosen to 
# make it easy to add or delete. The shell script
# will strip multiple white spaces.

# register at to
# obtain an API-key
# simple shell function to show an error message and exit
#  $0  : the name of shell script, $1 is the string passed as argument
#  >&2  : redirect/send the message to stderr
  echo $0 ERROR: $1 >&2
  exit 2

# -- Sanity check on parameters
[ $# -ne 1 ] && ERROR 'Please specify a single IP address'
# -- if the address consists of 4 groups of minimal 1, maximal digits,
#    separated by '.'
# -- reverse the order
# -- if the address does not match these criteria the variable
#    'reverse will be empty'
reverse=$(echo $1 |
  # on one line!
  sed -ne "s~^([0-9]{1,3}).([0-9]{1,3}).([0-9]{1,3}).
if [ "x${reverse}" = "x" ] ; then
      ERROR  "IMHO '$1' doesn't look like a valid IP address"
      exit 1

# Assuming an IP address of as parameter or argument
# If the IP address in $0 passes our crude regular expression
# check, the variable  ${reverse} will contain
# In this case the test will be:
#   [ "x44.33.22.11" = "x" ]
# This test will fail and the program will continue
# An empty '${reverse}' means that shell argument $1 doesn't pass our
# simple IP address check. In that case the test will be:
#   [ "x" = "x" ]
# This evaluates to true, so the script will call the ERROR function
# and quit
# -- do a reverse ( address -> name) DNS lookup
REVERSE_DNS=$(dig +short -x $1)
echo IP $1 NAME ${REVERSE_DNS:----}

# -- cycle through all the blacklists
for BL in ${BLISTS} ; do
    # print the UTC date (without linefeed)
    printf $(env TZ=UTC date "+%Y-%m-%d_%H:%M:%S")
    # show the reversed IP and append the name of the blacklist
    if [ "$BL" == "" ];
      printf "%-50s" " ${HTTPbl_API_KEY}.${reverse}.${BL}."
      printf "%-50s" " ${reverse}.${BL}."
    # use dig to lookup the name in the blacklist
    # echo "$(dig +short -t a ${reverse}.${BL}. |  tr 'n' ' ')"
    if [ "$BL" == "" ];
      LISTED="$(dig +short -t a ${HTTPbl_API_KEY}.${reverse}.${BL}.)"
      echo ${LISTED:----}
      LISTED="$(dig +short -t a ${reverse}.${BL}.)"
      echo ${LISTED:----}
# --- EOT ------

Save the file (in vi: :wq) and give it execute permissions: chmod u+x blcheck.

Blacklist script command-line usage

To look up an IP address to see if it’s blacklisted, use the blcheck script on your Bash command line prompt:


Or input taken from a text file:

for address in `cat blacklist.txt`;
   do ./blcheck $address;
   sleep 2;

The result is for example:

$ ./blcheck
2011-10-14_10:00:24 [your_api_key]     ---
2011-10-14_10:00:24                   ---
2011-10-14_10:00:24                    ---
2011-10-14_10:00:24                ---
$ ./blcheck
2011-10-14_10:01:39 [your_api_key]
2011-10-14_10:01:39                 ---


PHP on IIS 7.5/8.0: No input file specified.


Project Honey Pot


  1. je

    Hi! Good day! What will be the outpuut if the IP has been blacklisted or not?

    • Hi je,
      It’s in the examples: a positive, listed, query response provides details, or the output is nothing if the IP is not listed.

      • A response of ‘—‘ means IP is not listed. From years ago, I recall that responses of “127.0.0.X” where X is some number mean the IP is listed and the X indicates what sort of list it’s on. See this web site for what the X tells you: .
        I just quickly needed something like this and found your script. I had to make some edits, in particular to the sed line that reversed the IP octets. I just changed it into a similar perl -ne line. Also had to change “==” to “=” in some tests. I’m using bash 4.4.19 .

        • I’m curious Marnix to what changes you had to make, because I use the script daily, on GNU bash 4.4.23(1)-release, without issues. Maybe you can post it here in a comment or as a gist?

          PS: the sed line needs to be on one line, it’s on multiple in this post.

      • Different black lists may have different meanings for the 127.0.0.X responses. Here is one place where lists those that it uses:

        • Hi Marnix,

          Thanks for your replies!

          True, there can be different 127.0.0.x responses for different types of listings. For me, it’s enough to know whether an IP address is listed or not. But you can use Project Honey Pot’s HTTP:Bl API for example to block IP addresses on your website if they are listed longer than x or y -days in the blacklist: Fun stuff to try 😉

  2. Anonymous

    I like your script very much, with the sed line it did not work, but I used the sentence from the original script.
    Perhaps there is a possibility to only show line that are “blacklisted” instead of all, this could be handy when us use more then 5 blacklisted servers.

Leave a Reply

Your email address will not be published. Required fields are marked *

Powered by WordPress & Theme by Anders Norén

20 queries, 0.479 seconds running PHP version 7.3.0
qipoee EEJt whUlM