Check IP address blacklist status in Bash

Jan Reilink GNU Linux

Here is a Linux Bash shell script to check whether an IP address is listed in a DNSBL blacklist, or RBL. This is a modified version of a by J65nko posted Bash script to check an IP address reputation status in several blacklists. I’ve added HttpBl as backlist and an API key is required for this list. Using this script in Bash you can quickly test if an IP address is blacklisted.

If you want to check the blacklisting status of an IP address in Bash, then save the following shell code into a newly created file called blcheck (for example). The Bash code is easy to understand and speaks for itself.

Here you have your own blacklist RBL checker Linux shell script:

Looking for a PowerShell blacklist check script? See my post PowerShell IP address blacklist check: find an IP address’ blacklist status & reputation.

#!/bin/sh
#
# Check if an IP address is listed on one of the 
# following blacklists. The format is chosen to 
# make it easy to add or delete. The shell script
# will strip multiple white spaces.

BLISTS="
    dnsbl.httpbl.org
    cbl.abuseat.org
    dnsbl.sorbs.net
    bl.spamcop.net
    zen.spamhaus.org
    combined.njabl.org
"
# register at http://www.projecthoneypot.org/httpbl_api.php to
# obtain an API-key
HTTPbl_API_KEY="[your_api_key]"
# simple shell function to show an error message and exit
#  $0  : the name of shell script, $1 is the string passed as argument
#  >&2  : redirect/send the message to stderr
ERROR() {
  echo $0 ERROR: $1 >&2
  exit 2
}

# -- Sanity check on parameters
[ $# -ne 1 ] && ERROR 'Please specify a single IP address'
# -- if the address consists of 4 groups of minimal 1, maximal digits,
#    separated by '.'
# -- reverse the order
# -- if the address does not match these criteria the variable
#    'reverse will be empty'
reverse=$(echo $1 |
sed -ne "s~^\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)\.\([0-9]\{1,3\}\)$~\4.\3.\2.\1~p")
if [ "x${reverse}" = "x" ] ; then
      ERROR  "IMHO '$1' doesn't look like a valid IP address"
      exit 1
fi

# Assuming an IP address of 11.22.33.44 as parameter or argument
# If the IP address in $0 passes our crude regular expression
# check, the variable  ${reverse} will contain 44.33.22.11
# In this case the test will be:
#   [ "x44.33.22.11" = "x" ]
# This test will fail and the program will continue
# An empty '${reverse}' means that shell argument $1 doesn't pass our
# simple IP address check. In that case the test will be:
#   [ "x" = "x" ]
# This evaluates to true, so the script will call the ERROR function
# and quit
# -- do a reverse ( address -> name) DNS lookup
REVERSE_DNS=$(dig +short -x $1)
echo IP $1 NAME ${REVERSE_DNS:----}

# -- cycle through all the blacklists
for BL in ${BLISTS} ; do
    # print the UTC date (without linefeed)
    printf $(env TZ=UTC date "+%Y-%m-%d_%H:%M:%S")
    # show the reversed IP and append the name of the blacklist
    if [ "$BL" == "dnsbl.httpbl.org" ];
    then
      printf "%-50s" " ${HTTPbl_API_KEY}.${reverse}.${BL}."
    else
      printf "%-50s" " ${reverse}.${BL}."
    fi
    # use dig to lookup the name in the blacklist
    # echo "$(dig +short -t a ${reverse}.${BL}. |  tr 'n' ' ')"
    if [ "$BL" == "dnsbl.httpbl.org" ];
    then
      LISTED="$(dig +short -t a ${HTTPbl_API_KEY}.${reverse}.${BL}.)"
      echo ${LISTED:----}
    else
      LISTED="$(dig +short -t a ${reverse}.${BL}.)"
      echo ${LISTED:----}
    fi
done
# --- EOT ------Code language: Bash (bash)

Save the file (in vi: :wq) and give it execute permissions: chmod u+x blcheck.

Blacklist script command-line usage

To look up an IP address to see if it’s blacklisted, use the blcheck script on your Bash command line prompt:

./blcheck aa.bbb.cc.dddCode language: Bash (bash)

Or input taken from a text file:

for address in `cat blacklist.txt`;
   do ./blcheck $address;
   sleep 2;
   doneCode language: Bash (bash)

The result is for example:

$ ./blcheck 95.56.124.235
IP 95.56.124.235 NAME ---
2011-10-14_10:00:24 [your_api_key].235.124.56.95.dnsbl.httpbl.org.     ---
2011-10-14_10:00:24 235.124.56.95.cbl.abuseat.org.                   127.0.0.2
2011-10-14_10:00:24 235.124.56.95.dnsbl.sorbs.net.                   ---
2011-10-14_10:00:24 235.124.56.95.bl.spamcop.net.                    ---
2011-10-14_10:00:24 235.124.56.95.zen.spamhaus.org.                  127.0.0.4 127.0.0.11
2011-10-14_10:00:24 235.124.56.95.combined.njabl.org.                ---
$ ./blcheck 84.235.75.80
IP 84.235.75.80 NAME 84-235-75-80.saudi.net.sa.
2011-10-14_10:01:39 [your_api_key].80.75.235.84.dnsbl.httpbl.org.      127.1.38.1
2011-10-14_10:01:39 80.75.235.84.cbl.abuseat.org.                    127.0.0.2
2011-10-14_10:01:39 80.75.235.84.dnsbl.sorbs.net.                    127.0.0.7
2011-10-14_10:01:39 80.75.235.84.bl.spamcop.net.                     127.0.0.2
2011-10-14_10:01:39 80.75.235.84.zen.spamhaus.org.                   127.0.0.11 127.0.0.4
2011-10-14_10:01:39 80.75.235.84.combined.njabl.org.                 ---Code language: Bash (bash)

Protip: Donate $10, 20 or 30 through Paypal (or see my donate page) and support this site. Thank you <3

Related Posts

Share this post

Share on LinkedIn Share on Reddit

Jan Reilink

Hi, my name is Jan. I am not a hacker, coder, developer or guru. I am merely an application manager / systems administrator, doing my daily thing at Embrace - The Human Cloud. In the past I worked for clidn and Vevida. With over 20 years of experience, my specialties include Windows Server, IIS, Linux (CentOS, Debian), security, PHP, websites & optimization. I blog at https://www.saotn.org.

16 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments
Are you in my blocklist? - Sysadmins of the North
26/03/2023 11:40

[…] to make the list of IP’s smaller and block entire networks. If you use my Bash script to check an IP address blacklist status you can quickly verify whether an IP address is already listed in Project Honey Pot, for […]

0
Better of 2021 – UCEPROTECT: When RBLs Go Unhealthy – hqwallbase
25/12/2021 11:06

[…] discovered https://github.com/polera/rblwatch very adaptable, and personally use the bash script right here, which permits me to verify a full Class C IP vary (256 addresses) in lower than 5 minutes in […]

0
Kyvan Emami
16/08/2021 19:57

Hey Jan,

Great script that does exactly what I was looking for. Only issue I had with it is the part that checks for valid IP addresses. Currently, with the regex you have it accepts something like 999.999.999.999 as a valid IP.

The regex below only accepts IP addresses in the accepted IPv4 range:
reverse=$(echo “$1” |
sed -nr “s~^(25[0-5]|2[0-4][0-9]|1?[0-9]{0,2})\.(25[0-5]|2[0-4][0-9]|1?[0-9]{0,2})\.(25[0-5]|2[0-4][0-9]|1?[0-9]{0,2})\.(25[0-5]|2[0-4][0-9]|1?[0-9]{0,2})$~\4.\3.\2.\1~p”)

If I ever end up fixing it to exclude private IPv4 ranges as well, I’ll put it here in case you want it.

0
Jan Reilink
Author
Reply to  Kyvan Emami
19/08/2021 10:44

Thank you for your addition Kyvan, much appreciated! :)

0
Jose Pontes
12/02/2021 23:55

Hi there, I was looking for a different kind of script, but with the same purpose, actually I need to teste several IPs against different DNS NAMESERVERS maybe with a ping command or something that gives out the “ping time-out” when the IP is listed and blocked. Currently I have several servers that have this kind of censorship, but each server has several IPs if I find the ones that are unable to be ping I could change forward URL to one that does, maybe a warning via email would be enough.

Would this be possible?
Could you help me out?

0
Ken Clifton
13/10/2020 21:28

Thanks Jan! Nice bash script — thank you! I am using bash version 5.0.17 . To get this working I had to change the if statements at the end to use a single equal sign for the string tests as:

# -- cycle through all the blacklists
for BL in ${BLISTS} ; do
    # print the UTC date (without linefeed)
    printf $(env TZ=UTC date "+%Y-%m-%d_%H:%M:%S")
    # show the reversed IP and append the name of the blacklist
    if [ "$BL" = 'dnsbl.httpbl.org' ];
    then
      printf "%-50s" " ${HTTPbl_API_KEY}.${reverse}.${BL}."
    else
      printf "%-50s" " ${reverse}.${BL}."
    fi
    # use dig to lookup the name in the blacklist
    # echo "$(dig +short -t a ${reverse}.${BL}. |  tr 'n' ' ')"
    if [ "$BL" = 'dnsbl.httpbl.org' ];
    then
      LISTED="$(dig +short -t a ${HTTPbl_API_KEY}.${reverse}.${BL}.)"
      echo ${LISTED:----}
    else
      LISTED="$(dig +short -t a ${reverse}.${BL}.)"
      echo ${LISTED:----}
    fi
done
# --- EOT ------
0
Jan Reilink
Author
Reply to  Ken Clifton
14/10/2020 13:38

Thank you very much Ken! I must admin I haven’t used this script in quite a while, great to see your contribution to keeping it updated :)

0
Christiane
16/10/2019 15:34

Hey,
not sure if anybody still reads the comments on this post, but thought I’d try my luck.
I copied the whole script like it is and get the “‘…’ doesn’t look like a valid IP address” Error everytime, though I definitely executed the scrip with (multiple different) valid IP addresses. Any idea on what the reason could be?
Or maybe anyone else had the same problem and found an easy solution?

0
Jan Reilink
Author
Reply to  Christiane
17/10/2019 00:15

Hi Christiane,
Yes, these comments are still read :) Somehow some characters got lost in the code (might be due to Gutenberg in WordPress – I don’t know). I’ve fixed the sed line, and it now works as expected again.

My apologies for the inconvenience.

0
je
13/04/2018 04:50

Hi! Good day! What will be the outpuut if the IP has been blacklisted or not?

0
Jan Reilink
Author
Reply to  je
13/04/2018 08:37

Hi je,
It’s in the examples: a positive, listed, query response provides details, or the output is nothing if the IP is not listed.

0
Marnix A. van Ammers
Reply to  Jan Reilink
21/09/2018 02:07

A response of ‘—‘ means IP is not listed. From years ago, I recall that responses of “127.0.0.X” where X is some number mean the IP is listed and the X indicates what sort of list it’s on. See this web site for what the X tells you: https://www.spamhaus.org/faq/section/Spamhaus%20DBL#291 .
I just quickly needed something like this and found your script. I had to make some edits, in particular to the sed line that reversed the IP octets. I just changed it into a similar perl -ne line. Also had to change “==” to “=” in some tests. I’m using bash 4.4.19 .

0
Jan Reilink
Author
Reply to  Marnix A. van Ammers
21/09/2018 13:16

I’m curious Marnix to what changes you had to make, because I use the script daily, on GNU bash 4.4.23(1)-release, without issues. Maybe you can post it here in a comment or as a gist?

PS: the sed line needs to be on one line, it’s on multiple in this post.

0
Marnix A. van Ammers
Reply to  Jan Reilink
21/09/2018 02:17

Different black lists may have different meanings for the 127.0.0.X responses. Here is one place where zen.spamhaus.org lists those that it uses: https://www.spamhaus.org/zen/

0
Jan Reilink
Author
Reply to  Marnix A. van Ammers
21/09/2018 13:03

Hi Marnix,

Thanks for your replies!

True, there can be different 127.0.0.x responses for different types of listings. For me, it’s enough to know whether an IP address is listed or not. But you can use Project Honey Pot’s HTTP:Bl API for example to block IP addresses on your website if they are listed longer than x or y -days in the blacklist: https://www.projecthoneypot.org/httpbl_api.php. Fun stuff to try ;-)

0
Anonymous
20/03/2017 13:51

I like your script very much, with the sed line it did not work, but I used the sentence from the original script.
Perhaps there is a possibility to only show line that are “blacklisted” instead of all, this could be handy when us use more then 5 blacklisted servers.

0