Report IP Abuse
Register as a threat reporter, submit abuse reports from your infrastructure, and help improve the WAYSCloud threat intelligence network. Reports from verified sources directly influence IP threat scores visible to all users.
What you are building
A reporting pipeline that sends IP abuse data from your systems (fail2ban, IDS, honeypots, or manual review) into the WAYSCloud threat intelligence network. Your reports increase threat scores for malicious IPs, helping everyone block attackers faster.
When to use
- You run fail2ban, Suricata, or other IDS that detects malicious IPs
- You operate honeypots that capture attacker activity
- You manually investigate security incidents and want to share findings
- You want to request delisting of an IP that was previously reported
What you need
- A WAYSCloud account with an IP Intelligence API key
- A domain you control (for verification — increases your trust score)
Step 1: Register as a reporter
Tell WAYSCloud about your organization and how you detect abuse.
curl -X POST https://api.wayscloud.services/v1/ip/reporters/register \
-H "X-API-Key: wayscloud_ipintel_abc12_YOUR_SECRET" \
-H "Content-Type: application/json" \
-d '{
"name": "ACME Security Lab",
"source_type": "hybrid",
"contact": "security@acme.com",
"intent": "fail2ban + manual incident review",
"domain": "acme.com"
}'Response:
{
"reporter_id": "550e8400-e29b-41d4-a716-446655440000",
"trust_score": 0.4,
"status": "active",
"usage": {
"report_endpoint": "POST /v1/ip/report",
"auth": "Use your WAYSCloud API key (same X-API-Key header)"
}
}Your initial trust score depends on source_type:
| Source type | Trust score | Description |
|---|---|---|
automated | 0.4 | Fully automated (fail2ban, IDS) |
hybrid | 0.6 | Automated detection + human review |
manual | 0.8 | Human-verified reports only |
Save the reporter_id — you need it for domain verification.
Step 2: Verify your domain (optional, recommended)
Verifying domain ownership raises your trust score to 1.0 — the maximum. Verified reports carry more weight in threat scoring.
Add a DNS TXT record:
_wayscloud-reporter.acme.com TXT "reporter=550e8400-e29b-41d4-a716-446655440000"Then verify:
curl -X POST https://api.wayscloud.services/v1/ip/reporters/verify \
-H "X-API-Key: wayscloud_ipintel_abc12_YOUR_SECRET" \
-H "Content-Type: application/json" \
-d '{
"reporter_id": "550e8400-e29b-41d4-a716-446655440000",
"domain": "acme.com"
}'Response:
{
"reporter_id": "550e8400-e29b-41d4-a716-446655440000",
"domain": "acme.com",
"trust_score": 1.0,
"message": "Domain ownership verified successfully"
}Step 3: Submit abuse reports
Report malicious IPs as they are detected. Each report includes the IP, attack category, severity, and optionally a comment.
curl -X POST https://api.wayscloud.services/v1/ip/report \
-H "X-API-Key: wayscloud_ipintel_abc12_YOUR_SECRET" \
-H "Content-Type: application/json" \
-d '{
"ip": "45.155.205.233",
"category": "ssh_bruteforce",
"severity": "high",
"confidence": 0.9,
"comment": "Repeated SSH login attempts over 24h",
"session_id": "fail2ban-ssh-20260330"
}'Response:
{
"report_id": 12345,
"ip": "45.155.205.233",
"category": "ssh_bruteforce",
"initial_score": 24.0,
"message": "Abuse report submitted successfully"
}Available categories:
| Category | Description |
|---|---|
ssh_bruteforce | SSH login brute force |
ftp_bruteforce | FTP login brute force |
web_attack | HTTP exploit attempts |
port_scan | Port scanning |
spam | Email spam source |
phishing | Phishing host |
malware | Malware distribution |
botnet | Botnet command & control |
ddos | DDoS participation |
other | Other abuse |
Duplicate reports (same IP + category within 1 hour) are automatically deduplicated.
Step 4: Request delisting (if needed)
If an IP you manage has been reported and you have resolved the issue, request delisting:
curl -X POST https://api.wayscloud.services/v1/ip/delist \
-H "X-API-Key: wayscloud_ipintel_abc12_YOUR_SECRET" \
-H "Content-Type: application/json" \
-d '{
"ip_address": "203.0.113.50",
"hostname": "mail.example.com",
"reason": "Server was compromised via outdated plugin. Now patched, firewall updated, malware removed.",
"contact_email": "admin@example.com"
}'Response:
{
"request_id": "660f9511-f3a0-5483-b827-1f13c4d55111",
"ip_address": "203.0.113.50",
"verification_status": "ip_verified",
"message": "Delisting request submitted. Review typically takes 24-48 hours."
}IP ownership is verified automatically via reverse DNS. Requests from verified IP owners are processed faster.
Automate with fail2ban
Add a custom action to report banned IPs automatically:
# /etc/fail2ban/action.d/wayscloud-report.conf
[Definition]
actionban = curl -s -X POST https://api.wayscloud.services/v1/ip/report \
-H "X-API-Key: <apikey>" \
-H "Content-Type: application/json" \
-d '{"ip": "<ip>", "category": "ssh_bruteforce", "severity": "medium", "confidence": 0.8, "session_id": "fail2ban-<name>-<ip>"}'# /etc/fail2ban/jail.local
[sshd]
action = %(action_mwl)s
wayscloud-report[apikey=wayscloud_ipintel_abc12_YOUR_SECRET]You now have
- A registered reporter identity in the WAYSCloud threat intelligence network
- Domain verification for maximum trust score (1.0)
- A pipeline for submitting abuse reports (manual or automated)
- Ability to request delisting for IPs you manage
- Integration with fail2ban for automatic reporting
Next: Look up any IP to see how reports affect threat scores, or protect your login flow using IP Intelligence.
Related
- IP Intelligence — look up IPs, threat scores, and detection flags
- IP Intelligence API reference — all endpoints
- Protect Login with IP Intelligence — use threat data in your auth flow
- WAYSCloud Shield — DNS-level threat filtering