Community-driven IP blacklist available via API and GitHub. Use it to block known malicious IPs in your firewall, web server, or application — updated automatically from real-world attack data.
Every IP in the blacklist comes from community reports that hit our reputation engine. An IP is included only when:
The blacklist refreshes automatically — there is no manual editorial review. The whole pipeline
is open and transparent: you can verify any entry via
GET /reportedip/v2/check?ip=<ip>&verbose=true
to see the exact score breakdown.
The full blacklist is published as a public GitHub repository, updated every 48 hours from the live API data. You can clone it, use it in CI/CD pipelines, or integrate it into your infrastructure.
github.com/reportedip/reportedip-blacklist
reportedip-blacklist/
├── blacklist-all.txt # All IPs, one per line
├── blacklist-all.json # All IPs with metadata
├── blacklist-all.csv # All IPs, CSV format
└── lists/
├── spam.txt
├── brute-force.txt
├── cms-login.txt
├── web-attacks.txt
├── scanning.txt
├── exploitation.txt
├── honeypot.txt
├── phishing.txt
└── malware.txt
Plain text, one IP address per line. Lines starting with # are comments
containing metadata such as generation time and total count.
# ReportedIP Blacklist
# Generated: 2026-03-10T00:00:00Z
# Total: 12847
1.2.3.4
5.6.7.8
9.10.11.12Array of objects with full metadata for each IP, including confidence score, categories, and the last time the IP was reported.
[
{
"ip": "1.2.3.4",
"confidence": 95,
"categories": ["brute-force", "cms-login"],
"last_seen": "2026-03-09T14:22:00Z"
},
{
"ip": "5.6.7.8",
"confidence": 82,
"categories": ["scanning"],
"last_seen": "2026-03-08T09:15:00Z"
}
]Comma-separated values with headers. Easy to import into spreadsheets, databases, or SIEM tools.
ip,confidence,category,last_seen
1.2.3.4,95,brute-force,2026-03-09T14:22:00Z
5.6.7.8,82,scanning,2026-03-08T09:15:00Z
9.10.11.12,78,web-attacks,2026-03-07T20:45:00ZUse the blacklist files to block malicious IPs at the firewall or web server level. Below are integration examples for common tools.
Generate a blocklist config and include it in your Nginx server block:
# Generate Nginx blocklist from TXT file
awk '{print "deny " $1 ";"}' blacklist-all.txt > /etc/nginx/blocklist.conf# /etc/nginx/sites-enabled/default
server {
include /etc/nginx/blocklist.conf;
# ... rest of your config
}# .htaccess — Block reported IPs
<RequireAll>
Require all granted
Require not ip 1.2.3.4
Require not ip 5.6.7.8
Require not ip 9.10.11.12
</RequireAll># Block all IPs from the blacklist
while read ip; do
iptables -A INPUT -s "$ip" -j DROP
done < blacklist-all.txtCreate a custom jail that bans IPs from the ReportedIP blacklist:
# /etc/fail2ban/jail.d/reportedip.conf
[reportedip-blacklist]
enabled = true
banaction = iptables-allports
bantime = 86400
filter = reportedip-blacklist
logpath = /var/log/reportedip-blacklist.log
maxretry = 1
The /blacklist endpoint provides real-time access to the full blacklist with
filtering options. An API key is required.
| Parameter | Type | Description |
|---|---|---|
format |
string | Response format: json (default), txt, csv |
source |
string | Blacklist source: community (default) — only one source available; the source parameter is reserved for future use |
confidence_minimum |
integer | Minimum confidence score (0–100). Default: 75 |
category |
string | Filter by threat category slug (e.g. brute-force, spam) |
limit |
integer | Maximum number of IPs to return. Default: 10000 |
curl -H "X-Key: YOUR_API_KEY" \
"https://reportedip.de/wp-json/reportedip/v2/blacklist?format=txt&confidence_minimum=90"See the API Reference for full endpoint documentation, response format, and additional parameters.
Set up a cron job to automatically download the latest blacklist and update your firewall rules.
# /etc/cron.d/reportedip-blacklist
0 */6 * * * root /usr/local/bin/update-reportedip-blocklist.sh#!/bin/bash
# /usr/local/bin/update-reportedip-blocklist.sh
# Downloads the latest ReportedIP blacklist and updates Nginx blocklist
API_KEY="your-api-key-here"
API_URL="https://reportedip.de/wp-json/reportedip/v2/blacklist"
BLOCKLIST="/etc/nginx/blocklist.conf"
TMPFILE=$(mktemp)
# Download latest blacklist in TXT format
curl -sf -H "X-Key: $API_KEY" \
"$API_URL?format=txt&confidence_minimum=90" \
-o "$TMPFILE"
if [ $? -eq 0 ] && [ -s "$TMPFILE" ]; then
# Convert to Nginx deny directives
grep -v "^#" "$TMPFILE" | grep -v "^$" | \
awk '{print "deny " $1 ";"}' > "$BLOCKLIST"
# Reload Nginx
nginx -t && systemctl reload nginx
echo "$(date): Blocklist updated with $(wc -l < "$BLOCKLIST") entries"
else
echo "$(date): Failed to download blacklist" >&2
fi
rm -f "$TMPFILE"| Method | Latency | Auth Required | Best For |
|---|---|---|---|
| API | Real-time | Yes (API key) | Automated blocking, dynamic firewall rules, SIEM integration |
| GitHub | Up to 48 hours | No | Static firewall rules, CI/CD pipelines, offline analysis |