Frequently Asked Questions

IP Intelligence is a real-time threat intelligence service from WAYSCloud that helps you identify and block malicious IP addresses.

Think of it as a global neighborhood watch for the internet. We combine two powerful sources:

• Community reports: When servers get attacked, they report it to our network
• WAYSCloud infrastructure intelligence: We operate a large cloud platform that receives enormous amounts of traffic data. Threats detected in our infrastructure are classified and shared with the network

This intelligence is instantly shared with everyone, helping block threats before they reach you.

Use cases:

• Block attackers at your firewall/nginx
• Protect login pages from bruteforce
• Prevent fraud in e-commerce checkouts
• Monitor traffic patterns for anomalies
• Share your fail2ban data to help the community

IP Intelligence is operated by WAYSCloud, a Norwegian technology company providing cloud and AI platforms.

Key facts:

• Based in Norway (EU/EEA data protection standards)
• Focus: Security, threat intelligence, and infrastructure protection

Contributors get free access. If you share threat data (fail2ban, honeypots, manual reports), you get unlimited API access.

Why? Because threat intelligence is better when shared. You help us by reporting attackers, we help you by sharing global intelligence.

Non-contributors: Contact us for API access options if you only want to consume threat intelligence without contributing.

We analyze multiple factors to determine if an IP is a threat:

• Report volume: How many times has this IP been reported?
• Report quality: Verified reporters carry more weight than anonymous
• Time relevance: Recent threats matter more than old ones
• Attack severity: SSH bruteforce vs. critical exploit attempts
• Geographic context: Datacenter attacks vs. residential IPs

The result is a threat score that helps you decide: block immediately, monitor closely, or allow.

Use Case: Block known attackers at nginx level before they reach your application.

Method 1: Pre-request threat check

# Add to nginx.conf
location /login {
    # Check IP before processing
    auth_request /threat-check;

    # Your normal config
    proxy_pass http://backend;
}

location = /threat-check {
    internal;
    proxy_pass https://api.ip.wayscloud.services/json/$remote_addr;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";

    # Block if threat score > 50
    # (implement with nginx-lua or auth service)
}

Method 2: Periodic blocklist generation

#!/bin/bash
# Cron: Run every 5 minutes
# Downloads high-threat IPs and blocks them

curl -s "https://api.ip.wayscloud.services/api/threats/live?time_range=24h" \
  | jq -r '.threats[] | select(.threat_score > 70) | .ip_address' \
  > /etc/nginx/blocked_ips.txt

# Reload nginx
nginx -s reload

nginx.conf:

geo $blocked_ip {
    default 0;
    include /etc/nginx/blocked_ips.txt;
}

server {
    if ($blocked_ip) {
        return 403 "Access denied - threat detected";
    }
}

Use Case: Prevent fraudulent orders from known threat IPs.

Node.js/Express Example:

const axios = require('axios');

// Middleware for checkout protection
async function checkThreatIP(req, res, next) {
    const clientIP = req.headers['x-forwarded-for']?.split(',')[0] || req.ip;

    try {
        const response = await axios.get(
            `https://api.ip.wayscloud.services/json/${clientIP}`
        );

        const threatScore = response.data.threat_intel?.risk_score || 0;

        if (threatScore > 70) {
            // High risk - block or require additional verification
            return res.status(403).json({
                error: "Additional verification required",
                message: "Please contact support to complete your order"
            });
        }

        if (threatScore > 30) {
            // Medium risk - add to request for fraud team review
            req.threatLevel = 'medium';
            req.threatScore = threatScore;
        }

        next();
    } catch (error) {
        // On error, allow request (fail open)
        next();
    }
}

// Use in checkout route
app.post('/api/checkout', checkThreatIP, async (req, res) => {
    // Process order
    // If req.threatLevel === 'medium', flag for manual review
});

Python/Django Example:

import requests
from django.http import JsonResponse

def threat_check_middleware(get_response):
    def middleware(request):
        if request.path.startswith('/checkout'):
            client_ip = request.META.get('HTTP_X_FORWARDED_FOR', '').split(',')[0]
            if not client_ip:
                client_ip = request.META.get('REMOTE_ADDR')

            try:
                r = requests.get(f'https://api.ip.wayscloud.services/json/{client_ip}')
                threat_score = r.json().get('threat_intel', {}).get('risk_score', 0)

                if threat_score > 70:
                    return JsonResponse({
                        'error': 'Access denied',
                        'message': 'Please contact support'
                    }, status=403)

                request.threat_score = threat_score
            except:
                pass  # Fail open

        return get_response(request)
    return middleware

Use Case: Real-time monitoring dashboard showing threats accessing your server.

Simple Dashboard (HTML + JS):

<!DOCTYPE html>
<html>
<head>
    <title>Threat Monitor</title>
</head>
<body>
    <h1>Live Threat Monitor</h1>
    <div id="threats"></div>

    <script>
    // Read nginx access log and check each IP
    async function checkIP(ip) {
        const response = await fetch(`https://api.ip.wayscloud.services/json/${ip}`);
        const data = await response.json();

        if (data.threat_intel && data.threat_intel.risk_score > 50) {
            document.getElementById('threats').innerHTML += `
                <div style="color: red">
                    THREAT: ${ip} (score: ${data.threat_intel.risk_score})
                    Reports: ${data.threat_intel.total_reports}
                    Last seen: ${data.threat_intel.last_seen}
                </div>
            `;
        }
    }

    // Monitor recent access log entries
    setInterval(() => {
        // Parse your access log and check new IPs
        // (implementation depends on your log setup)
    }, 5000);
    </script>
</body>
</html>

Yes! Check multiple IPs in a single request.

Example: Check access log:

#!/bin/bash
# Extract unique IPs from last hour
awk '{print $1}' /var/log/nginx/access.log \
  | tail -10000 \
  | sort -u \
  | while read ip; do
      score=$(curl -s "https://api.ip.wayscloud.services/json/$ip" \
        | jq -r '.threat_intel.risk_score // 0')

      if [ "$score" -gt 70 ]; then
          echo "THREAT: $ip (score: $score)"
          # Add to firewall block list
          ufw deny from $ip
      fi
  done

Rate limits: Generous limits for legitimate use. Contributors get higher limits.

Complete guide: https://ip.wayscloud.services/integrate

Quick setup (5 minutes):

1. Register: curl -X POST https://api.ip.wayscloud.services/register ...
2. Install reporter script: /usr/local/bin/wayscloud-report.sh
3. Configure fail2ban action: /etc/fail2ban/action.d/wayscloud.conf
4. Enable in jails: wayscloud[category=ssh_bruteforce]
5. Restart: systemctl restart fail2ban

Result: Every banned IP automatically reported to global threat network. You help protect everyone while getting access to global intelligence.

Domain verification proves you own your domain using DNS TXT records (same method as Google, Microsoft).

Why verify?

• Higher trust: Your reports carry more weight in threat scoring
• Better accuracy: Verified sources improve intelligence quality for everyone
• Premium features: Access to advanced capabilities (coming soon)

How to verify:

1. Register with domain parameter
2. Add TXT record to your DNS: wayscloud-verify=YOUR-ID
3. Wait for automatic verification (runs every hour)

Complete guide: See Integration page → Domain Verification tab

REST API works with any language that can make HTTP requests.

Examples available for:

• Bash/curl (command-line scripts)
• Python (Flask, Django)
• Node.js (Express)
• PHP (Laravel, WordPress)
• Go, Rust, Java, C#

API Documentation: https://api.ip.wayscloud.services/docs

Yes! The service is production-ready.

Production features:

• Fast API response times
• SSL/TLS encryption
• Comprehensive error handling
• Rate limiting to ensure stability

Already used in production by:

• Web servers (nginx/Apache threat blocking)
• E-commerce platforms (fraud prevention)
• Security systems (fail2ban integration)
• Monitoring dashboards

For enterprise use: Organizations with high-volume requirements should contact us for dedicated infrastructure and SLA guarantees.

Free tier limits are designed for reasonable production use:

• IP Lookups: Generous limits for typical integrations (fail2ban, firewalls, web apps)
• Abuse Reporting: High limits for community contributors
• Registration: Rate-limited to prevent abuse

For high-volume operations: Organizations with enterprise-scale requirements (millions of daily lookups, bulk processing, dedicated SLA) should contact us for custom solutions and pricing.

Monitoring: API responses include X-RateLimit-* headers showing your current usage and remaining quota.

If your IP is flagged but shouldn't be, you can request removal.

Common reasons:

• Your server was compromised but is now fixed
• You got a "trash IP" from your ISP (previous owner abused it)
• False positive / misclassification
• You run a shared hosting / VPN service (legitimate use)

Dual Verification Required:

1. IP Verification: Request must come from the actual IP being delisted
2. DNS Verification: You must provide a hostname (e.g., mail.example.com, server.example.com) and add a DNS TXT record

This dual verification proves you control both the IP and the hostname pointing to it.

Step-by-step process:

1. Make request FROM the flagged IP
2. Provide hostname that points to this IP (REQUIRED)
3. Add DNS TXT record to your hostname
4. Wait for automatic DNS verification (runs hourly)
5. Our team reviews within 24-48 hours after verification

Example:

curl -X POST https://api.ip.wayscloud.services/delist \
  -H "Content-Type: application/json" \
  -d '{
    "ip_address": "YOUR.IP.ADDRESS.HERE",
    "reason": "Server was compromised on 2025-10-10 but has been cleaned and secured with new firewall rules",
    "contact_email": "admin@example.com",
    "hostname": "mail.example.com"
  }'

# Response includes DNS TXT record to add:
# wayscloud-delist=550e8400-e29b-41d4-a716-446655440000

# Add to DNS:
mail.example.com    TXT  "wayscloud-delist=550e8400-..."
# OR:
_wayscloud.mail.example.com  TXT  "wayscloud-delist=550e8400-..."

# Test DNS:
dig TXT mail.example.com +short

Important notes:

• ✅ Hostname is REQUIRED - cannot be omitted
• ✅ Request is NOT automatic - manually reviewed by our team
• ✅ Legitimate ongoing threats will not be removed
• ✅ DNS verification must be completed before review
• ✅ You may be contacted for additional verification

Response: You'll receive a request ID and DNS TXT record to add. Once DNS verifies, review begins.

Yes. We follow strict Norwegian/EU privacy standards.

What's public:

• Attacker IP addresses (the threats)
• Aggregate statistics (countries, categories)
• Threat map visualizations

What's private:

• Your reporter identity
• Your domain (if verified)
• Your API token
• Your server's IP address
• Detection details

GDPR compliant: Data minimization, purpose limitation, right to erasure. Contact us to delete your data.