Why You Need to Check IP Reputation
If you operate any internet-facing infrastructure, checking IP reputation is not optional — it is a core security practice. Here are the most common scenarios where IP checking matters:
- Suspicious IPs in server logs — You see repeated failed login attempts, unusual API calls, or requests for paths like /wp-admin, /.env, or /phpmyadmin from an IP you don't recognize. Is it a vulnerability scanner, a bot, or a real user who mistyped a URL?
- Incident investigation — During a security incident, you need to quickly determine whether an IP is a known threat actor, part of a botnet, or associated with specific malware campaigns. Context is everything when deciding how to respond.
- Traffic validation — Your analytics show traffic from unexpected countries or IP ranges. Is this legitimate organic traffic or automated scraping? IP reputation data helps distinguish real visitors from malicious bots.
- Firewall rule management — Before adding or removing an IP from your block list, you want to verify whether it's a known threat or a false positive. Blocking a legitimate cloud service IP because of one bad report can break things; not blocking a known attacker leaves you exposed.
- Third-party risk assessment — An IP address associated with a potential business partner, API integration, or email sender can be checked for any history of abuse or compromise.
Method 1: Manual Lookup on WAYSCloud
The simplest way to check an IP is to search for it directly on WAYSCloud. Enter the IP in the search bar at the top of any page, or navigate directly to the intelligence page:
https://ip.wayscloud.services/ip-intelligence/185.220.101.1
The IP intelligence page shows you:
- Threat score (0-100) — Calculated from multiple sources with reporter trust weighting, time decay, and multi-source diversity bonuses
- Risk level — Clean, Low, Medium, High, or Critical
- Attack categories — SSH brute force, port scanning, HTTP flood, malware distribution, botnet C2, etc.
- Geolocation — Country, city, region, coordinates, and timezone
- ASN/ISP information — Which network the IP belongs to, the autonomous system number, and organization name
- Individual reports — Each abuse report with timestamp, category, severity, and confidence score
- Reverse DNS — The hostname associated with the IP, if any
Method 2: Using the WAYSCloud API
For programmatic checks, use the REST API. No API key is required for basic lookups.
Quick threat check
```bash
# Check a single IP address
curl -s https://ip.wayscloud.services/api/v1/ip/185.220.101.1

# Get just the threat intelligence section
curl -s https://ip.wayscloud.services/api/v1/ip/185.220.101.1 \
  | jq '.intelligence_data | {
      threat_score,
      risk_level,
      categories,
      total_reports,
      confidence,
      unique_reporters
    }'
```
Example API response
```json
{
  "ip": "185.220.101.1",
  "intelligence_data": {
    "threat_score": 92.5,
    "risk_level": "critical",
    "categories": ["ssh_bruteforce", "port_scan"],
    "total_reports": 47,
    "confidence": 0.89,
    "unique_reporters": 4,
    "unique_sources": 3,
    "recommendation": "block"
  },
  "geo": {
    "country": "Germany",
    "country_code": "DE",
    "city": "Frankfurt am Main",
    "asn": "AS205100",
    "isp": "F3 Netze e.V."
  }
}
```
Geolocation and reverse DNS
```bash
# Get geolocation data
curl -s https://ip.wayscloud.services/geo/185.220.101.1

# Get reverse DNS hostname
curl -s https://ip.wayscloud.services/reverse/185.220.101.1

# Quick check from a bash script
IP="185.220.101.1"
SCORE=$(curl -s "https://ip.wayscloud.services/api/v1/ip/$IP" \
  | jq -r '.intelligence_data.threat_score // 0')
echo "IP $IP has threat score: $SCORE"
```
Search across all intelligence sources
```bash
# Search by IP, domain, or URL across all data sources
curl -s "https://ip.wayscloud.services/search?q=185.220.101.1"

# Search for a domain
curl -s "https://ip.wayscloud.services/search?q=suspicious-domain.xyz&type=domain"
```
Method 3: Bulk IP Checking
When you have dozens or hundreds of IPs to check (from a log analysis, for example), you can script batch lookups:
```bash
#!/bin/bash
# Check multiple IPs from a file
# File format: one IP per line
INPUT_FILE="suspicious_ips.txt"

while IFS= read -r ip; do
  # Skip blank lines and comments so they are not sent to the API
  [ -z "$ip" ] && continue
  case "$ip" in \#*) continue ;; esac

  result=$(curl -s "https://ip.wayscloud.services/api/v1/ip/$ip")
  score=$(echo "$result" | jq -r '.intelligence_data.threat_score // 0')
  risk=$(echo "$result" | jq -r '.intelligence_data.risk_level // "unknown"')
  country=$(echo "$result" | jq -r '.geo.country_code // "??"')

  printf "%-18s Score: %5s Risk: %-10s Country: %s\n" \
    "$ip" "$score" "$risk" "$country"

  sleep 0.2 # Rate limiting: 5 requests per second
done < "$INPUT_FILE"
```
For high-volume checking, the API integration guide documents batch endpoints and rate limits for each tier. The free tier supports 1,000 lookups per day, which is sufficient for manual investigations and small-scale log analysis.
Understanding Threat Score Results
The WAYSCloud threat score uses a 0-100 scale calculated from multiple data sources with time decay, reporter trust weighting, and multi-source diversity bonuses.
| Score | Risk Level | Recommended Action |
|---|---|---|
| 0 – 19 | Clean | No action needed. No reports from any threat intelligence source. |
| 20 – 39 | Low | Monitor. Few reports with low confidence. May be a false positive or a compromised device that has been cleaned. |
| 40 – 59 | Medium | Investigate. Multiple reports from different sources. Consider rate limiting or enhanced logging for this IP. |
| 60 – 79 | High | Block or heavily restrict. Confirmed malicious activity from multiple independent sources with high confidence. |
| 80 – 100 | Critical | Block immediately. Known malicious infrastructure, active attack source, or listed on expert-curated threat feeds. High confidence, multiple corroborating sources. |
The score factors include: reporter trust level (verified reporters weigh more), time decay (recent reports weigh more than old ones), severity multipliers, category weights, and a diversity bonus when multiple independent sources corroborate the same IP.
What to Do Based on Results
Critical / High risk: Block
IPs with scores above 60 should be blocked at the firewall level. These are confirmed malicious actors with high-confidence reports from multiple sources:
```bash
# Block with iptables
iptables -A INPUT -s 185.220.101.1 -j DROP

# Block with ufw
ufw deny from 185.220.101.1

# Block with firewalld
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="185.220.101.1" drop'
firewall-cmd --reload
```
Medium risk: Monitor and investigate
IPs scoring 40-59 deserve closer inspection. Check the specific categories and determine if the activity is relevant to your services. An IP flagged for SSH brute force is irrelevant if your server doesn't run SSH on a public interface.
Low risk / Clean: Allow but log
IPs with low scores or no reports can be allowed. Maintain normal logging so that if the IP's behavior changes, you have historical data for investigation.
Integrating IP Checking into Your Security Stack
Manual lookups are useful for investigations, but real security comes from automated, continuous checking. Here's how to integrate IP reputation into your existing tools:
- fail2ban — Configure fail2ban to report banned IPs to WAYSCloud, contributing to the shared threat intelligence network while receiving proactive blocking data in return. See the integration guide for setup instructions.
- nginx — Use a periodic script to fetch high-risk IPs and generate an nginx deny list. Refresh every 15 minutes for near-real-time protection.
- iptables / nftables — Build dynamic block lists from the WAYSCloud API. The blocking guide has complete scripts for this.
- SIEM integration — Enrich security events with IP reputation data at ingest time. When an alert fires, the analyst immediately sees whether the source IP is a known attacker.
- Custom applications — Add IP checking to your login flow, API gateway, or registration process. High-risk IPs can be challenged with CAPTCHA or blocked outright.
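As an added example (not WAYSCloud's own code), the Python below applies the score bands from the table above and the "is this category relevant to my services" check from the Medium-risk advice to API responses in the shape shown earlier, then renders the nginx deny list the integration list mentions. The CATEGORY_SERVICE map, the sample responses and the `run` helper are assumptions constructed for this example.

```python
import ipaddress
import json

# Threshold bands from the page's scoring table: (minimum score, risk level, action).
BANDS = [(80, "critical", "block"), (60, "high", "block"),
         (40, "medium", "investigate"), (20, "low", "monitor"), (0, "clean", "allow")]

# Assumed mapping from attack category to the local service it targets; categories
# not listed here (e.g. port_scan) are treated as relevant to any host.
CATEGORY_SERVICE = {"ssh_bruteforce": "ssh", "http_flood": "http", "sql_injection": "http"}

def classify(score):
    """Map a 0-100 threat score to (risk_level, action) per the page's table."""
    score = max(0.0, min(100.0, float(score)))
    for minimum, level, action in BANDS:
        if score >= minimum:
            return level, action
    return "clean", "allow"

def assess(response_text, exposed_services):
    # One API response (JSON text) -> decision record. A missing intelligence_data
    # block counts as score 0, like the page's jq `// 0`. Medium-risk hits whose
    # categories only target services we do not expose are downgraded to 'monitor'.
    data = json.loads(response_text)
    ip = str(ipaddress.ip_address(data["ip"]))  # reject anything that is not an IP
    intel = data.get("intelligence_data") or {}
    level, action = classify(intel.get("threat_score", 0))
    categories = list(intel.get("categories", []))
    relevant = any(c not in CATEGORY_SERVICE or CATEGORY_SERVICE[c] in exposed_services
                   for c in categories)
    if action == "investigate" and categories and not relevant:
        action = "monitor"
    return {"ip": ip, "level": level, "action": action, "categories": categories}

def nginx_deny_list(assessments):
    """Render 'deny <ip>;' lines for every record whose action is 'block'."""
    return "\n".join(f"deny {a['ip']};" for a in assessments if a["action"] == "block")

# Constructed sample responses in the shape shown on this page; not real lookup results.
SAMPLES = [
    '{"ip": "185.220.101.1", "intelligence_data": {"threat_score": 92.5, "categories": ["ssh_bruteforce", "port_scan"]}}',
    '{"ip": "203.0.113.7", "intelligence_data": {"threat_score": 45, "categories": ["ssh_bruteforce"]}}',
    '{"ip": "198.51.100.9", "intelligence_data": {"threat_score": 64.1, "categories": ["http_flood"]}}',
    '{"ip": "192.0.2.10"}',
]

def run(samples=SAMPLES, exposed_services=("http",)):
    """Assess every sample; exposed_services lists what this host actually serves."""
    return [assess(s, set(exposed_services)) for s in samples]
```

Feed live data in by passing the body of `curl -s https://ip.wayscloud.services/api/v1/ip/$IP` to `assess`; the deny lines can be written to a file that nginx pulls in with `include`, refreshed on the 15-minute cadence suggested above.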