Integrate with WAYSCloud IP Intelligence
Join a global network of security researchers, system administrators, and threat intelligence providers. Share real-time threat data and protect your infrastructure with community-powered intelligence.
Fail2ban Integration
Automatically report SSH bruteforce, HTTP attacks, and other threats from your fail2ban installation to WAYSCloud. Help build a global threat intelligence network while protecting your servers.
Real-time Reporting
Every banned IP is instantly reported to WAYSCloud, visible on the live threat map within seconds.
Zero Maintenance
Set it up once, and forget about it. Automatic reporting runs in the background.
Community Protection
Your reports help protect other servers worldwide from the same attackers.
Free Forever
No limits, no costs. Unlimited reporting and API access for contributors.
Step-by-Step Setup
-
Register your server
Get your API token by registering as a reporter. Include your domain for higher trust score (0.4 → 1.0):curl -4 -X POST https://api.ip.wayscloud.services/register \ -H "Content-Type: application/json" \ -d '{ "name": "MyServer fail2ban", "contact": "admin@example.com", "intent": "fail2ban SSH bruteforce protection", "source_type": "automated", "domain": "example.com" }'Pro Tip: Include your
domainparameter to get domain verification instructions. Verified reporters get maximum trust score (1.0) - your reports carry more weight in the threat intelligence network!See the Domain Verification tab for complete setup instructions.
Save yourapi_tokenfrom the response! -
Install reporter script
Create/usr/local/bin/wayscloud-report.sh:Make it executable:#!/bin/bash API_TOKEN="wayscloud_YOUR_TOKEN_HERE" API_URL="https://api.ip.wayscloud.services/report" IP="$1" CATEGORY="$2" COMMENT="$3" HOSTNAME=$(hostname -s) TIMESTAMP=$(date +%Y%m%d%H%M%S) SESSION_ID="fail2ban-${HOSTNAME}-${TIMESTAMP}-${IP//[.:]/}" curl -4 -s -X POST "$API_URL" \ -H "Authorization: Bearer $API_TOKEN" \ -H "Content-Type: application/json" \ -d "{ \"ip\": \"$IP\", \"category\": \"$CATEGORY\", \"comment\": \"$COMMENT\", \"session_id\": \"$SESSION_ID\", \"severity\": \"medium\", \"confidence\": 0.9 }" > /dev/null 2>&1 & exit 0chmod +x /usr/local/bin/wayscloud-report.shNote: The
-4flag forces IPv4. WAYSCloud has both IPv4 and IPv6 endpoints, but if your server doesn't support IPv6, curl may fail without this flag. If you have native IPv6 support, you can remove-4. -
Configure fail2ban action
Create/etc/fail2ban/action.d/wayscloud.conf:[Definition] actionban = /usr/local/bin/wayscloud-report.sh <ip> <category> "Banned by fail2ban after <failures> attempts" [Init] category = ssh_bruteforce -
Enable in jails
Edit/etc/fail2ban/jail.local:[sshd] enabled = true action = %(action_mwl)s wayscloud[category=ssh_bruteforce] [nginx-auth] enabled = true action = %(action_mwl)s wayscloud[category=http_auth_bruteforce] -
Restart and verify
systemctl restart fail2ban fail2ban-client status # Test manually /usr/local/bin/wayscloud-report.sh "1.2.3.4" "ssh_bruteforce" "Test report"
Threat Categories
The system accepts any category name you need. Use whatever makes sense for your services:
# Common categories (recommended)
ssh_bruteforce - SSH login attempts
http_auth_bruteforce - HTTP basic auth attacks
http_ddos - HTTP request flooding
port_scan - Port scanning activity
cms_attack - WordPress/CMS exploits
# Email/messaging
smtp_bruteforce - Email login attempts
imap_bruteforce - IMAP/POP3 attacks
postfix_spam - Postfix spam attempts
# VoIP/telephony
sip_attack - SIP/VoIP attacks
asterisk_bruteforce - Asterisk login attempts
voip_flood - VoIP flooding
# Database/services
mysql_bruteforce - MySQL login attempts
rdp_bruteforce - Windows RDP attacks
ftp_bruteforce - FTP login attempts
# Custom categories
YOUR_SERVICE_attack - Any service you need!
Smart categorization: We normalize and group similar categories automatically
(e.g., sip_attack, asterisk_bruteforce, and voip_flood
are grouped as VoIP threats). Use descriptive names that make sense for your setup.
Domain Verification
Prove you own your domain to increase your reporter trust score from 0.4-0.8 to 1.0. Verified reporters' threat reports carry maximum weight in the global intelligence network.
Maximum Trust Score
Verified reporters get trust score 1.0 - your reports have maximum impact on threat intelligence.
Ownership Proof
DNS TXT record verification proves you control the domain - no manual approval needed.
Automatic Verification
Background worker checks your DNS every hour. Keep your TXT record active to maintain verified status and higher trust score.
Industry Standard
Same method used by Google, Microsoft, and major providers for domain ownership verification.
How It Works
Domain verification uses DNS TXT records - the same method used by Google Search Console, Microsoft 365, and other major platforms. You add a special verification code to your domain's DNS, and WAYSCloud automatically checks for it. Simple and secure.
Step-by-Step Verification
-
Register with domain parameter
When registering as a reporter, include yourdomain:curl -4 -X POST https://api.ip.wayscloud.services/register \ -H "Content-Type: application/json" \ -d '{ "name": "MyCompany Security Team", "contact": "security@example.com", "intent": "Automated threat reporting from fail2ban and honeypots", "source_type": "automated", "domain": "example.com" }'The API will return your
api_tokenand complete verification instructions including the TXT record you need to add. -
Add TXT record to DNS
You'll receive a verification code like:wayscloud-verify=550e8400-e29b-41d4-a716-446655440000
Option A: Root domain (recommended for simple setup)Option B: Subdomain (recommended for clean DNS)Type: TXT Name: @ (or leave blank for root) Value: wayscloud-verify=YOUR-REPORTER-ID TTL: 300 (5 minutes) or AutoType: TXT Name: _wayscloud Value: wayscloud-verify=YOUR-REPORTER-ID TTL: 300 (5 minutes) or AutoRecommended: Use the
_wayscloudsubdomain to keep your root domain's TXT records clean. Both methods work identically. -
DNS Provider Examples
Cloudflare
1. Log in to Cloudflare Dashboard 2. Select your domain 3. Go to DNS → Records 4. Click "Add record" 5. Fill in: - Type: TXT - Name: _wayscloud (or @) - Content: wayscloud-verify=YOUR-REPORTER-ID - TTL: Auto 6. Click "Save"CloudDNS / Google Cloud DNS
1. Open Cloud Console → Network Services → Cloud DNS 2. Select your DNS zone 3. Click "Add Record Set" 4. Fill in: - DNS Name: _wayscloud.example.com. (note the trailing dot!) - Resource Record Type: TXT - TTL: 300 - TXT data: wayscloud-verify=YOUR-REPORTER-ID 5. Click "Create"AWS Route 53
1. Open Route 53 Console 2. Select your hosted zone 3. Click "Create record" 4. Fill in: - Record name: _wayscloud - Record type: TXT - Value: "wayscloud-verify=YOUR-REPORTER-ID" (in quotes!) - TTL: 300 5. Click "Create records"cPanel / WHM
1. Log in to cPanel 2. Go to "Domains" → "Zone Editor" 3. Click "Manage" next to your domain 4. Click "Add Record" 5. Fill in: - Type: TXT - Name: _wayscloud (or leave blank) - Record: wayscloud-verify=YOUR-REPORTER-ID - TTL: 300 6. Click "Add Record" -
Wait for DNS propagation
DNS changes typically propagate within 5-15 minutes, but can take up to 24 hours in some cases.# Test if your TXT record is visible (Linux/Mac) dig TXT example.com +short dig TXT _wayscloud.example.com +short # Windows (PowerShell) nslookup -type=TXT example.com nslookup -type=TXT _wayscloud.example.com # Online tool (works everywhere) # Visit: https://mxtoolbox.com/TXTLookup.aspxYou should see your verification code in the output. If not, wait a few more minutes and try again.
-
Verify manually or wait for auto-verification
Option A: Immediate manual verificationOption B: Automatic verification (recommended)# Verify by domain curl -4 -X POST https://api.ip.wayscloud.services/verify \ -H "Content-Type: application/json" \ -d '{"domain": "example.com"}' # Or verify by reporter ID with authentication curl -4 -X POST https://api.ip.wayscloud.services/verify \ -H "Authorization: Bearer YOUR_API_TOKEN" \ -H "Content-Type: application/json" \ -d '{"reporter_id": "YOUR-REPORTER-ID"}'WAYSCloud runs a background worker every hour that automatically checks all pending domain verifications. Just add the TXT record and wait - you'll be verified within 60 minutes automatically!
Verification Response (Success)Verification Response (Not Yet Verified){ "status": "verified", "reporter_id": "550e8400-e29b-41d4-a716-446655440000", "domain": "example.com", "verified_at": "2025-10-15T14:30:00Z", "trust_score": 1.0, "message": "Domain ownership verified successfully!", "benefits": [ "Trust score increased from 0.4-0.8 to 1.0", "Your reports are now weighted at maximum trust", "Verified badge on your reporter profile" ] }{ "status": "not_verified", "reporter_id": "550e8400-e29b-41d4-a716-446655440000", "domain": "example.com", "expected_txt": "wayscloud-verify=550e8400-e29b-41d4-a716-446655440000", "found_records": ["google-site-verification=abc123", "v=spf1 ..."], "message": "Verification TXT record not found. Please ensure DNS has propagated.", "help": [ "Expected TXT record: wayscloud-verify=550e8400-...", "Add to domain: example.com (or _wayscloud.example.com)", "Test with: dig TXT example.com +short" ] } -
Verify your new trust score
Once verified, your trust score is upgraded while the TXT record remains active:# Check your reporter status curl -4 -X POST https://api.ip.wayscloud.services/verify \ -H "Content-Type: application/json" \ -d '{"domain": "example.com"}' # Expected response for verified reporter: # "trust_score": 1.0 # "verified": trueComplete! Your reports now carry maximum weight in the threat intelligence network. Keep the TXT record active to maintain 1.0 trust score. If you remove it or change servers/IPs, verification will be lost (but your past reports remain unaffected).
Trust Score Impact
Reporter Types and Trust Scores:
Before Verification:
- Automated (fail2ban, IDS): 0.4
- Hybrid (semi-automated): 0.6
- Manual (human verified): 0.8
After Domain Verification:
- ALL verified reporters: 1.0 (maximum trust)
Example Impact:
Unverified report: IP gets +4 points (0.4 × 10)
Verified report: IP gets +10 points (1.0 × 10)
Verified reports have 2.5x more impact on threat scoring!Troubleshooting
TXT record not found
Solution:
1. Wait 15-30 minutes for DNS propagation
2. Check with dig TXT example.com +short
3. Verify you added the correct verification code
4. Try adding to _wayscloud subdomain instead of root
Wrong TXT record format
Solution:
Make sure the TXT record value is EXACTLY:
wayscloud-verify=YOUR-REPORTER-ID
No quotes, no extra spaces, no "TXT" prefix in the value field.
Multiple TXT records
Note: You can have multiple TXT records on the same domain (Google verification, SPF, DMARC, etc.). WAYSCloud will find the correct one automatically.
curl fails with "Connection refused" or IPv6 errors
Problem: Your server tries to connect via IPv6 but doesn't have IPv6 support.
Solution: Add the -4 flag to all curl commands to force IPv4:
curl -4 -X POST https://api.ip.wayscloud.services/report ...
This is already included in all examples above. If you have native IPv6 support, you can remove the -4 flag.
Security & Privacy
- Your domain is never exposed publicly. Domain information is stored internally only.
- TXT record is safe. The verification code is just your reporter ID - it contains no sensitive information.
- Verification is permanent. Once verified, you can remove the TXT record if needed.
- Industry standard method. Same verification method used by Google, Microsoft, and all major internet services.
API Usage
WAYSCloud provides a simple REST API for IP lookups, threat intelligence, and abuse reporting. Below are practical examples showing how to enrich your systems with real-time threat intelligence.
Real-World Use Cases
These examples show how organizations use WAYSCloud to protect their infrastructure, prevent fraud, and enrich security systems.
Registration Protection
Check user IPs during signup to block known attackers and prevent fraud.
Infrastructure Monitoring
Monitor your own IP addresses for reputation damage and abuse reports.
Real-time Blocking
Integrate with firewalls and load balancers to auto-block high-risk IPs.
SIEM Enrichment
Enrich security logs with geolocation, ISP, and threat intelligence data.
Example 1: Registration Fraud Protection
Check user IP addresses during account registration to prevent fraud and abuse. Block high-risk IPs before they can create accounts.
// Node.js / Express - Registration endpoint with IP check
app.post('/api/register', async (req, res) => {
const userIP = req.headers['x-forwarded-for']?.split(',')[0] || req.ip;
try {
// Check IP reputation with WAYSCloud
const response = await fetch(
`https://api.ip.wayscloud.services/api/search/${userIP}`
);
const ipData = await response.json();
const abuseScore = ipData.intelligence_data?.abuse_score || 0;
const totalReports = ipData.intelligence_data?.total_reports || 0;
// Risk-based decision
if (abuseScore >= 8.0) {
// High risk - block immediately
return res.status(403).json({
error: "Registration denied",
reason: "High-risk IP address detected"
});
} else if (abuseScore >= 5.0 || totalReports > 10) {
// Medium risk - require additional verification
return res.json({
status: "verification_required",
message: "Please complete email verification",
verification_type: "email_and_phone"
});
}
// Low risk - proceed normally
// ... your registration logic here ...
res.json({
status: "success",
message: "Account created successfully"
});
} catch (error) {
console.error("IP check failed:", error);
// Fail open - don't block registration on API errors
// ... proceed with normal registration ...
}
});
/* Example response from WAYSCloud:
{
"ip": "185.220.101.45",
"intelligence_data": {
"total_reports": 142,
"abuse_score": 8.5,
"threat_level": "high",
"categories": ["ssh_bruteforce", "port_scan"],
"first_seen": "2025-09-10T08:00:00Z",
"last_seen": "2025-10-16T04:00:00Z"
}
}
*/Example 2: Monitor Your Own Infrastructure
Continuously monitor your server IPs to detect if they've been reported for abuse. Get early warning before your IP lands on blacklists.
#!/usr/bin/env python3
"""
Monitor your infrastructure IPs for abuse reports.
Run this script via cron every hour to get alerts.
"""
import requests
import json
from datetime import datetime
# Your server IPs to monitor
SERVER_IPS = [
"203.0.113.10", # Web server
"203.0.113.11", # Mail server
"203.0.113.12", # API server
]
# Slack webhook for alerts (optional)
SLACK_WEBHOOK = "https://hooks.slack.com/services/YOUR/WEBHOOK/URL"
def check_ip_reputation(ip):
"""Check IP reputation with WAYSCloud"""
url = f"https://api.ip.wayscloud.services/api/search/{ip}"
response = requests.get(url, timeout=10)
return response.json()
def send_slack_alert(message):
"""Send alert to Slack"""
if SLACK_WEBHOOK:
requests.post(SLACK_WEBHOOK, json={"text": message})
def main():
print(f"IP Reputation Monitor - {datetime.now()}")
print("=" * 60)
alerts = []
for ip in SERVER_IPS:
data = check_ip_reputation(ip)
intel = data.get('intelligence_data', {})
if not intel:
print(f"\n{ip}: Clean (no reports)")
continue
reports = intel.get('total_reports', 0)
abuse_score = intel.get('abuse_score', 0)
threat_level = intel.get('threat_level', 'low')
print(f"\n{ip}")
print(f" Reports: {reports}")
print(f" Abuse Score: {abuse_score}/10")
print(f" Threat Level: {threat_level}")
# Alert on any reports
if reports > 0:
categories = intel.get('categories', [])
alert = (
f"IP REPUTATION ALERT!\n"
f"IP: {ip}\n"
f"Reports: {reports}\n"
f"Abuse Score: {abuse_score}/10\n"
f"Threat Level: {threat_level}\n"
f"Categories: {', '.join(categories)}\n"
f"Action: Investigate immediately!"
)
alerts.append(alert)
print(f" ALERT: {reports} abuse reports found!")
# Send consolidated alert
if alerts:
send_slack_alert("\n\n".join(alerts))
print("\nAlerts sent to Slack!")
else:
print("\nAll IPs clean - no abuse reports")
if __name__ == "__main__":
main()
# Add to crontab for hourly monitoring:
# 0 * * * * /usr/local/bin/monitor-ip-reputation.py >> /var/log/ip-monitor.log 2>&1Example 3: Real-time Request Blocking (nginx)
Block high-risk IPs at the edge before they reach your application. Protect login pages, APIs, and admin panels.
# nginx configuration with threat intelligence blocking
# 1. Create blocking script at /usr/local/bin/check-ip-threat
# ===================================================
#!/bin/bash
# Returns exit code 0 for clean IPs, 1 for threats
IP="$1"
THRESHOLD=${2:-7} # Risk score threshold
# Query WAYSCloud API
RESPONSE=$(curl -4 -s "https://api.ip.wayscloud.services/api/search/$IP")
RISK_SCORE=$(echo "$RESPONSE" | jq -r '.intelligence_data.abuse_score // 0')
# Block if risk score exceeds threshold
if [ "$RISK_SCORE" -ge "$THRESHOLD" ]; then
echo "BLOCKED: Risk score $RISK_SCORE" >&2
exit 1
fi
exit 0
# 2. Make it executable
# chmod +x /usr/local/bin/check-ip-threat
# 3. nginx configuration
# ===================================================
# In your server block:
server {
listen 80;
server_name example.com;
# Protect login and admin pages
location ~ ^/(login|admin|wp-admin) {
# Check IP threat level
access_by_lua_block {
local ip = ngx.var.remote_addr
local handle = io.popen("/usr/local/bin/check-ip-threat " .. ip .. " 70")
local exit_code = handle:close()
if exit_code ~= 0 then
ngx.status = 403
ngx.say("Access denied - High risk IP")
ngx.exit(403)
end
}
proxy_pass http://backend;
}
# Normal pages - no blocking
location / {
proxy_pass http://backend;
}
}
# Result: High-risk IPs get 403 Forbidden before reaching your app!Example 4: SIEM / Log Enrichment
Enrich your security logs with geolocation, ISP, and threat intelligence. Make your logs more actionable.
#!/usr/bin/env python3
"""
Enrich security logs with WAYSCloud threat intelligence.
Reads logs, enriches IPs, outputs enriched JSON for SIEM ingestion.
"""
import requests
import json
import re
from datetime import datetime
def enrich_ip(ip):
"""Get full IP intelligence from WAYSCloud"""
try:
response = requests.get(
f"https://api.ip.wayscloud.services/api/search/{ip}",
timeout=5
)
return response.json()
except Exception as e:
print(f"Error enriching {ip}: {e}")
return None
def parse_log_line(line):
"""Extract IP from common log formats"""
# Apache/nginx combined log format
match = re.match(r'^(\S+)', line)
if match:
return match.group(1)
return None
def enrich_log_file(input_file, output_file):
"""Enrich all IPs in log file"""
seen_ips = set()
ip_cache = {}
with open(input_file, 'r') as infile, \
open(output_file, 'w') as outfile:
for line_num, line in enumerate(infile, 1):
ip = parse_log_line(line)
if not ip or ip in ['127.0.0.1', '::1']:
continue
# Cache lookups
if ip not in ip_cache:
ip_cache[ip] = enrich_ip(ip)
seen_ips.add(ip)
intel = ip_cache[ip]
if not intel:
continue
# Create enriched log entry
enriched = {
'timestamp': datetime.now().isoformat(),
'line_number': line_num,
'ip': ip,
'country': intel.get('country'),
'city': intel.get('city'),
'isp': intel.get('isp'),
'asn': intel.get('asn'),
'threat': {
'reports': intel.get('intelligence_data', {}).get('total_reports', 0),
'abuse_score': intel.get('intelligence_data', {}).get('abuse_score', 0),
'severity': intel.get('intelligence_data', {}).get('threat_level', 'low'),
'categories': intel.get('intelligence_data', {}).get('categories', [])
},
'original_log': line.strip()
}
# Write enriched JSON (one per line for easy SIEM ingestion)
outfile.write(json.dumps(enriched) + '\n')
# Alert on threats
if enriched['threat']['reports'] > 0:
print(f"Line {line_num}: Threat detected from {ip}")
print(f" {enriched['threat']['reports']} reports, "
f"risk score {enriched['threat']['abuse_score']}")
print(f"\nProcessed {len(seen_ips)} unique IPs")
print(f"Enriched logs written to {output_file}")
# Usage:
# enrich_log_file('/var/log/nginx/access.log', '/var/log/enriched/access.json')
# Example enriched output:
"""
{
"timestamp": "2025-10-15T10:30:00",
"line_number": 1234,
"ip": "185.220.101.45",
"country": "Germany",
"city": "Frankfurt",
"isp": "Hetzner Online GmbH",
"asn": "AS24940",
"threat": {
"reports": 142,
"abuse_score": 85,
"severity": "high",
"categories": ["ssh_bruteforce", "port_scan"]
},
"original_log": "185.220.101.45 - - [15/Oct/2025:10:30:00] ..."
}
"""Example 5: Bulk IP Analysis
Analyze lists of IPs from firewall logs, user databases, or threat feeds. Generate security reports.
#!/usr/bin/env python3
"""
Bulk IP analysis tool.
Reads IPs from file, checks each against WAYSCloud, generates report.
"""
import requests
import csv
from collections import defaultdict
from datetime import datetime
def analyze_ip_list(ip_file, output_csv):
"""Analyze list of IPs and generate security report"""
stats = {
'total': 0,
'clean': 0,
'low_risk': 0,
'medium_risk': 0,
'high_risk': 0,
'critical': 0
}
countries = defaultdict(int)
threats_by_category = defaultdict(int)
results = []
with open(ip_file, 'r') as f:
ips = [line.strip() for line in f if line.strip()]
print(f"Analyzing {len(ips)} IP addresses...")
for ip in ips:
stats['total'] += 1
# Query WAYSCloud
response = requests.get(
f"https://api.ip.wayscloud.services/api/search/{ip}",
timeout=10
)
data = response.json()
threat = data.get('intelligence_data', {})
abuse_score = threat.get('abuse_score', 0)
# Classify risk (0-10 scale)
if abuse_score == 0:
risk_level = 'clean'
stats['clean'] += 1
elif abuse_score < 4.0:
risk_level = 'low'
stats['low_risk'] += 1
elif abuse_score < 6.0:
risk_level = 'medium'
stats['medium_risk'] += 1
elif abuse_score < 8.0:
risk_level = 'high'
stats['high_risk'] += 1
else:
risk_level = 'critical'
stats['critical'] += 1
# Track countries and categories
country = data.get('country', 'Unknown')
countries[country] += 1
for category in threat.get('categories', []):
threats_by_category[category] += 1
# Store result
results.append({
'ip': ip,
'country': country,
'isp': data.get('isp', 'Unknown'),
'risk_level': risk_level,
'abuse_score': abuse_score,
'reports': threat.get('total_reports', 0),
'categories': ', '.join(threat.get('categories', []))
})
# Write CSV report
with open(output_csv, 'w', newline='') as csvfile:
fieldnames = ['ip', 'country', 'isp', 'risk_level',
'abuse_score', 'reports', 'categories']
writer = csv.DictWriter(csvfile, fieldnames=fieldnames)
writer.writeheader()
for result in results:
writer.writerow(result)
# Print summary report
print("\n" + "="*60)
print("SECURITY ANALYSIS REPORT")
print("="*60)
print(f"\nTotal IPs Analyzed: {stats['total']}")
print(f"\nRisk Distribution:")
print(f" Clean: {stats['clean']:4d} ({stats['clean']/stats['total']*100:.1f}%)")
print(f" Low: {stats['low_risk']:4d} ({stats['low_risk']/stats['total']*100:.1f}%)")
print(f" Medium: {stats['medium_risk']:4d} ({stats['medium_risk']/stats['total']*100:.1f}%)")
print(f" High: {stats['high_risk']:4d} ({stats['high_risk']/stats['total']*100:.1f}%)")
print(f" Critical: {stats['critical']:4d} ({stats['critical']/stats['total']*100:.1f}%)")
print(f"\nTop 5 Countries:")
for country, count in sorted(countries.items(),
key=lambda x: x[1],
reverse=True)[:5]:
print(f" {country}: {count}")
print(f"\nTop Threat Categories:")
for category, count in sorted(threats_by_category.items(),
key=lambda x: x[1],
reverse=True)[:5]:
print(f" {category}: {count}")
print(f"\nDetailed report saved to: {output_csv}")
# Usage:
# analyze_ip_list('ips.txt', 'security_report.csv')Basic API Reference
For quick lookups and basic API operations:
# Get your IP
curl https://ip.wayscloud.services/ip
# Get IP details (JSON)
curl https://api.ip.wayscloud.services/api/search/8.8.8.8
# Get geolocation
curl https://ip.wayscloud.services/geo/1.1.1.1
# Get country code
curl https://ip.wayscloud.services/country/8.8.8.8
# Search IP for threats
curl https://ip.wayscloud.services/api/search/192.0.2.1
# Get live threat feed
curl https://ip.wayscloud.services/api/threats/live?time_range=1hScripts & Tools
Ready-to-use scripts and tools for various platforms and use cases.
Bash Script - IP Lookup
#!/bin/bash
# Quick IP lookup script
ip="${1:-$(curl -4 -s https://ip.wayscloud.services/ip)}"
curl -4 -s "https://api.ip.wayscloud.services/api/search/$ip" | jq .Python - Threat Intelligence Client
import requests
class WAYSCloudClient:
def __init__(self, api_token=None):
self.base_url = "https://ip.wayscloud.services"
self.api_token = api_token
def lookup_ip(self, ip):
response = requests.get(f"{self.base_url}/json/{ip}")
return response.json()
def report_threat(self, ip, category, comment="", severity="medium"):
headers = {"Authorization": f"Bearer {self.api_token}"}
data = {
"ip": ip,
"category": category,
"comment": comment,
"severity": severity,
"confidence": 0.9
}
response = requests.post(f"{self.base_url}/report",
headers=headers, json=data)
return response.json()
# Usage
client = WAYSCloudClient(api_token="wayscloud_...")
info = client.lookup_ip("8.8.8.8")
print(f"Country: {info['country']}")
print(f"Abuse Score: {info['intelligence_data']['abuse_score']}")Node.js - Threat Check Middleware
const axios = require('axios');
// Express middleware to check visitor IPs
async function checkThreatIntel(req, res, next) {
const ip = req.headers['x-forwarded-for']?.split(',')[0] || req.ip;
try {
const response = await axios.get(
`https://api.ip.wayscloud.services/api/search/${ip}`
);
const riskScore = response.data.intelligence_data?.abuse_score || 0;
if (riskScore > 7.0) {
return res.status(403).json({
error: "Access denied - High risk IP"
});
}
req.threatIntel = response.data.intelligence_data;
next();
} catch (error) {
console.error("Threat check failed:", error);
next(); // Continue on error
}
}
// Usage in Express
app.use(checkThreatIntel);
app.get('/api/secure', (req, res) => {
res.json({ threat: req.threatIntel });
});Nginx - Block High Risk IPs
# Use nginx auth_request module
location /api/ {
auth_request /threat-check;
# ... your config
}
location = /threat-check {
internal;
proxy_pass https://api.ip.wayscloud.services/api/search/$remote_addr;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}Webhooks (Coming Soon)
Real-time notifications for threat events relevant to your infrastructure.
Planned Features
Real-time Alerts
Get notified when IPs in your network receive abuse reports.
Custom Filters
Configure webhooks for specific countries, categories, or severity levels.
Slack Integration
Send threat alerts directly to your Slack channels.
Discord Bots
Automated threat notifications in your Discord server.
Webhook functionality is under development. Want early access? Contact us