At FraudGuard.io, we offer a comprehensive suite of APIs designed to help businesses protect their infrastructure from malicious IP addresses. For Enterprise customers, our Raw IP Lists API provides real-time access to IPs associated with threats such as anonymous activity, botnets, and more.

In this blog post, we’ll walk you through a sample Bash script that fetches malicious IPs from the FraudGuard.io API, stores them in a flat file, creates a fresh IP set and automatically updates an AWS WAFv2 IP Set using the AWS CLI. This script can be run on an hourly basis (or any interval you prefer) to keep your WAF updated with the latest IPs flagged by FraudGuard.io.

Before You Begin

Please note: the Raw IP Lists API is only available to Enterprise customers on FraudGuard.io.

Sample Code to Get Started

Below is a sample script that demonstrates how you can integrate FraudGuard.io’s Raw IP Lists API directly into your AWS infrastructure via AWS WAFv2.

This example covers INSERTING IP addresses into an AWS WAF IP set. However, the script does not handle DELETING old IP addresses, so you will need to delete the existing IP ruleset and start with a fresh IP ruleset for each hourly cron run.

Additionally, this script only retrieves the top 1000 IPs from the FraudGuard.io Raw IP Lists API, but you can loop through the entire dataset using limit and offset parameters, as described in the API documentation.

Step 1: Fetch IPs from FraudGuard.io’s API

We use curl to fetch the list of IPs in JSON format. The IPs are stored in a flat file for processing. You’ll need to update the FraudGuard.io credentials.

#!/bin/bash

# Fraudguard.io credentials
USERNAME=""
PASSWORD=""

# Fraudguard.io API endpoint for raw IP lists (limit=1000 is the per-request maximum)
URL="https://worker.fraudguard.io/raw-lists-by-threat/honeypot_tracker?offset=0&limit=1000&cidr=false&ipv6=false"

# File to store the fetched IP list
IP_FILE="fraudguard_ips.json"

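# Fetch IP list from Fraudguard.io and save to file
# --fail makes curl exit non-zero on HTTP errors (such as 401) instead of saving the error body
curl --fail -u "$USERNAME:$PASSWORD" "$URL" -o "$IP_FILE"

if [ $? -eq 0 ]; then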
    echo "Successfully fetched IPs and saved to $IP_FILE"
else
    echo "Failed to fetch IPs from Fraudguard.io"
    exit 1
fi

# Extract the IPs from the JSON file and save to a flat file
jq -r '.[]' "$IP_FILE" > fraudguard_ips.txt

if [ $? -eq 0 ]; then
    echo "Successfully extracted IPs and saved to fraudguard_ips.txt"
else
    echo "Failed to extract IPs from JSON"
    exit 1
fi

Step 2: Create a New AWS WAFv2 IP Set

Now, let’s create an AWS WAFv2 IP Set using AWS CLI. You’ll need to specify the scope of the WAF, region, name and description.

#!/bin/bash

# Define the name, description, and scope of the new WAFv2 IP set
IP_SET_NAME="FraudguardIPSet"
IP_SET_DESC="IP set created with Fraudguard.io IP data"
SCOPE="REGIONAL"  # Use 'CLOUDFRONT' for CloudFront WAF, 'REGIONAL' for Regional WAF
REGION="us-east-1"  # Specify your AWS region

# Create the IP set and capture the IP set ARN
IP_SET_ARN=$(aws wafv2 create-ip-set --name "$IP_SET_NAME" \
                                     --scope "$SCOPE" \
                                     --description "$IP_SET_DESC" \
                                     --ip-address-version IPV4 \
                                     --addresses [] \
                                     --region "$REGION" \
                                     --output text --query 'Summary.ARN')

if [ -n "$IP_SET_ARN" ]; then
    echo "Successfully created IP set: $IP_SET_ARN"
else
    echo "Failed to create IP set"
    exit 1
fi

Step 3: Update AWS WAFv2 IP Set with the Fraudguard.io IPs

This step reads the IP addresses from the flat file, converts them to CIDR format, and updates the AWS WAFv2 IP set with those addresses. You’ll need to specify the scope of the WAF, WAF ID created above, region, name and description.

#!/bin/bash

# AWS WAFv2 IP set name and ID (the ID is the last path segment of the ARN printed in Step 2)
IP_SET_NAME="FraudguardIPSet"
IP_SET_ID="18f18f7f-a023-42a2-8562-a2396921615c"
SCOPE="REGIONAL"  # Use 'CLOUDFRONT' for CloudFront WAF, 'REGIONAL' for Regional WAF
REGION="us-east-1"
IP_FILE="fraudguard_ips.txt"

# Prepare the list of IPs in CIDR format (blank lines are skipped)
IPS_TO_ADD=()
while IFS= read -r ip; do
    [ -n "$ip" ] && IPS_TO_ADD+=("$ip/32")
done < "$IP_FILE"

# Get the AWS WAFv2 lock token (needed to update the IP set)
LOCK_TOKEN=$(aws wafv2 get-ip-set --name "$IP_SET_NAME" \
                                  --scope "$SCOPE" \
                                  --id "$IP_SET_ID" \
                                  --region "$REGION" \
                                  --query 'LockToken' --output text)

# Update the IP set with the new IPs and report success only if the call succeeded
if aws wafv2 update-ip-set \
    --name "$IP_SET_NAME" \
    --scope "$SCOPE" \
    --id "$IP_SET_ID" \
    --lock-token "$LOCK_TOKEN" \
    --addresses "${IPS_TO_ADD[@]}" \
    --region "$REGION"; then
    echo "Successfully updated AWS WAFv2 IP set with Fraudguard.io IPs."
else
    echo "Failed to update AWS WAFv2 IP set"
    exit 1
fi
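
Step 3 passes every line of the flat file to update-ip-set, so a malformed entry, a duplicate or an address from your own network in the feed goes straight into the block list. The following is an added example, not part of the original FraudGuard.io script: a filter that validates, de-duplicates and caps the list before it reaches the WAF. The function name sanitize_ips, the allowlist file and the cap of 2 used in the demo are assumptions for illustration, and the sample addresses are constructed.

```sh
#!/bin/sh
# Added example (not from the original post): sanitize the feed before update-ip-set.
# sanitize_ips and its two arguments are names made up for this example.

# stdin: one IPv4 address per line. stdout: validated, de-duplicated /32 CIDRs.
# $1 = allowlist file (addresses that must never be blocked), $2 = max entries.
sanitize_ips() {
    awk -v allowfile="$1" -v max="$2" '
        BEGIN {
            # Load the allowlist (own NAT gateways, monitoring probes, partners)
            while ((getline line < allowfile) > 0) allow[line] = 1
        }
        {
            gsub(/[ \t\r]/, "")                    # tolerate CRLF and stray blanks
            if (split($0, o, ".") != 4) { bad++; next }
            for (i = 1; i <= 4; i++)               # decimal 0-255, no leading zeros
                if (o[i] !~ /^(0|[1-9][0-9]*)$/ || o[i] + 0 > 255) { bad++; next }
            # Non-routable space has no place in a block list of internet sources
            if (o[1] == 0 || o[1] == 10 || o[1] == 127 || o[1] >= 224 ||
                (o[1] == 172 && o[2] >= 16 && o[2] <= 31) ||
                (o[1] == 192 && o[2] == 168) ||
                (o[1] == 169 && o[2] == 254)) { bad++; next }
            if ($0 in allow) { skipped++; next }
            if (seen[$0]++) next                   # de-duplicate
            if (kept >= max) { over++; next }      # stay under the IP set size limit
            kept++
            print $0 "/32"
        }
        END {
            printf "kept=%d invalid=%d allowlisted=%d over_limit=%d\n",
                   kept, bad, skipped, over > "/dev/stderr"
        }
    '
}

# Constructed sample: documentation-range addresses plus deliberately bad lines
demo() {
    allow=$(mktemp)
    printf '198.51.100.7\n' > "$allow"
    { printf '203.0.113.5\n203.0.113.5\r\n198.51.100.7\n10.0.0.8\n'
      printf '999.1.1.1\nnot-an-ip\n\n203.0.113.9\n192.0.2.44\n'; } |
        sanitize_ips "$allow" 2
    rm -f "$allow"
}

demo
```

To use it in Step 3, read the loop's input from `sanitize_ips allowlist.txt 10000 < fraudguard_ips.txt` and drop the "/32" suffix in the loop, since the filter already adds it. The cap of 10000 is an assumed value; check the current AWS WAF quota for addresses per IP set.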

A Note on IP Set Management

This sample script focuses on inserting new IPs into the AWS WAF IP set, but it does not handle deleting older IPs. AWS WAF IP sets have size limits, so to prevent hitting the limit, we recommend trashing the current ruleset and starting with a new IP ruleset for each hourly cron job.

Additionally, if you want to retrieve more than 1000 IPs, you can loop through the entire dataset by using limit and offset parameters in the API request. FraudGuard.io allows up to 1000 IPs per request, and the total count of results is available via the X-Total-Count response header. You can adjust the offset parameter to paginate through the data as needed.
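
The pagination described above, as an added example that is not part of the original FraudGuard.io script: it requests pages of 1000 with increasing offset and stops once the offset passes the value of the X-Total-Count header. The function names and the FRAUDGUARD_USERNAME / FRAUDGUARD_PASSWORD environment variables are assumptions for illustration; the endpoint and query parameters are the ones used in Step 1.

```sh
#!/bin/sh
# Added example (not from the original post): page through the Raw IP Lists API.
# fetch_page, total_from_headers, fetch_all and the FRAUDGUARD_* variables are
# names made up for this example.

BASE_URL="https://worker.fraudguard.io/raw-lists-by-threat/honeypot_tracker"
PAGE_SIZE=1000   # maximum per request, per the post

# fetch_page OFFSET BODY_FILE HEADER_FILE: one request, response headers saved via -D
fetch_page() {
    curl --fail --silent --show-error \
         -u "$FRAUDGUARD_USERNAME:$FRAUDGUARD_PASSWORD" -D "$3" -o "$2" \
         "$BASE_URL?offset=$1&limit=$PAGE_SIZE&cidr=false&ipv6=false"
}

# Print the X-Total-Count value; header names are case-insensitive and end in CR
total_from_headers() {
    awk -F': *' 'tolower($1) == "x-total-count" { sub(/\r$/, "", $2); print $2; exit }' "$1"
}

# fetch_all OUT_FILE: append every page to OUT_FILE, one IP per line
fetch_all() {
    out="$1"; offset=0
    body=$(mktemp); hdrs=$(mktemp)
    : > "$out"
    while :; do
        fetch_page "$offset" "$body" "$hdrs" && jq -r '.[]' "$body" >> "$out" ||
            { rm -f "$body" "$hdrs"; return 1; }   # abort on any failed page
        total=$(total_from_headers "$hdrs")
        offset=$((offset + PAGE_SIZE))
        # Stop if the header is missing or non-numeric, or the last page was read
        case "$total" in ''|*[!0-9]*) break ;; esac
        [ "$offset" -ge "$total" ] && break
    done
    rm -f "$body" "$hdrs"
}

# Runs only when credentials are supplied through the environment
if [ -n "${FRAUDGUARD_USERNAME:-}" ]; then
    fetch_all fraudguard_ips.txt
fi
```

If fetch_all returns non-zero, the output file holds only the pages fetched before the failure, so skip the WAF update for that run rather than pushing a partial list.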

Conclusion

This sample script provides a foundation for integrating FraudGuard.io into your AWS infrastructure via AWS WAFv2. Using this approach, you can ensure that your web applications are protected from malicious IP addresses flagged by our system. For more advanced configurations or support, please consult our API documentation or reach out to our team.

Ready to protect your infrastructure with real-time threat data? Sign up for the FraudGuard.io Enterprise plan to gain access to the Raw IP Lists API and start integrating today!

For further reading, check out:

FraudGuard.io API Documentation

AWS WAFv2 Documentation