IRDB collects abuse reports from your web servers, mail servers and intrusion detectors, then hands every firewall and proxy a tailored block list shaped to its needs. One place to gather signal. One list per system to defend. No more copy-paste between machines.
Most teams already block bad IP addresses — but each server, each firewall, each plugin keeps its own list. Lists go stale, knowledge stays trapped in one machine, and an attack already seen by your web server walks straight through your mail gateway. IRDB turns that scattered information into one shared, up-to-date defence layer.
Web servers, mail servers, fail2ban, intrusion detectors, custom scripts — anything that spots an attack can report it through one simple endpoint.
Each report has a weight, an age and a category. IRDB turns those into a reputation score per IP that fades over time, so old noise drops away on its own.
Your edge firewall might want strict blocking, your mail relay only spam-related sources. Each consumer gets a list tailored by a named policy you control.
IRDB sits in the middle of two flows you already have: machines that see attacks, and machines that block them. Below is the same picture, in plain steps.
Every server, service or device that can detect an attack is a reporter — for example a web server seeing brute-force attempts, a mail relay spotting spam, or an intrusion detector. Each reporter gets a name, a trust weight (how much you believe its reports) and a token.
When a reporter spots a bad IP, it sends a small message to IRDB: which IP, which kind of attack, and any helpful context. The work for your operations team is one-time: drop a small script or plugin into the reporter, and it streams events from then on.
A policy describes the kind of list a system should receive — for example, "block anything with high spam score" or "block strict: anything reported for brute force, scanning, or web attacks". You design these once with your team, and adjust thresholds visually at any time.
Every firewall, proxy or load balancer that should defend itself becomes a consumer. You assign it a policy and give it a token. From then on, the consumer pulls a fresh, tailored block list at an interval you choose (typically every minute or two).
The dashboard shows what is being seen and what is being blocked. Operators can promote individual IPs to permanent blocks, allowlist trusted partners to never be blocked by mistake, and inspect the full history of any address. Every change is recorded in an audit log.
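The flow described above (weighted reports, scores that fade with age, one list per named policy) sketched as an added example; it is not IRDB's own code or scoring formula. The exponential half-life, the category and policy names, the thresholds and the rule that the allowlist wins over a manual block are all assumptions, and every report is constructed.

```python
# Illustrative model only: IRDB's real scoring formula is not given on this page.
HALF_LIFE_H = 72.0  # assumption: a report loses half its weight every 72 hours

# Constructed reports: (ip, category, reporter trust weight, age in hours)
REPORTS = [
    ("203.0.113.7", "brute_force", 1.0, 1),
    ("203.0.113.7", "brute_force", 0.5, 30),
    ("203.0.113.7", "spam", 1.0, 400),
    ("198.51.100.9", "spam", 1.0, 2),
    ("198.51.100.9", "spam", 0.8, 5),
    ("192.0.2.44", "scanning", 1.0, 720),   # a month old: should fade out
    ("192.0.2.80", "web_attack", 1.0, 3),   # fresh, but allowlisted below
]

# Constructed policies: which categories count, and the score needed to list an IP
POLICIES = {
    "edge-strict": {"categories": {"brute_force", "scanning", "web_attack"},
                    "threshold": 0.5},
    "mail-spam": {"categories": {"spam"}, "threshold": 1.5},
}
ALLOWLIST = {"192.0.2.80"}        # trusted partner: never listed
MANUAL_BLOCKS = {"192.0.2.200"}   # operator-promoted: listed regardless of score


def scores(reports, half_life=HALF_LIFE_H):
    """Return {ip: {category: score}}; each report adds weight * 0.5**(age/half_life)."""
    out = {}
    for ip, category, weight, age_h in reports:
        per_ip = out.setdefault(ip, {})
        decayed = weight * 0.5 ** (age_h / half_life)
        per_ip[category] = per_ip.get(category, 0.0) + decayed
    return out


def block_list(policy_name, reports):
    """Build the sorted list a consumer with this policy would pull."""
    policy = POLICIES[policy_name]
    listed = set(MANUAL_BLOCKS)
    for ip, per_category in scores(reports).items():
        # Only the categories named by the policy count toward its threshold.
        total = sum(s for c, s in per_category.items() if c in policy["categories"])
        if total >= policy["threshold"]:
            listed.add(ip)
    # Assumption: the allowlist takes precedence over scores and manual blocks.
    return sorted(listed - ALLOWLIST)


if __name__ == "__main__":
    for name in POLICIES:
        print(name, block_list(name, REPORTS))
```

The same report set yields different lists per policy: the month-old scan has decayed below the strict threshold, and the single stale spam report against 203.0.113.7 does not put it on the mail relay's list.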
The web interface is built for daily use by ops and security teams — clear lists, fast search, visual feedback, light and dark mode. Here is what you actually see when you log in.
One glance gives you the live picture: how many reports are flowing in, which categories of attack dominate today, which sources are the busiest, and which consumers are actually pulling their lists.
Find any address by score, country, network owner or attack category. Sort, filter and drill in with one click. Useful for incident response ("did we ever see this IP before?") and for the ops team's monthly reviews.
Open any IP to see who reported it, when, for what, with what context. You see the score per category, geographical and network owner information, manual block status, and the complete timeline of events.
A policy is just a recipe: which categories matter, and how strict the threshold is. Adjust them with a slider, see immediately how many addresses would be on the resulting list, and ship the change to all matching consumers without a deploy.
Every administrative action — token created, IP allowlisted, policy edited, user role changed — is recorded with who, when and what. The audit log keeps your team aligned with internal compliance and gives security a clean trail when something needs review.
Light to run, simple to integrate, no vendor lock-in.
IRDB ships as a Docker Compose stack. If you have Docker, you have everything you need. The default storage is a small embedded database — no external services required to get started.
Three commands. Then visit http://localhost:8080 to log in.
Source code, full documentation and release notes live at git.chiapparini.org/chiappa/irdb.
    # 1. clone
    git clone https://git.chiapparini.org/chiappa/irdb
    cd irdb

    # 2. configure (generate a few secrets)
    cp .env.example .env
    $EDITOR .env

    # 3. run
    docker compose up -d