
There are several great APIs available for threat intel. AbuseIP is one of them, and the big sell is that it is free!
Calling their API directly is always an option; however, for this post I am going to build my own API and include theirs. In doing so, I can then build on it and incorporate multiple APIs to enrich the data.
Let us start with the basics…
First, you need a host. I like to use a cloud hosting service. I use IONOS as it is cheap and cheerful, but you can also get a free tier from other cloud providers such as Azure and AWS.
On IONOS, my "Dev" hosts cost around £3 per month per host.

For this, I am going to use a low-spec Debian host. Once you have connected, install the following:

Once you've done the above, create an app folder and, inside it, a Python file named main.py (you need to create this yourself):

Then create your server.py file, which can stay in the main directory.

Optional:
If you want to run your FastAPI app over HTTPS, you will need a certificate. Certbot is the easiest method, and instructions can be found here: https://certbot.eff.org/instructions?ws=other&os=debianbuster
Once you have your key files, you can reference them later within server.py:

Now that we have the basics done, let's get to work.
Edit your main.py file and add the following: Code on Github

Let's break that down so we know what's what.
In this section, I am importing all the libraries I need:

Here I am defining the app and running a simple HTML page on the default path:

You don't need this, by the way, but as an example:

Here is our code for the AbuseIP part. Notice @app.get('/abuse/{abip}'). You can name the path whatever you like; if this is new to you, here is what each piece means.
The @app.get decorator registers a handler for a GET request.
The '/abuse/' section is the URL path, so in this instance the handler runs once a user has requested https://antler.xstag0.com:300/abuse/XXX
The {abip} is the path variable supplied by the user. We use this to check what the user has entered.
It is then passed into the handler as async def abusescan(abip: str):

For this I've chosen to use httpx, although there are multiple options. If you are following along and implementing this, you will need to replace the contents with your own key (found on your AbuseIP account).

Once you've added or created your main.py (the API), let's run it. For this, simply run:


A simple test is to load the URL in your browser to confirm it works:

That's it. You now have a simple API you can build upon. For instance, you could create a PowerShell function such as: Code on Github

This would allow your users to query single or multiple IPs at once without needing a central script or holding the API key themselves.
Get a single IP:

Get multiple IPs:

You could also use it to enrich data within your security platforms. If your XDR or EDR, for instance, supports web hooks, you can use your API to return the necessary data and automate part of your incident response.
You will need to do some parsing and filtering on the API side, as some solutions push the full JSON alert, but once done it could benefit you in the long run.
Just before I end, it's worth adding some recommendations:
· Don't run it as root.
· Restrict inbound requests with a firewall where possible.
· Do not store the API keys within the production code.
· Have fun with it.
The last point is the main thing. If you are curious enough, you might be able to build something cool. Although it may be basic, FastAPI or Flask do allow you to combine solutions and create something special.