At our network edge, we used a Fortigate firewall to block malicious IPs reported daily, often hundreds of addresses suspected of hacking attempts. We faced several challenges:
- Hosting the Blocklist: Fortigate required the Bad-IP list to be hosted on a web server (e.g., Nginx) to import and apply it.
- IP Reputation Uncertainty: Not all IPs were confirmed threats. We needed to verify them against AbuseIPDB before blacklisting.
- No Auto-Expiration: Fortigate lacked time-based blocking; once blocked, IPs remained indefinitely unless manually removed.
IPloader automates the process of validating, managing, and serving threat IP lists for Fortigate firewalls. It solves the challenges by:
- Validating IPs against AbuseIPDB to confirm threat reputation.
- Storing IPs in a SQLite database to prevent duplicates and manage expiration.
- Automatically removing expired IPs after a defined time.
- Serving the verified IP list via Nginx for Fortigate to import and block.
- Running as a systemd timer to update the list daily, with no manual effort.
IPloader is a tool that checks a list of IPs against AbuseIPDB to determine which IPs are confirmed threats. It then prepares the list for use with Fortigate firewalls and handles IP expiration automatically.
Use pip to install IPloader:
pip3 install iploader
Create a config.ini file in /opt/ with the following content:
[DEFAULT]
Description = IPloader
Version = 1.0
[conf]
Infile = /tmp/ip_list.txt
DBPath = /opt/data.db
Outfile = /var/www/html/ip.txt
ExpirationDays = 60
LogDest = /var/log/ip_loader.log
Token = <YOUR_ABUSEIPDB_TOKEN>
- Infile: CSV list of IPs to check against AbuseIPDB:
  1.1.1.1
  2.2.2.2
  3.4.5.2
  ...
- Outfile: File path where the validated IP list will be saved. This file is served by the web server.
- LogDest: File path for logging. All events are also displayed in the console.
- ExpirationDays: Set to 0 to disable expiration. IPs will remain until manually removed.
- DBPath: Location for the SQLite database.
- Token: Your AbuseIPDB API token.
IPloader reads IPs from the input file and checks each against AbuseIPDB.
Valid IPs are stored in a SQLite database with a timestamp.
On each run, it checks for expired IPs and removes them from the output list.
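The run described above, sketched as an added example (not IPloader's own code). The table name `blocked`, the `min_score` threshold, the `score_of` callable standing in for the AbuseIPDB lookup, and keeping an IP's original timestamp when it is reported again are assumptions; the example also skips malformed and non-public addresses, which this README does not describe.

```python
import ipaddress
import sqlite3
import time

DAY = 86400  # seconds

def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    # PRIMARY KEY on ip is what prevents duplicates across runs.
    db.execute("CREATE TABLE IF NOT EXISTS blocked (ip TEXT PRIMARY KEY, added REAL NOT NULL)")
    return db

def parse_candidates(lines):
    """Yield normalized public IPs; skip blanks, garbage and non-global addresses."""
    for line in lines:
        try:
            ip = ipaddress.ip_address(line.strip())
        except ValueError:
            continue
        if ip.is_global:  # never blocklist RFC 1918, loopback, link-local, etc.
            yield str(ip)

def update(db, lines, score_of, min_score=50, expiration_days=60, now=None):
    """One run: expire old rows, add newly confirmed IPs, return the list to serve."""
    now = time.time() if now is None else now
    if expiration_days > 0:  # 0 disables expiration, as with ExpirationDays
        db.execute("DELETE FROM blocked WHERE added < ?", (now - expiration_days * DAY,))
    for ip in parse_candidates(lines):
        known = db.execute("SELECT 1 FROM blocked WHERE ip = ?", (ip,)).fetchone()
        if known:
            continue  # already listed: keep its timestamp and skip the lookup
        if score_of(ip) >= min_score:
            db.execute("INSERT INTO blocked (ip, added) VALUES (?, ?)", (ip, now))
    db.commit()
    return [row[0] for row in db.execute("SELECT ip FROM blocked ORDER BY ip")]

# Constructed sample data: the scores are made up for illustration only.
SAMPLE_SCORES = {"1.1.1.1": 0, "2.2.2.2": 100, "3.4.5.2": 75}
SAMPLE_INPUT = ["2.2.2.2", "1.1.1.1", "3.4.5.2", "10.0.0.5", "not-an-ip", "2.2.2.2", ""]

if __name__ == "__main__":
    db = open_db()
    print("\n".join(update(db, SAMPLE_INPUT, lambda ip: SAMPLE_SCORES.get(ip, 0))))
```

Skipping the lookup for addresses already in the database also reduces the number of AbuseIPDB API requests per run.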
To use expiration, schedule the script via cron or systemd to run daily.
1. Create the service file:
sudo vim /lib/systemd/system/iploader.service
[Unit]
Description=IPloader Service
[Service]
Type=simple
ExecStart=/usr/local/bin/iploader
2. Create the timer file:
sudo vim /lib/systemd/system/iploader.timer
[Unit]
Description=Daily run for IPloader
[Timer]
OnCalendar=daily
RandomizedDelaySec=12h
Persistent=true
[Install]
WantedBy=timers.target
3. Reload systemd and enable the timer:
sudo systemctl daemon-reload
sudo systemctl enable --now iploader.timer
Pull requests are welcome! For major changes, please open an issue first to discuss what you’d like to change.