How to Share Threat Intelligence: AbuseIPDB + Cloudflare Automatic Blocking
Your server blocks an attacker. Good. What happens to the next server they hit? Nothing. The attacker moves on and tries the exact same thing against someone else's infrastructure. Unless you share what you know.
Most security setups are isolated. Each server defends itself and tells no one. The attacker gets blocked once and tries a thousand more targets. Threat intelligence sharing breaks this pattern: when you report an attacker, every server that checks the database benefits.
The collective defense loop
The idea is simple but powerful: detect, block, report, protect others. When enough servers participate, attackers run out of targets fast.
- Inner Warden identifies the attack: SSH brute-force, port scan, web scanner, credential stuffing.
- The attacker IP is blocked at the firewall (ufw, iptables, nftables, or pf) with a cleanup TTL.
- The block is reported to AbuseIPDB with attack category, evidence, and timestamp. Every server querying AbuseIPDB now knows this IP is malicious.
- The block is pushed to Cloudflare WAF. If you use Cloudflare, the attacker is stopped at the edge before reaching any of your domains.
Automatic AbuseIPDB reporting
AbuseIPDB is a public database of reported malicious IPs. Security tools and firewalls worldwide query it to check whether an IP has been flagged. The more reports an IP has, the higher its confidence score and the more likely other systems will preemptively block it.
Inner Warden reports every block to AbuseIPDB automatically. When the agent executes a block-ip skill, it sends a structured report with:
- The attacker IP and the attack category (SSH brute-force, port scan, web attack, etc.)
- A description with evidence: number of attempts, detection source, timestamps
- The MITRE ATT&CK technique ID where applicable
You get a free API key from AbuseIPDB (1,000 reports/day on the free tier). Inner Warden also uses AbuseIPDB for enrichment. Before blocking, it checks the attacker's existing reputation to add context to the AI's decision.
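A sketch of what such a structured report looks like on the wire, as an added example (not Inner Warden's own code). It builds the form fields for AbuseIPDB's public API v2 report endpoint, refuses addresses that are not globally routable, and redacts local hostnames and usernames because report comments are public. The function names, the sample evidence string, and the API key placeholder are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone
from urllib.parse import urlencode
from urllib.request import Request

REPORT_URL = "https://api.abuseipdb.com/api/v2/report"
# AbuseIPDB category IDs: 14 Port Scan, 18 Brute-Force, 21 Web App Attack, 22 SSH
CATEGORIES = {"ssh-bruteforce": (18, 22), "port-scan": (14,), "web-attack": (21,)}
MAX_COMMENT = 1024  # AbuseIPDB truncates longer comments

def scrub(text, private_terms):
    """Redact our own hostnames/usernames; report comments are publicly visible."""
    for term in private_terms:
        text = re.sub(re.escape(term), "[redacted]", text, flags=re.IGNORECASE)
    return text

def build_report(ip, attack, evidence, seen_at, private_terms=(), require_global=True):
    """Return the form fields for one report, or raise ValueError."""
    addr = ipaddress.ip_address(ip)  # rejects malformed input
    if require_global and not addr.is_global:
        # NAT, loopback, or proxy addresses parsed from logs must never be reported
        raise ValueError(f"{addr} is not a globally routable address")
    if seen_at.tzinfo is None:
        raise ValueError("seen_at must be timezone-aware")
    return {
        "ip": str(addr),
        "categories": ",".join(str(c) for c in CATEGORIES[attack]),
        "comment": scrub(evidence, private_terms)[:MAX_COMMENT],
        "timestamp": seen_at.astimezone(timezone.utc).isoformat(timespec="seconds"),
    }

def to_request(fields, api_key):
    """Build (but do not send) the POST; pass to urllib.request.urlopen to submit."""
    return Request(REPORT_URL, data=urlencode(fields).encode(), method="POST",
                   headers={"Key": api_key, "Accept": "application/json"})

if __name__ == "__main__":
    # Constructed sample: the page's example IP is in a documentation range,
    # so the routability check is relaxed here for the demo only.
    fields = build_report(
        "203.0.113.87", "ssh-bruteforce",
        "SSH brute-force: 42 failed logins as deploy on prod-db-01 (T1110)",
        datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
        private_terms=["prod-db-01", "deploy"], require_global=False)
    print(fields)
    print(to_request(fields, "YOUR_API_KEY").full_url)
```

With the default `require_global=True`, the same call raises `ValueError`, which is the behaviour you want for addresses such as 10.0.0.5 or 127.0.0.1 that leak into logs from proxies and NAT.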
Real example from production
The IP 203.0.113.87 was detected running an SSH brute-force attack against our production server. Here is the full chain:
The AbuseIPDB report is publicly visible. Other servers querying 203.0.113.87 now see our report alongside 847 others. The Cloudflare WAF rule means this IP cannot even establish a TCP connection to our web properties.
Cloudflare WAF automatic blocking
If you use Cloudflare for any of your domains, Inner Warden can push block rules directly to your Cloudflare WAF. This adds a second layer: the attacker is blocked at the firewall on your server and at the Cloudflare edge before traffic reaches you.
This is particularly useful for web-facing services. An attacker who brute-forces SSH might also target your web application. Pushing the block to Cloudflare stops them across all your domains, not just the server that detected them.
Inner Warden uses the Cloudflare API to manage a WAF list of blocked IPs. Entries are added when an IP is blocked and removed when the cleanup TTL expires, keeping the list current and the Cloudflare dashboard clean.
Set it up
Start by installing Inner Warden if you have not already:
curl -fsSL https://innerwarden.com/install | sudo bash
Enable AbuseIPDB integration. The wizard asks for your API key:
innerwarden integrate abuseipdb
Enable Cloudflare WAF integration. You need your Cloudflare API token and zone ID:
innerwarden integrate cloudflare
Both integrations work independently. You can enable one or both. After setup, every block action automatically triggers reports and WAF updates with zero manual intervention.
Why sharing matters
Security is not a single-server problem. Attackers operate at scale, scanning thousands of IPs per hour using automated tools. The only way to match that scale defensively is collective intelligence.
Every report you submit to AbuseIPDB makes the database more accurate. Every accurate report means another server blocks the attacker proactively instead of reactively. The math is straightforward: the more servers that share, the faster the internet gets safer for everyone.
Inner Warden makes this automatic. You do not need to remember to report, copy-paste IPs, or fill out forms. The agent handles it every time a block executes.
What to do next
Threat intelligence sharing is most effective when paired with strong local detection:
- SSH brute-force detection - the most common attack type and the best source of high-confidence reports.
- SSH honeypot - capture attacker behavior and report honeypot visitors to AbuseIPDB with detailed evidence.
- All use cases - see every attack type Inner Warden detects, from port scans to sudo abuse to web scanner probes.