A read-only feed of malicious source IPs collected from multiple hosts'
logs (SSH / MySQL / web probes), aggregated per attacker IP and geolocated.
All endpoints are GET, need no auth, and send
Access-Control-Allow-Origin: *.
The main data feed: one row per (report date, IP) in the window,
ordered by date then attempts. Default format=json. By default it returns
the whole window (up to 20,000 rows); for larger
windows, page with limit + offset.
| param | type | default | meaning |
|---|---|---|---|
| days | int 1–90 | 7 | look-back window (whole days) |
| source | ssh \| mysql \| web | all | filter by source (400 if invalid) |
| limit | int 1–20000 | 20000 (full window) | rows per page |
| offset | int ≥0 | 0 | skip N rows (for paging) |
| format | json \| csv | json | response format |
| fields | csv list | preset | columns for csv/json projection (see below) |
Example request: /risk-ip?days=30&source=ssh&limit=100
Example response — illustrative placeholder values, not live data:
{
  "generated": "<ISO-8601 timestamp>",
  "days": 7, "source": null, "count": 123, "limit": 20000, "offset": 0,
  "stats": { "unique_ips": 1000, "total_attempts": 50000, "high": 50, "countries": 25 },
  "countries": [ { "country_code": "XX", "country": "Example", "attempts": 9999, "ips": 100 } ],
  "rows": [
    {
      "log_date": "YYYY-MM-DD", "ip": "203.0.113.10",
      "attempts": 999, "sources": "ssh,web", "categories": "ssh_bruteforce,web_env",
      "nsrc": 2, "reporters": 3, "last_seen": "YYYY-MM-DD HH:MM:SS",
      "country": "Example", "country_code": "XX",
      "lat": 0.0, "lon": 0.0, "risk": "HIGH", "risk_color": "#dc2626"
    }
  ]
}
stats holds window-wide totals (computed across the whole window,
not just the returned rows): unique_ips, total_attempts,
high (count of HIGH-risk IPs), countries. The countries
array lists the top countries by attempts across the window
(country_code, country, attempts, ips).
The rows array holds the top limit rows, ordered by date then attempts.
stats and countries are omitted for format=csv.
Field names available to fields=:
log_date, ip, attempts, sources, categories, nsrc, reporters, last_seen, country, country_code, risk.
Just the distinct attacker IPs, threat-ranked (most attempts first) — handy for blocklists / firewall imports.
| param | type | default | meaning |
|---|---|---|---|
| source | ssh \| mysql \| web | all | filter by source |
| limit | int 1–50000 | 50000 (full list) | page size |
| offset | int ≥0 | 0 | page offset |
| format | json \| csv | json | JSON array, or one IP per line |
Example: /ip_only?format=csv&limit=5000 → ip header then one IP per line.
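An added example (not code from this feed or its operator) of sanitizing an /ip_only?format=csv body before a firewall import: every line is strictly parsed as an IP address, internal and allowlisted ranges are dropped so the import cannot lock out your own hosts, and only the canonical address form is passed on. The function name, the NEVER_BLOCK list, the 198.51.100.0/24 allowlist and the sample body are assumptions constructed for illustration.

```python
import ipaddress

# Ranges that must never reach a deny rule (assumption: adjust per site).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample body: "ip" header, then one IP per line (not live data).
SAMPLE_BODY = """ip
203.0.113.10
198.51.100.7
203.0.113.10
10.0.0.5
not-an-ip; flush ruleset
192.0.2.44
2001:db8::1
"""

def parse_ip_only_csv(body, allowlist=()):
    """Return (kept, rejected); kept preserves the feed's rank order."""
    skip = NEVER_BLOCK + [ipaddress.ip_network(n) for n in allowlist]
    kept, rejected, seen = [], [], set()
    lines = body.splitlines()
    if lines and lines[0].strip().lower() == "ip":
        lines = lines[1:]                      # drop the header row
    for raw in lines:
        text = raw.strip()
        if not text:
            continue
        try:
            addr = ipaddress.ip_address(text)  # strict parse, no hostnames
        except ValueError:
            rejected.append((text, "not an IP address"))
            continue
        if any(addr in net for net in skip):
            rejected.append((text, "protected range"))
            continue
        if addr not in seen:                   # defensive: do not assume distinct
            seen.add(addr)
            kept.append(addr)
    return kept, rejected

if __name__ == "__main__":
    kept, rejected = parse_ip_only_csv(SAMPLE_BODY, allowlist=["198.51.100.0/24"])
    print("block:", ", ".join(str(a) for a in kept))  # canonical form only
    for text, why in rejected:
        print("skip :", repr(text), "-", why)
```

Logging the rejected list on each import makes a malformed or tampered feed body visible instead of silently shrinking the blocklist.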
The HTML dashboard. It loads its data asynchronously from /risk-ip,
draws up to 500 IPs on the map, and paginates the table 50 rows per page.
Per IP: score = attempts + (sources−1)×200 + (reporters−1)×100.
If one of your addresses appears here in error and you'd like it removed, email 世界第一好吃 <admin@ivjn.us> with the IP address. Please send from an address you can prove control of.