
AbuseIPDB MCP Server

Provides up-to-date AbuseIPDB lookups for IP reputation checks, CIDR analysis, and blacklists with caching and rate limiting.

Installation
Add the following to your MCP client configuration file.

Configuration

```json
{
  "mcpServers": {
    "alephnan-abuseipdb-mcp": {
      "command": "python",
      "args": [
        "scripts/start_mcp_server.py"
      ],
      "env": {
        "LOG_LEVEL": "INFO",
        "DAILY_QUOTA": "1000",
        "MAX_AGE_DAYS": "30",
        "CACHE_DB_PATH": "./cache.db",
        "ABUSEIPDB_API_KEY": "YOUR_API_KEY",
        "ALLOW_PRIVATE_IPS": "false",
        "CONFIDENCE_THRESHOLD": "75"
      }
    }
  }
}
```

This MCP server provides threat intelligence lookups against AbuseIPDB. It lets clients perform IP reputation checks, analyze CIDR blocks, and access curated blacklists, with caching and rate limiting, so you can build proactive security workflows on a reliable data source.

How to use

Use this MCP server to perform IP reputation checks, examine entire network ranges, and retrieve up-to-date AbuseIPDB blacklists. You can also analyze logs to extract IPs and run bulk checks for multiple addresses. All actions respect built-in caching and rate limiting to minimize API usage.

How to install

Prerequisites: Python 3.11 or higher and an AbuseIPDB API key.

Step 1: Set up your environment by preparing an API key file if you prefer a local configuration.

Step 2: Clone the project directory and install the package.

```bash
# Clone the project
git clone <repository-url>
cd AbuseIPDB-MCP

# Install the package
pip install -e .

# Copy and edit environment file
cp .env.example .env
# Edit .env and add your ABUSEIPDB_API_KEY
```

Additional configuration and usage notes

All configuration is done via environment variables. Copy .env.example to .env and customize the variables. The primary required setting is ABUSEIPDB_API_KEY. Optional settings include MAX_AGE_DAYS, CONFIDENCE_THRESHOLD, DAILY_QUOTA, CACHE_DB_PATH, LOG_LEVEL, and ALLOW_PRIVATE_IPS.

Security and performance considerations

- API key protection: never expose your AbuseIPDB API key.
- Private IP filtering: private addresses are blocked by default to avoid leaking internal information.
- Rate limiting: quotas are enforced to prevent abuse.
- Input validation: all inputs are sanitized to reduce risk.
- Caching: a SQLite-backed cache reduces API calls and improves response times.

Usage examples

Basic IP check: evaluate the reputation of a single IP like 8.8.8.8.

Log analysis: extract and analyze IPs from a log line to assess risk.

Bulk analysis: check multiple IPs in a single operation for efficiency.
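The log analysis case combined with the private IP filtering described above, as an added example that is not the project's own code: it extracts IPv4 addresses from a log line and separates those that may be sent to a lookup from internal ones that should stay local. The function name partition_log_ips and the sample log line are hypothetical, and treating every non-globally-routable address as "private" is an assumption about how ALLOW_PRIVATE_IPS behaves.

```python
import ipaddress
import re

# Candidate dotted-quad tokens; ipaddress performs the real validation.
_IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")


def partition_log_ips(log_line, allow_private=False):
    """Split the IPv4 addresses in a log line into (to_query, withheld).

    Hypothetical helper. allow_private mirrors ALLOW_PRIVATE_IPS; treating
    every non-globally-routable address as "private" is an assumption.
    """
    to_query, withheld = [], []
    for token in _IPV4_TOKEN.findall(log_line):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # not a real address, e.g. 999.1.1.1
        bucket = to_query if (allow_private or addr.is_global) else withheld
        if str(addr) not in to_query and str(addr) not in withheld:
            bucket.append(str(addr))  # de-duplicate, keep first-seen order
    return to_query, withheld


# Constructed sample log line (not real traffic).
SAMPLE = (
    "Jan 12 03:14:07 gw sshd[812]: Failed password for root from 8.8.8.8 "
    "port 22 via 10.0.0.5; fwd 192.168.1.20, 999.1.1.1, retry from 8.8.8.8."
)

if __name__ == "__main__":
    query, withheld = partition_log_ips(SAMPLE)
    print("send to AbuseIPDB:", query)
    print("kept local:", withheld)
```

Withholding internal addresses before any request is made keeps internal network layout out of a third-party API and also saves daily quota.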

Docker deployment

Build and run the server in a container to simplify deployment and isolation.

```bash
# Build the image
docker build -f docker/Dockerfile -t mcp-abuseipdb .

# Run the container
docker run -e ABUSEIPDB_API_KEY=your_key_here mcp-abuseipdb
```

Development

Set up the development environment and run tests to validate changes.

```bash
pip install -e ".[dev]"
pre-commit install

pytest
```

Available tools

check_ip

Check the reputation of a single IP address with configurable max age, verbosity, and a threshold for flagging.

check_block

Analyze the reputation of a CIDR network block and return aggregated results.

get_blacklist

Retrieve the AbuseIPDB blacklist with configurable minimum confidence and limit.

bulk_check

Check multiple IP addresses efficiently in a single operation with configurable age and threshold.

enrich_log_line

Extract and analyze IP addresses from a log line to assess risk.

triage_ip

Generate security analyst triage notes for an IP address using the check data.