This add-on is operated by Expedited Security
Check if an IP address is hosting Proxies, Bots or Malware.
IP Investigator
Last updated March 23, 2019
IP Investigator is an add-on to check if an IP address is hosting Proxies, Bots or Malware.
Protect your site, identify fraudulent traffic or transactions, and improve your analytics by taking advantage of our continuously updated database of malicious web hosts.
IP Investigator exposes an API and has supported examples for Ruby, PHP, Python, Node and Java.
Provisioning the add-on
A list of all plans available can be found here.
IP Investigator can be attached to a Heroku application via the CLI:
$ heroku addons:create ipinvestigator
-----> Adding ipinvestigator to sharp-mountain-4005... done, v18 (free)
Once IP Investigator has been added, an IPINVESTIGATOR_API_KEY config variable will contain your specific API key, granting access to the newly provisioned IP Investigator instance. This can be confirmed using the heroku config:get command.
$ heroku config:get IPINVESTIGATOR_API_KEY
Bl4XHVbdsf5GIXQbqTfXR5IrpuuXER2kaVc2zNnA
After installing IP Investigator your application should be modified to fully integrate with the add-on.
Local setup
Environment setup
After provisioning the add-on it’s necessary to locally replicate the config vars so your development environment can operate against the service.
Use the Heroku Local command-line tool to configure, run and manage process types specified in your app’s Procfile. Heroku Local reads configuration variables from a .env file. To view all of your app’s config vars, type heroku config. Use the following command for each value that you want to add to your .env file.
$ heroku config:get IPINVESTIGATOR_API_KEY -s >> .env
Credentials and other sensitive configuration values should not be committed to source-control. In Git exclude the .env file with: echo .env >> .gitignore
For more information, see the Heroku Local article.
Input Parameter Descriptions
All languages will follow this call structure for inputs.
Index | Name | Example | Description |
---|---|---|---|
0 | ip | string | IPv4 or IPv6 address |
Using with Ruby
Install the Ip-Investigator gem.
# In your Gemfile
gem 'ipinvestigator', git: 'https://github.com/mbuckbee/Ip-Investigator-Gem.git'
Making a Request
$ > require 'ip_investigator'
=> true
# Note: the 'Controller' here is not a reference to Rails controllers
# but an internal structure, won't interfere with your Rails app and will
# work fine in a standalone ruby app or another framework
$ > ipi = IpInvestigator::APIController.new
$ > result = ipi.lookup("68.10.149.45")
Using Results
$ > result.is_listed
=> false
$ > result.list_count
=> false
$ > result.last_seen
=> false
$ > result.is_proxy
=> false
$ > result.is_tor
=> false
$ > result.is_vpn
=> false
$ > result.is_malware
=> false
$ > result.is_spyware
=> false
$ > result.is_dshield
=> false
$ > result.is_hijacked
=> false
$ > result.is_spider
=> false
$ > result.is_bot
=> false
$ > result.is_spam_bot
=> false
$ > result.is_exploit_bot
=> false
Using with PHP
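<?php
// Build the query with http_build_query so the key and the IP are URL-encoded
$query = http_build_query(['api_key' => getenv('IPINVESTIGATOR_API_KEY'), 'ip' => '68.10.149.45']);
$ch = curl_init('https://ipinvestigator.expeditedaddons.com/?' . $query);
// Return the body as a string instead of echoing it, so $response holds the data
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
var_dump($response);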
Using with Python
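import os
from urllib.parse import urlencode
from urllib.request import Request, urlopen  # Python 3 (urllib2 was Python 2 only)
# URL-encode the key and the address rather than concatenating them
query = urlencode({'api_key': os.environ['IPINVESTIGATOR_API_KEY'], 'ip': '68.10.149.45'})
request = Request('https://ipinvestigator.expeditedaddons.com/?' + query)
response_body = urlopen(request, timeout=10).read()
print(response_body.decode('utf-8'))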
Using with Node
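var request = require('request');
var url = 'https://ipinvestigator.expeditedaddons.com/?api_key=' + encodeURIComponent(process.env.IPINVESTIGATOR_API_KEY) + '&ip=68.10.149.45';
request(url, function (error, response, body) {
  // response is undefined when the request itself fails (DNS, TLS, timeout)
  if (error) {
    return console.error('Request failed:', error.message);
  }
  console.log('Status:', response.statusCode);
  console.log('Headers:', JSON.stringify(response.headers));
  console.log('Response:', body);
});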
Using with Java
// Maven : Add these dependencies to your pom.xml (java6+)
// <dependency>
//   <groupId>org.glassfish.jersey.core</groupId>
//   <artifactId>jersey-client</artifactId>
//   <version>2.8</version>
// </dependency>
// <dependency>
//   <groupId>org.glassfish.jersey.media</groupId>
//   <artifactId>jersey-media-json-jackson</artifactId>
//   <version>2.8</version>
// </dependency>
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.MediaType;

// The class name is arbitrary; it only makes the snippet compile on its own
public class IpInvestigatorExample {
  public static void main(String[] args) {
    Client client = ClientBuilder.newClient();
    // Java string literals need double quotes; the API key is read from the environment
    Response response = client.target("https://ipinvestigator.expeditedaddons.com/?api_key=" + System.getenv("IPINVESTIGATOR_API_KEY") + "&ip=68.10.149.45")
      .request(MediaType.TEXT_PLAIN_TYPE)
      .get();
    System.out.println("status: " + response.getStatus());
    System.out.println("headers: " + response.getHeaders());
    System.out.println("body:" + response.readEntity(String.class));
  }
}
Result Field Descriptions
Attribute | Type | Description |
---|---|---|
is_listed | boolean | Is this IP on a blocklist |
list_count | integer | The number of blocklists the IP is listed on |
last_seen | integer | The last time this IP was seen on a blocklist (in Unix time or 0 if not listed recently) |
is_proxy | boolean | IP has been detected as an anonymous web proxy or anonymous HTTP proxy |
is_tor | boolean | IP is coming from a Tor node |
is_vpn | boolean | IP has been detected as coming from a VPN hosting provider |
is_malware | boolean | IP is involved in distributing malware |
is_spyware | boolean | IP is being used by spyware, malware, botnets or for other malicious activities |
is_dshield | boolean | IP has been flagged on DShield (dshield.org) |
is_hijacked | boolean | hijacked netblocks or netblocks controlled by criminal organizations |
is_spider | boolean | IP is a hostile spider or crawler |
is_bot | boolean | IP is hosting a malicious bot or is part of a botnet |
is_spam_bot | boolean | IP address is hosting a spam bot, comment spamming or other spamming software |
is_exploit_bot | boolean | IP is hosting an exploit finding bot or exploit scanning software |
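Added example, not part of the add-on's documentation or client libraries: one way to turn the fields above into an allow / review / block decision in Python, with input validation and a log-safe URL, since the API key travels in the query string. It assumes the response body is a JSON object keyed by the field names in the table; the flag grouping, the 30-day window, the sample body and the function names are this example's own choices.

```python
import ipaddress
import json
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

ENDPOINT = "https://ipinvestigator.expeditedaddons.com/"  # endpoint shown on this page

# Grouping of the documented flags is this example's policy, not the vendor's.
BLOCK_FLAGS = ("is_malware", "is_spyware", "is_hijacked", "is_bot",
               "is_spam_bot", "is_exploit_bot")
REVIEW_FLAGS = ("is_proxy", "is_tor", "is_vpn", "is_spider", "is_dshield")

# Constructed sample body; assumes a JSON object keyed by the documented field names.
SAMPLE_TOR = '{"is_listed": true, "list_count": 1, "last_seen": 0, "is_tor": true}'


def build_url(ip, api_key):
    """Validate the address, then URL-encode both parameters."""
    addr = ipaddress.ip_address(ip.strip())  # ValueError on anything but IPv4/IPv6
    return ENDPOINT + "?" + urlencode({"api_key": api_key, "ip": str(addr)})


def redact(url):
    """Replace the api_key value so the URL is safe to log."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "api_key" else v)
             for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def decide(body, now=None, max_age_days=30):
    """Map a raw response body to 'block', 'review' or 'allow'."""
    try:
        result = json.loads(body)
    except (TypeError, ValueError):
        return "review"  # error page or truncated body: never treat as clean
    if not isinstance(result, dict):
        return "review"
    if any(result.get(flag) is True for flag in BLOCK_FLAGS):
        return "block"
    now = time.time() if now is None else now
    last_seen = result.get("last_seen")
    if not isinstance(last_seen, int):
        last_seen = 0  # 0 means "not listed recently" in the field table
    recent = 0 < last_seen and now - last_seen <= max_age_days * 86400
    if recent and result.get("is_listed") is True:
        return "review"
    if any(result.get(flag) is True for flag in REVIEW_FLAGS):
        return "review"
    return "allow"
```
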
Dashboard
The IP Investigator dashboard allows you to monitor your API usage limits.
The dashboard can be accessed via the CLI:
$ heroku addons:open ipinvestigator
Opening ipinvestigator for sharp-mountain-4005
or by visiting the Heroku Dashboard and selecting the application in question. Select IP Investigator from the Add-ons menu.
Troubleshooting
As a sanity check it is sometimes useful to bypass your app stack and check the endpoint, your API Key and parameters directly.
Test with your browser
# Modify the following to use your actual API Key
https://ipinvestigator.expeditedaddons.com/?api_key=REPLACE_WITH_YOUR_IPINVESTIGATOR_API_KEY&ip=68.10.149.45
A successful call will return your requested data with an HTTP result code of 200. We recommend the JSON Formatter extension as a useful tool.
Your API key can be found on your IP Investigator dashboard.
Migrating between plans
No downtime or disruption of service will occur as you modify your plans.
Use the heroku addons:upgrade command to migrate to a new plan.
$ heroku addons:upgrade ipinvestigator:newplan
-----> Upgrading ipinvestigator:newplan to sharp-mountain-4005... done, v18 ($49/mo)
Your plan has been updated to: ipinvestigator:newplan
Removing the add-on
IP Investigator can be removed via the CLI.
This will destroy all associated data, cannot be undone, and will immediately block access to the API.
$ heroku addons:destroy ipinvestigator
-----> Removing ipinvestigator from sharp-mountain-4005... done, v20 (free)
Support
All IP Investigator support and runtime issues should be submitted via one of the Heroku Support channels. Non-support issues and product feedback are welcome at support@expeditedaddons.com