Filtering the Noise: How I Use AbuseIPDB, Spamhaus, and Matomo to Harden My Infrastructure
Filtering malicious traffic and spam using AbuseIPDB, Spamhaus, and Matomo with scripts that protect your self-hosted web infrastructure.

One of the biggest surprises in running my own web infrastructure wasn’t the amount of traffic — it was where that traffic came from.
The moment you make a site accessible on the internet, bots and scanners will find it. Some are harmless crawlers or search engines, but many are not. They scan for vulnerabilities, try brute-force logins, or probe for exposed APIs. The majority are automated, fast, and relentless.
That’s when it hit me: if I wanted to self-host seriously, I had to filter out the noise — and start protecting my infrastructure like it was production-grade.
Meet the Blocklist Gatekeepers: AbuseIPDB and Spamhaus
Two of the most respected organizations in this space are AbuseIPDB and Spamhaus. They're both committed to identifying malicious IP addresses, but they go about it in different ways.
AbuseIPDB is a community-driven platform that collects reports from users and security professionals. Every reported IP is tagged with context: port scans, SSH brute-force attempts, spam activity, and more. Submissions are ranked by confidence levels, and developers (like me) can use their API to pull lists of high-confidence offenders.
Spamhaus, on the other hand, maintains several curated lists like the DROP (Don't Route Or Peer) list. What makes their list unique is that it includes entire netblocks that have been hijacked or are under the control of known cybercriminal operations. These aren’t just rogue individual IPs—they’re neighborhoods that have gone bad.
Together, these two organizations give developers, sysadmins, and independent hosts like me a powerful set of tools for locking out known bad actors.
Automating Blocklists: A Simple Bash Script for NGINX
With these lists available online, I wrote a Bash script that does the following:
- Queries the AbuseIPDB API for IPs with a high confidence score.
- Fetches the Spamhaus DROP list.
- Combines both into a format that NGINX understands (a deny directive per line).
- Validates the updated config and reloads NGINX only if the syntax is good.
By integrating these blocklists directly into NGINX, I can stop malicious traffic before it ever touches my web apps or backend services. This lightens the load on my firewall and ensures my WAF only deals with requests that have at least passed a basic IP sanity check.
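A sketch of those four steps, added here as an illustration and not the script described in this post. The feed layouts (DROP as `CIDR ; SBL id` text, AbuseIPDB as one address per line), the sample entries, and the function names are assumptions, and the downloads are replaced by constructed inline samples so it runs offline.

```shell
# Added example. Feed contents below are constructed; real runs download them.
sample_drop() {      # assumed DROP text layout: "CIDR ; SBL id", ';' = comment
cat <<'EOF'
; constructed sample
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
EOF
}

sample_abuseipdb() { # assumed plaintext export: one address per line
cat <<'EOF'
203.0.113.7
203.0.113.7
203.0.113.999
not-an-address
198.51.100.23
EOF
}

# Keep only well-formed IPv4 addresses/CIDRs (IPv6 is skipped in this sketch)
# so feed text never reaches the NGINX config unvalidated; de-duplicate.
to_deny_lines() {
  awk '
    { sub(/[;#].*/, ""); gsub(/[ \t\r]/, "") }
    $0 == "" { next }
    {
      n = split($0, p, "/")
      if (n > 2) next
      if (n == 2 && (p[2] !~ /^[0-9][0-9]?$/ || p[2] + 0 > 32)) next
      if (split(p[1], o, ".") != 4) next
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255) next
      print "deny " $0 ";"
    }' | sort -u
}

build_blocklist() { { sample_drop; sample_abuseipdb; } | to_deny_lines; }

# install_blocklist NEW LIVE: swap in NEW, test, reload; roll back on failure.
install_blocklist() {
  new=$1; live=$2
  [ -s "$new" ] || { echo "refusing empty blocklist" >&2; return 1; }
  [ -f "$live" ] && cp -p "$live" "$live.bak"
  cp "$new" "$live"
  if nginx -t; then nginx -s reload; return; fi
  if [ -f "$live.bak" ]; then mv "$live.bak" "$live"; else rm -f "$live"; fi
  return 1
}
build_blocklist
```

In a real run, pipe the downloaded feeds through `to_deny_lines` into a temporary file and pass it to `install_blocklist` with the path of the file your NGINX config includes. The empty-file check matters because a failed download would otherwise replace a working blocklist with nothing.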
Open Tools for Everyday Hosts
What’s remarkable is that these resources aren’t locked behind expensive enterprise firewalls. They’re available to anyone who wants to build safer infrastructure—even people like me who are just passionate about hosting their own sites securely.
And as someone who enjoys tinkering with infrastructure, I found it fascinating to learn that entire IP ranges can be hijacked and sold on underground markets. This isn’t theoretical. It’s happening all the time, and organizations like Spamhaus are constantly updating their lists to stay ahead of the curve.
Going Beyond IPs: Blocking Spam Referrers
Not all bad traffic comes from suspicious IPs. Some of it sneaks in through fake referral data, polluting your analytics and wasting resources.
While AbuseIPDB and Spamhaus help filter out abusive IP addresses, I also wanted to deal with another kind of low-value traffic: referrer spam. These are requests that show up in your analytics with fake Referer headers—often pointing to scammy domains trying to boost their SEO rankings.
To handle this, I integrated Matomo’s Referrer Spam List. It’s an open-source, community-maintained list of thousands of known spam domains. I wrote a separate Bash script that pulls the latest version from GitHub, parses it into a set of NGINX rules, and reloads the config if everything checks out.
Each domain is turned into a conditional 444 rule inside NGINX. That way, bots trying to ping my site with garbage referer headers are stopped cold before they ever get counted in my analytics—or waste my bandwidth.
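One way to do that conversion, added here as an illustration and not the script described in this post. It assumes the list is plain text with one domain per line; the sample domains and function names are constructed. Each rule is anchored to the host part of the Referer, so a listed domain does not match as a substring of an unrelated one.

```shell
# Added example. The list below is a constructed sample; the real list is
# fetched from GitHub as described above.
sample_spammers() {
cat <<'EOF'
spam-site.example
Traffic-Boost.example
spam-site.example
bad entry with spaces
semi;colon.example
EOF
}

# Reads domains on stdin, prints one NGINX rule per valid domain.
# 1. Lower-case and strip CRs.
# 2. Keep only strict hostnames: anything outside [a-z0-9.-] is dropped, so
#    list content can never add or close directives in the config.
# 3. Escape dots so "." does not act as a regex wildcard.
# 4. Anchor to scheme + host, allowing subdomains of the listed domain.
to_referer_rules() {
  tr 'A-Z' 'a-z' | tr -d '\r' |
  grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' |
  sort -u |
  sed -e 's/\./\\./g' \
      -e 's!.*!if ($http_referer ~* "^https?://([^/]+\\.)?&(/|:|$)") { return 444; }!'
}

# The output is meant for a file included inside a server { } block.
sample_spammers | to_referer_rules
```

The generated file can be swapped in with the same test-then-reload step used for the IP blocklist. With thousands of entries, a single `map` on `$http_referer` that sets a flag is cheaper per request than one `if` per domain.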
This kind of layered blocking—IP + domain-level—has been incredibly effective at cutting down noise. It’s not just about security; it also improves signal quality when I'm analyzing real traffic patterns.
Final Thoughts
You don’t need a SOC team or enterprise gear to protect your self-hosted websites. A bit of scripting, the right public resources, and a basic understanding of how malicious traffic behaves can go a long way.
If you're managing your own server or are curious about what happens behind the scenes when someone tries to break into a web application, I encourage you to explore AbuseIPDB and Spamhaus. It’s eye-opening.
Ready to Fortify Your Self-Hosted Stack?
Whether you're running a personal blog or managing critical client-facing services, implementing smart blocklists can drastically reduce noise, spam, and attack surface. Tools like AbuseIPDB, Spamhaus, and Matomo give you the raw data — but wiring it all together takes a little engineering.
At Packet Passport, we specialize in lightweight, practical security solutions for indie developers, small teams, and anyone serious about self-hosting.
Reach out or learn more at PacketPassport.com
You don’t need enterprise firewalls — just the right tools, smart defaults, and a strategy that fits your setup.