MOR API v2 blocked ips

From Kolmisoft Wiki

These endpoints manage rows on MOR - Blocked IPs (block, list, show, unblock). They complement the read-only diagnostic GET /api/v2/ip_access/status (check whether an arbitrary IP is blocked or whitelisted). Changes apply on the server within about one minute (same iptables pipeline as the GUI).



Authentication and permissions

  • Bearer JWT (same as other MOR API v2 methods).
  • User must be admin or accountant with monitorings_manage (read for list/show; write for block/unblock).
  • Each call also requires the matching v2_blocked_ips_* method on the user’s API permission group (see API settings in the GUI).
  • When Restrict API access by IP is enabled, the client IP must be allowed on Whitelisted IPs (management endpoints are not exempt — unlike ip_access/status).



Endpoints

Base path: {Web_Dir}/api/v2/blocked_ips (for example /billing/api/v2/blocked_ips).

| Method | Path | ACL name | Description |
|---|---|---|---|
| GET | /blocked_ips | v2_blocked_ips_index | List blocked IPs (filters below). |
| GET | /blocked_ips/{id} | v2_blocked_ips_show | Show one row. Optional query fallback: ip, server_id when the numeric id is stale. |
| POST | /blocked_ips | v2_blocked_ips_create | Block IP(s). Body/query: ip (required), server_id (integer or all), reason (optional; default MOR-BLOCKED-IP-FROM-API-V2). |
| DELETE | /blocked_ips/{id} | v2_blocked_ips_destroy | Unblock (pending). Optional query fallback: ip, server_id. |

There is no UPDATE method (reason cannot be changed via API; matches the GUI).



List filters (GET /blocked_ips)

  • ip — SQL LIKE on blocked address; % wildcard allowed.
  • reason — SQL LIKE prefix on reason/chain.
  • server_id — Restrict to one server.
  • from, max_results — Pagination (same style as other v2 list APIs).



Input rules (POST)

Same rules as MOR - Blocked IPs:

  • Single IPv4, CIDR (canonicalized), or range x.x.x-xx (expanded to multiple rows).
  • Cannot block private, local, or server IPs.
  • Duplicate block on the same server returns an error for that IP (see response below).



Example responses

List (200):

{
  "blocked_ips": [
    {
      "id": 42,
      "ip": "203.0.113.10",
      "server_id": 1,
      "server_label": "ID: 1, IP: 10.0.0.1",
      "reason": "MOR-BLOCKED-IP-FROM-API-V2",
      "country": "United States",
      "status": "active",
      "pending": false
    }
  ],
  "meta": { "from": 1, "max_results": 50, "returned": 1 }
}

status is active, block_pending, or unblock_pending (grey rows in the GUI while iptables catches up).

Create (201): returns blocked_ips for the rows that were accepted. If some parsed IPs fail validation, the response is still 201 and carries warnings (each entry has ip and error).

Create (422): returned when the input is empty, not parseable, or every IP was rejected. The body carries errors, plus warnings when per-IP messages exist.

Unblock (200): { "status": "unblock_pending", "id": 42, "message": "…" }

Not found (404): { "errors": "Blocked IP was not found" }

ACL denied (403): API method not permitted: v2_blocked_ips_*
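Because a 201 can still carry per-IP warnings, and accepted rows may sit in block_pending for about a minute, automation should not treat 201 as "everything is blocked". The following is an added example, not Kolmisoft code: the helper name summarize_create and the exact JSON shape of the warnings and 422 bodies are assumptions based on the descriptions above, and the sample bodies are constructed.

```python
import json

# Row states documented on this page that mean iptables has not caught up yet.
PENDING_STATES = {"block_pending", "unblock_pending"}


def summarize_create(http_status, body_text):
    """Classify the outcome of POST /blocked_ips per IP (hypothetical helper).

    Returns active/pending IP lists, a rejected {ip: error} map, and
    complete=True only when every submitted IP was accepted.
    """
    body = json.loads(body_text) if body_text else {}
    result = {"active": [], "pending": [], "rejected": {}, "complete": False}

    # Per-IP failures can accompany both 201 and 422.
    for w in body.get("warnings") or []:
        result["rejected"][w.get("ip")] = w.get("error")

    if http_status == 201:
        for row in body.get("blocked_ips") or []:
            bucket = "pending" if row.get("status") in PENDING_STATES else "active"
            result[bucket].append(row.get("ip"))
        result["complete"] = not result["rejected"]
    elif http_status == 422:
        # Nothing was accepted; fall back to the top-level message.
        if not result["rejected"]:
            result["rejected"][None] = body.get("errors")
    else:
        raise ValueError(f"unexpected status {http_status}")
    return result


# Constructed sample bodies (shapes assumed, error texts invented for the demo).
PARTIAL_201 = json.dumps({
    "blocked_ips": [{"id": 43, "ip": "203.0.113.55", "server_id": 1,
                     "status": "block_pending", "pending": True}],
    "warnings": [{"ip": "10.0.0.1", "error": "constructed: private IP"}],
})
ALL_REJECTED_422 = json.dumps({
    "errors": "constructed: no valid IPs",
    "warnings": [{"ip": "10.0.0.1", "error": "constructed: private IP"}],
})

if __name__ == "__main__":
    print(summarize_create(201, PARTIAL_201))
    print(summarize_create(422, ALL_REJECTED_422))
```

IPs returned under pending can be re-checked with GET /blocked_ips/{id} until status is active before a playbook marks the containment step as done.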



Quick start (curl)

Replace host, credentials, and JWT flow with your environment.

# 1) Obtain JWT (example — use your deployment’s auth endpoint)
TOKEN="…"

# 2) List
curl -sS -H "Authorization: Bearer $TOKEN" \
  "https://example.com/billing/api/v2/blocked_ips?max_results=10"

# 3) Block a public IP on server 1
curl -sS -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" \
  -d '{"ip":"203.0.113.55","server_id":1,"reason":"SOAR-incident-42"}' \
  "https://example.com/billing/api/v2/blocked_ips"

# 4) Unblock by id
curl -sS -X DELETE -H "Authorization: Bearer $TOKEN" \
  "https://example.com/billing/api/v2/blocked_ips/42"


