IP Block Lists

IP Block Lists allows CSF/LFD to periodically download lists of IP addresses and CIDRs from published block lists. It is controlled by the file /etc/csf/csf.blocklists. Uncomment the line starting with the rule name to use it, then restart CSF and then LFD.

• After making any changes to /etc/csf/csf.blocklists you must restart CSF and then LFD.
• If you want to re-download a blocklist you must first delete /var/lib/csf/csf.block.NAME and then restart CSF and then LFD.
• Each downloaded list is scanned for one IPv4 address or CIDR per line; every address or range found is blocked.

Format

Each entry in /etc/csf/csf.blocklists is one line of the form:

    NAME|INTERVAL|MAX|URL

Parameter | Description
NAME | List name: all uppercase alphabetic characters, no spaces, maximum 25 characters. This is used as the iptables chain name.
INTERVAL | Refresh interval, in seconds, for re-downloading the list. Must be a minimum of 3600 (an hour); 86400 (a day) should be more than enough.
MAX | The maximum number of IP addresses to use from the list; a value of 0 means all IPs.
URL | The URL to download the list from.

• Some of these lists are very long (thousands of IP addresses) and could cause serious network and/or performance issues, so setting a value for the MAX field should be considered.
• These lists are not under the control of Danami and could have false positives.
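Added example (not code from the page or from CSF itself): a small Python checker that enforces the NAME, INTERVAL and MAX rules for a csf.blocklists entry, plus a scanner that takes one IPv4 address or CIDR per line from a downloaded list and stops once MAX entries are collected, run over a constructed sample feed. The NAME pattern (which also admits digits and underscores, as the list names in the table below do), the sample feed and the example.invalid URLs are assumptions made here.

```python
import ipaddress
import re

# Assumption: digits and underscores are accepted in NAME, as in the page's own
# list names (BI_ANY_2_1D etc.); the name doubles as the iptables chain name.
NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]{0,24}$")
# First IPv4 address on a line, optionally with a /prefix length.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)(?![\d.])")

def validate_entry(line):
    """Parse one NAME|INTERVAL|MAX|URL line; raise ValueError naming the bad field."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 4:
        raise ValueError("expected NAME|INTERVAL|MAX|URL")
    name, interval, maximum, url = fields
    if not NAME_RE.match(name):
        raise ValueError("NAME: uppercase, no spaces, max 25 chars")
    if not interval.isdigit() or int(interval) < 3600:
        raise ValueError("INTERVAL: at least 3600 seconds")
    if not maximum.isdigit():
        raise ValueError("MAX: non-negative integer, 0 means all IPs")
    return name, int(interval), int(maximum), url

def extract_ipv4(feed, maximum=0):
    """Collect one valid IPv4/CIDR per feed line; stop after MAX when MAX > 0."""
    found = []
    for line in feed.splitlines():
        m = IPV4_RE.search(line)
        if not m:
            continue  # comment, hostname or IPv6 line: ignored
        try:
            ipaddress.ip_network(m.group(1), strict=False)  # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        found.append(m.group(1))
        if maximum and len(found) >= maximum:
            break
    return found

# Constructed sample of a downloaded list (not a real feed).
SAMPLE_FEED = """\
; comment line
192.0.2.1
198.51.100.0/24
evil.example.invalid
2001:db8::1
999.1.1.1
203.0.113.7 # trailing note
"""
```

With MAX set to 2 the scanner stops after the second valid entry, which is the effect the MAX field has on a very long list.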

Blocklists

Name | Category | Maintainer | Description
ALIENVAULT_REPUTATION | reputation | Alien Vault | IP reputation database
ALTTOR | anonymizers | Tor Network Status | TOR Exit Nodes List
AUTOSHUN | attacks | Autoshun.org | Autoshun Shun List
BAMBENEK_C2 | malware | Bambenek Consulting | Master feed of known, active and non-sinkholed C&C IP addresses
BDE | attacks | Blocklist.de | Blocklist.de attacking IP addresses (last hour)
BDEALL | attacks | Blocklist.de | Blocklist.de attacking IP addresses (all)
BDS_ATIF | reputation | Binary Defense Systems | Artillery Threat Intelligence Feed and Banlist Feed
BFB | attacks | Daniel Gerzo | BruteForceBlocker IP List
BITCOIN_BLOCKCHAIN_INFO | reputation | Blockchain.info | Bitcoin nodes connected to Blockchain.info
BI_ANY_2_1D | attacks | BadIPs.com | Bad IPs in category any with score above 2 and age less than 1d
BI_ANY_2_30D | attacks | BadIPs.com | Bad IPs in category any with score above 2 and age less than 30d
BI_ANY_2_7D | attacks | BadIPs.com | Bad IPs in category any with score above 2 and age less than 7d
BI_BRUTEFORCE_2_30D | attacks | BadIPs.com | Bad IPs in category bruteforce with score above 2 and age less than 30d
BI_FTP_2_30D | attacks | BadIPs.com | Bad IPs in category ftp with score above 2 and age less than 30d
BI_HTTP_2_30D | attacks | BadIPs.com | Bad IPs in category http with score above 2 and age less than 30d
BI_MAIL_2_30D | attacks | BadIPs.com | Bad IPs in category mail with score above 2 and age less than 30d
BI_PROXY_2_30D | attacks | BadIPs.com | Bad IPs in category proxy with score above 2 and age less than 30d
BI_SQL_2_30D | attacks | BadIPs.com | Bad IPs in category sql with score above 2 and age less than 30d
BI_SSH_2_30D | attacks | BadIPs.com | Bad IPs in category ssh with score above 2 and age less than 30d
BI_VOIP_2_30D | attacks | BadIPs.com | Bad IPs in category voip with score above 2 and age less than 30d
BLOCKLIST_DE | attacks | Blocklist.de | IPs that have been detected by fail2ban in the last 48 hours
BLOCKLIST_DE_APACHE | attacks | Blocklist.de | All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache (Apache-DDOS, RFI-Attacks).
BLOCKLIST_DE_BOTS | attacks | Blocklist.de | All IP addresses which have been reported within the last 48 hours for RFI-Attacks, REG-Bots, IRC-Bots or BadBots (a BadBot has posted a spam comment on an open forum or wiki).
BLOCKLIST_DE_BRUTEFORCE | attacks | Blocklist.de | All IPs which attack Joomla, WordPress and other web logins with brute-force logins.
BLOCKLIST_DE_FTP | attacks | Blocklist.de | All IP addresses which have been reported within the last 48 hours for attacks on the service FTP.
BLOCKLIST_DE_IMAP | attacks | Blocklist.de | All IP addresses which have been reported within the last 48 hours for attacks on the services IMAP, SASL, POP3, etc.
BLOCKLIST_DE_MAIL | attacks | Blocklist.de | All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail (Postfix).
BLOCKLIST_DE_SIP | attacks | Blocklist.de | All IP addresses that tried to log in to a SIP, VoIP or Asterisk server and are included in the IP list from infiltrated.net
BLOCKLIST_DE_SSH | attacks | Blocklist.de | All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH.
BLOCKLIST_DE_STRONGIPS | attacks | Blocklist.de | All IPs which are older than 2 months and have more than 5,000 attacks.
BLOCKLIST_NET_UA | abuse | blocklist.net.ua | The BlockList project was created as protection against the negative influence of harmful and potentially dangerous events on the Internet. First of all this service helps internet and hosting providers to protect subscribers' sites from being hacked. BlockList helps to stop receiving large amounts of spam from dubious SMTP relays or from attempts to brute-force passwords on servers and network equipment.
BM_TOR | anonymizers | torstatus.blutmagie.de | List of all TOR network servers
BOGON | unroutable | Team Cymru | Private and reserved addresses defined by RFC 1918, RFC 5735 and RFC 6598, and netblocks that have not been allocated to a regional internet registry
BOTSCOUT | abuse | BotScout.com | Helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam and abusing forms on web sites. They do this by tracking the names, IPs and email addresses that bots use and logging them as unique signatures for future reference. They also provide a simple yet powerful API that you can use to test forms when they're submitted on your site. This list is composed of the most recently caught bots.
BRUTEFORCEBLOCKER | attacks | danger.rulez.sk | (fail2ban alternative for SSH on OpenBSD.) This is an automatically generated list from users reporting failed authentication attempts. An IP seems to be included if 3 or more users report it. Its retention policy seems to be 30 days.
CHAOSREIGNS_IPREP | spam | ChaosReigns.com | The iprep0 list includes all IPs that sent only spam emails. This is an automated, free, public email IP reputation system.
CIARMY | reputation | Collective Intelligence Network Security | IPs with a poor Rogue Packet score that have not yet been identified as malicious by the community
CLEANMX_VIRUSES | spam | Clean-MX.de | IPs with viruses
CRUZIT_WEB_ATTACKS | attacks | CruzIt.com | IPs of compromised machines scanning for vulnerabilities and DDOS attacks
CTA_CRYPTOWALL | malware | Cyber Threat Alliance | CryptoWall is one of the most lucrative and broad-reaching ransomware campaigns affecting Internet users today. Sharing intelligence and analysis resources, the CTA profiled the latest version of CryptoWall, which impacted hundreds of thousands of users, resulting in over US $325 million in damages worldwide.
DARKLIST_DE | attacks | darklist.de | SSH fail2ban reporting
DRAGON_HTTP | attacks | Dragon Research Group (DRG) | IPs that have been seen sending HTTP requests to Dragon Research Pods in the last 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious HTTP attacks. LEGITIMATE SEARCH ENGINE BOTS MAY BE IN THIS LIST. This report is informational. It is not a blacklist, but some operators may choose to use it to help protect their networks and hosts in the form of automated reporting and mitigation services.
DRAGON_SSHPAUTH | attacks | Dragon Research Group (DRG) | IP addresses that have been seen attempting to remotely log in to a host using SSH password authentication in the last 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious SSH password authentication attacks.
DRAGON_VNCPROBE | attacks | Dragon Research Group (DRG) | IP addresses that have been seen attempting to remotely connect to a host running the VNC application service in the last 7 days. This report lists hosts that are highly suspicious and are likely conducting malicious VNC probes or VNC brute force attacks.
DSHIELD | attacks | DShield.org | Top 20 attacking class C (/24) subnets over the last three days
ET_BLOCK | attacks | Emerging Threats | Default blacklist (at the time of writing includes Spamhaus DROP, DShield and abuse.ch trackers, which are available separately too; prefer to use the direct lists instead of this one, as it seems to lag a bit in updates)
ET_BOTCC | reputation | Emerging Threats | These IPs are updated every 24 hours and should be considered VERY highly reliable indications that a host is communicating with a known and active bot or malware command and control server (although they say this includes abuse.ch trackers, it does not; check its overlaps)
ET_COMPROMISED | attacks | Emerging Threats | Compromised hosts
ET_DSHIELD | attacks | Emerging Threats | DShield blocklist
ET_SPAMHAUS | attacks | Emerging Threats | Spamhaus blocklist
ET_TOR | anonymizers | Emerging Threats | List of TOR network IPs
FEODO | malware | Abuse.ch | IPs which are being used by the Feodo trojan (also known as Cridex or Bugat), which commits ebanking fraud
GREENSNOW | attacks | GreenSnow.co | A team harvesting a large number of IPs from different computers located around the world. GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Their list is updated automatically and you can withdraw your IP address at any time if it has been listed. Attacks / bruteforce that are monitored are: port scans, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel, etc.
HONEYPOT | attacks | Project Honeypot | Project Honey Pot Directory of Dictionary Attacker IPs
IW_SPAMLIST | spam | ImproWare Antispam | IPs sending spam in the last 3 days
IW_WORMLIST | spam | ImproWare Antispam | IPs sending emails with viruses or worms in the last 3 days
LASHBACK_UBL | spam | The LashBack Unsubscribe Blacklist | The Unsubscribe Blacklist (UBL) is a real-time blacklist of IP addresses which are sending email to names harvested from suppression files (this is a big list, more than 500,000 IPs)
MALC0DE | malware | malc0de.com | Malicious IPs of the last 30 days
MALWAREDOMAINLIST | malware | MalwareDomainList.com | List of malware active IP addresses
MAXMIND | anonymizers | Maxmind | MaxMind GeoIP Anonymous Proxies
MYIP | abuse | MyIP.ms | IPs identified as web bots in the last 10 days, using several sites that require human action
NT_MALWARE_DNS | attacks | NoThink.org | Malware DNS (the original list includes hostnames and domains, which are ignored)
NT_MALWARE_HTTP | attacks | NoThink.org | Malware HTTP
NT_MALWARE_IRC | attacks | NoThink.org | Malware IRC
NT_SSH_7D | attacks | NoThink.org | Last 7 days SSH attacks
OPENBL | attacks | OpenBL.org | OpenBL.org 30 day list
OPENBL_180D | attacks | OpenBL.org | Last 180 days IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse.
OPENBL_1D | attacks | OpenBL.org | Last 24 hours IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse.
OPENBL_30D | attacks | OpenBL.org | Last 30 days IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse.
OPENBL_360D | attacks | OpenBL.org | Last 360 days IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse.
OPENBL_60D | attacks | OpenBL.org | Last 60 days IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse.
OPENBL_7D | attacks | OpenBL.org | Last 7 days IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse.
OPENBL_90D | attacks | OpenBL.org | Last 90 days IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse.
OPENBL_ALL | attacks | OpenBL.org | All IPs. OpenBL.org is detecting, logging and reporting various types of internet abuse.
PACKETMAIL | reputation | PacketMail.net | IP addresses that have been detected performing TCP SYN to 206.82.85.196/30 to a non-listening service or daemon. No assertion is made, nor implied, that any of the listed IP addresses are accurate, malicious, hostile, or engaged in nefarious acts. Use this list at your own risk.
PHP_COMMENTERS | spam | ProjectHoneypot.org | Comment spammers (this list is composed using an RSS feed)
PHP_DICTIONARY | spam | ProjectHoneypot.org | Dictionary attackers (this list is composed using an RSS feed)
PHP_HARVESTERS | spam | ProjectHoneypot.org | Harvesters (IPs that surf the internet looking for email addresses) (this list is composed using an RSS feed)
PHP_SPAMMERS | spam | ProjectHoneypot.org | Spam servers (IPs used by spammers to send messages) (this list is composed using an RSS feed)
PROXYLISTS | anonymizers | ProxyLists.net | Open proxies (this list is composed using an RSS feed)
PROXYSPY | anonymizers | ProxySpy (spys.ru) | Open proxies (updated hourly)
SBLAM | abuse | sblam.com | IPs used by web form spammers during the last month
SHUNLIST | attacks | AutoShun.org | IPs identified as hostile by correlating logs from distributed Snort installations running the autoshun plugin
SNORT_IPFILTER | attacks | Snort.org Labs | Supplied IP blacklist (this list seems to be updated frequently, but we found no information about it)
SPAMDROP | spam | Spamhaus | Do not Route Or Peer List (DROP)
SPAMEDROP | spam | Spamhaus | Spamhaus Extended DROP List (EDROP)
SSLBL | malware | Abuse.ch | Bad SSL traffic related to malware or botnet activities
SSLBL_AGGRESSIVE | malware | Abuse.ch | The aggressive version of the SSL IP Blacklist contains all IPs that SSLBL ever detected being associated with a malicious SSL certificate. Since IP addresses can be reused (e.g. when the customer changes), this blacklist may cause false positives.
STOPFORUMSPAM | abuse | StopForumSpam.com | Banned IPs used by forum spammers
STOPFORUMSPAM_180D | abuse | StopForumSpam.com | IPs used by forum spammers (last 180 days)
STOPFORUMSPAM_1D | abuse | StopForumSpam.com | IPs used by forum spammers in the last 24 hours
STOPFORUMSPAM_30D | abuse | StopForumSpam.com | IPs used by forum spammers (last 30 days)
STOPFORUMSPAM_365D | abuse | StopForumSpam.com | IPs used by forum spammers (last 365 days)
STOPFORUMSPAM_7D | abuse | StopForumSpam.com | IPs used by forum spammers (last 7 days)
STOPFORUMSPAM_90D | abuse | StopForumSpam.com | IPs used by forum spammers (last 90 days)
STOPFORUMSPAM_TOXIC | abuse | StopForumSpam.com | Networks that have large amounts of spambots and are flagged as toxic. Toxic IP ranges are infrequently changed.
TALOSINTEL_IPFILTER | attacks | TalosIntel.com | List of known malicious network threats
TOR | anonymizers | Torproject | TOR Exit Nodes List
TOR_EXITS | anonymizers | TorProject.org | List of all current TOR exit points (TorDNSEL)
TRUSTEDSEC_ATIF | reputation | TrustedSec | Artillery Threat Intelligence Feed and Banlist Feed
VIRBL | spam | VirBL.bit.nl | A project whose idea was born during the RIPE-48 meeting. The plan was to get reports from virus-scanning mail servers and put the IP addresses that were reported to send viruses on a blacklist.
VOIPBL | attacks | VoIPBL.org | A distributed VoIP blacklist that aims to protect against VoIP fraud and minimize abuse for networks that have publicly accessible PBXs. Several algorithms, external sources and manual confirmation are used before something is categorized as an attack and its threat level determined.
XROXY | anonymizers | Xroxy.com | Open proxies (this list is composed using an RSS feed)
ZEUS | malware | Abuse.ch | Standard ZeuS IP blocklist: contains the same data as the ZeuS badips blocklist (zeus_badips) but with the slight difference that it does not exclude hijacked websites (level 2) and free web hosting providers (level 3). This means that this blocklist contains all IPv4 addresses associated with ZeuS C&Cs which are currently being tracked by ZeuS Tracker. Hence this blocklist will likely cause some false positives.
ZEUS_BADIPS | malware | Abuse.ch | Badips includes IPv4 addresses that are used by the ZeuS trojan. It is the recommended blocklist if you want to block only ZeuS IPs. It excludes IP addresses that ZeuS Tracker believes to be hijacked (level 2) or belong to a free web hosting provider (level 3). Hence the false positive rate should be much lower compared to the standard ZeuS IP blocklist.

References

A special thanks goes to the folks at iplists.firehol.org for all their hard work compiling the original IP feeds.

Related Files

File | Description
/etc/csf/csf.conf | LF_BOGON_SKIP and URLGET configuration options
/etc/csf/csf.blocklists | This file contains the IP block list definitions.

Related Pages