IP Block Lists allows CSF/LFD to periodically download lists of IP addresses and
CIDRs from published block lists. It is controlled by the file /etc/csf/csf.blocklists.
Uncomment the line starting with the rule name to use it, then restart CSF and then LFD.
• After making any changes to
/etc/csf/csf.blocklistsyou must restart CSF and then LFD.
• If you want to re-download a blocklist you must first delete/var/lib/csf/csf.block.NAMEand then restart CSF and then LFD.
• Each URL is scanned for an IP address/CIDR address per line and if found is blocked.
NAME|INTERVAL|MAX|URL| Parameter | Description |
|---|---|
| NAME | List name with all uppercase alphabetic characters with no spaces and a maximum of 25 characters - this will be used as the iptables chain name. |
| INTERVAL | Refresh interval to download the list, must be a minimum of 3600. seconds (an hour), but 86400 (a day) should be more than enough. |
| MAX | This is the maximum number of IP addresses to use from the list, a value of 0 means all IPs. |
| URL | The URL to download the list from. |
• Make sure that your server supports IPset and that IPset is enabled under
Juggernaut Firewall -> Settings -> General Settingsbefore enabling these lists.
• For large lists remember to set the max IP address limit for the blocklist to be under 65536 (otherwise you will get ipset errors). Alternatively you can raise the ipset limit underJuggernaut Firewall -> Settings -> General Settings -> Ipset maxelem.
• These lists are not under the control of Danami and could have false positives.
| Name | Category | Maintainer | Description | Recommended |
|---|---|---|---|---|
| ABUSEIPDB | reputation | abuseipdb.com | IP reputation database of abusive IPs engaging in hacking attempts or other malicious behavior (You must sign up to their website for a free API key then replace YOUR_API_KEY with it in the source URL). | yes |
| BDE | attacks | blocklist.de | Blocklist.de attacking IP addresses (last hour). | |
| BDEALL | attacks | blocklist.de | Blocklist.de attacking IP addresses (all). | yes |
| BDS_ATIF | reputation | binarydefense.com | Artillery Threat Intelligence feed and banlist feed. | |
| BFB | attacks | Daniel Gerzo | BruteForceBlocker IP List. | |
| BLOCKLIST_NET_UA | abuse | blocklist.net.ua | This blockList will help to stop receiving a large amount of spam from dubious SMTP relays or from attempts of brute force passwords to servers and network equipment. | yes |
| BOGON | unroutable | team-cymru.org | Private and reserved addresses defined by RFC 1918, RFC 5735, and RFC 6598 and netblocks that have not been allocated to a regional internet registry. | |
| BOTSCOUT | abuse | botscout.com | Helps prevent automated web scripts, known as bots, from registering on forums, polluting databases, spreading spam, and abusing forms on web sites. | |
| CIARMY | reputation | cinsscore.com | The CINS Army list is a subset of the CINS Active Threat Intelligence ruleset, and consists of IP addresses that have a very poor rogue packet score or have tripped CINS sentinels deployed around the world. | yes |
| DARKLIST_DE | attacks | darklist.de | SSH fail2ban reporting. | |
| DSHIELD | attacks | dShield.org | Top 20 attacking class C (/24) subnets over the last three days. | yes |
| ET_BLOCK | attacks | emergingthreats.net | Default blacklist (at the time of writing includes spamhaus DROP, dshield and abuse.ch trackers, which are available separately too - prefer to use the direct ipsets instead of this, they seem to lag a bit in updates). | |
| ET_COMPROMISED | attacks | emergingthreats.net | Compromised hosts. | |
| ET_TOR | anonymizers | emergingthreats.net | TOR network IPs. | yes |
| FEODO | malware | abuse.ch | Trojan includes IPs which are being used by Feodo (also known as Cridex or Bugat) which commits ebanking fraud. | |
| GREENSNOW | attacks | greenSnow.co | GreenSnow is comparable with SpamHaus.org for attacks of any kind except for spam. Attacks / bruteforce that are monitored are: Scan Port, FTP, POP3, mod_security, IMAP, SMTP, SSH, cPanel, etc. | yes |
| HONEYPOT | attacks | projecthoneypot.org | Dictionary attacker IPs. | |
| INTERSERVER_2D | attacks | interserver.net | InterServers InterShield protection system includes IPs which have brute forced (ssh, ftp, pop, imap, passwords), spammed, or mark as malicious due to mod_security (last 2 days). | |
| INTERSERVER_7D | attacks | interserver.net | InterServers InterShield protection system includes IPs which have brute forced (ssh, ftp, pop, imap, passwords), spammed, or mark as malicious due to mod_security (last 7 days). | |
| INTERSERVER_ALL | attacks | interserver.net | InterServers InterShield protection system includes IPs which have brute forced (ssh, ftp, pop, imap, passwords), spammed, or mark as malicious due to mod_security (all IPs). | yes |
| MAXMIND | anonymizers | maxmind.com | MaxMind GeoIP anonymous proxies. | yes |
| SBLAM | abuse | sblam.com | IPs used by web form spammers, during the last month. | |
| SPAMDROP | spam | spamhaus.org | Do not Route Or Peer List (DROP). | yes |
| SPAMDROPV6 | spam | spamhaus.org | IPv6 do not Route Or Peer List (DROPv6). | yes |
| SPAMEDROP | spam | spamhaus.org | Spamhaus Extended DROP List (EDROP). | yes |
| SSLBL | malware | abuse.ch | Bad SSL traffic related to malware or botnet activities. | |
| SSLBL_AGGRESSIVE | malware | abuse.ch | The aggressive version of the SSL IP Blacklist contains all IPs that SSLBL ever detected being associated with a malicious SSL certificate. This blacklist may cause false positives. | |
| STOPFORUMSPAM | abuse | stopforumspam.com | Banned IPs used by forum spammers. | yes |
| STOPFORUMSPAM_180D | abuse | stopforumspam.com | IPs used by forum spammers (last 180 days). | |
| STOPFORUMSPAM_1D | abuse | stopforumspam.com | IPs used by forum spammers in the last 24 hours | |
| STOPFORUMSPAM_30D | abuse | stopforumspam.com | IPs used by forum spammers (last 30 days) | |
| STOPFORUMSPAM_365D | abuse | stopforumspam.com | IPs used by forum spammers (last 365 days) | |
| STOPFORUMSPAM_7D | abuse | stopforumspam.com | IPs used by forum spammers (last 7 days) | |
| STOPFORUMSPAM_90D | abuse | stopforumspam.com | IPs used by forum spammers (last 90 days) | |
| STOPFORUMSPAM_TOXIC | abuse | stopforumspam.com | Networks that have large amounts of spambots and are flagged as toxic. Toxic IP ranges are infrequently changed. | yes |
| TOR | anonymizers | torproject.org | TOR exit node list. | yes |
A special thanks goes to the folks at iplists.firehol.org for all their hard work compiling the original IP Feeds.
| File | Description |
|---|---|
/etc/csf/csf.conf |
LF_BOGON_SKIP URLGET configuration options |
/etc/csf/csf.blocklists |
This file contains definitions to IP BLOCK lists. |