Introduction
[FR]
- Agrégation de listes d'adresses IP malveillantes scindée en fichiers de 131 072 entrées au maximum pour être intégrées dans des pare-feux : Fortinet FortiGate, Palo Alto, pfSense, OPNsense, IPtables ...
- Adresses IP malveillantes de type scanners et bruteforce, donc à bloquer UNIQUEMENT en entrée : dans le sens WAN > LAN
- Adresses IP ordonnées en fonction du nombre de sources dans lesquelles elles apparaissent (IP malveillantes apparaissant dans le plus de sources dans le premier fichier full-aa.txt)
- Mise à jour toutes les heures
Fichiers à utiliser (liens dans la partie "Links" ci-dessous) :
- full-aa.txt : 131 072 adresses IP les plus malveillantes
- full-a*.txt : toutes les adresses IP malveillantes en fichiers de 131 072 IP (pour FortiOS < 7.4.4)
- full-40k.txt : 40 000 adresses IP les plus malveillantes
- full-300k-a*.txt : toutes les adresses IP malveillantes en fichiers de 300 000 IP (pour FortiOS > 7.4.4)
- malicious-ip-by-country/full-*.txt : toutes les adresses IP malveillantes d'un pays (si vous avez besoin du fichier d'un pays manquant, envoyez moi un message)
Liste blanche : les adresses IP des services suivants sont retirées des fichiers : Google Bot, Bing Bot.
[EN]
- Aggregation of lists of malicious IP addresses split into files of a maximum of 131,072 entries to be integrated into firewalls: Fortinet FortiGate, Palo Alto, pfSense, OPNsense, IPtables ...
- Malicious IP addresses such as scanners and bruteforce, therefore ONLY to be blocked in the WAN > LAN direction
- IP addresses ordered by the number of sources they appear in (malicious IPs appearing in most sources in the first file full-aa.txt)
- Updated every hour
Files to use (links in the "Links" section below):
- full-aa.txt: 131,072 most malicious IP addresses
- full-a*.txt: all malicious IP addresses in 131,072 IP files (for FortiOS < 7.4.4)
- full-40k.txt: 40,000 most malicious IP addresses
- full-300k-a*.txt : all malicious IP addresses in 300,000 IP files (for FortiOS > 7.4.4)
- malicious-ip-by-country/full-*.txt : all malicious IP addresses of a country (if you need a missing country file, send me a message)
Whitelist: IP addresses of the following services are removed from the files: Google Bot, Bing Bot.
Menu:
Statistics
Update of the following table: 2024-11-29 11:44 CEST
| Malicious IP addresses in full-* | % | Number of IPs |
|---|---|---|
| Present in 6 sources and more | 3.04 % | 19 683 |
| Present in 5 sources | 2.27 % | 14 689 |
| Present in 4 sources | 3.53 % | 22 873 |
| Present in 3 sources | 4.77 % | 30 892 |
| Present in 2 sources | 13.52 % | 87 515 |
| Present in 1 source | 72.84 % | 471 290 |
| Total | 100 % | 646 942 |
Update of the common IP table with the FortiGate ISDB Malicious-Malicious.Server: 2024-11-29 01:30 CEST
| FortiGate models | full-* IPs common with ISDB |
|---|---|
| 100F and below | 3.98 % |
| 200F and above | 21.45 % |
History of statistics here.
Classification by country and organizations of malicious IP addresses present in at least 2 sources.
Implementation
[FR]
Comment intégrer ces listes dans un pare-feu ?
- FortiGate
- C'est un complément de la base de données ISDB "Malicious-Malicious.Server" des FortiGate (statistiques d'IP communes entre la liste full-* et l'ISDB ici).
- Menu "Security Fabric → External Connectors → Create New → IP Address"
- Prendre une URL dans la partie "Links" ci-dessous
- Après, les listes peuvent être utilisées dans les "Firewall Policy" avec les objets "IP Address Threat Feed"
- Implémentation de la liste full validée même sur le plus petit boitier FortiGate 40F
- Plus d'informations : mon tutorial et cette page de l'aide Fortinet
- Palo Alto : lien. Modèle PA-3200 et supérieurs limités à 150k IP (utilisez uniquement full-aa.txt), modèles inférieurs limités à 50k IP (utilisez le fichier full-40k.txt)
- pfSense : via ce repo GitHub qui permet d'implémenter une API dans pfSense. Attention, par défaut le nombre maximal d'objets est de 400k. Possibilité d'augmenter cette valeur si votre pfSense a beaucoup de RAM. Plus d'infos ici.
- OPNsense : via API (doc. Modifier le nombre maximal d'entrées d'un alias : "Firewall -> Settings -> Advanced -> Firewall Maximum Table Entries".
- IPTables avec le paquet "ipset" : tutorial 1 tutorial 2
[EN]
How to integrate these lists into a firewall?
- FortiGate
- It is a complement to the FortiGate ISDB "Malicious-Malicious.Server" database (common IP address statistics between the full-* list and the ISDB here).
- Menu "Security Fabric → External Connectors → Create New → IP Address"
- Take a URL in the "Links" section below
- Then, the lists can be used in "Firewall Policy" as "IP Address Threat Feed" objects.
- Implementation of the full list validated even on the smallest FortiGate 40F appliance
- More information: my tutorial and this Fortinet help page
- Palo Alto: here. PA-3200 model and above limited to 150k IP (use full-aa.txt only), lower models limited to 50k IP (use full-40k.txt file)
- pfSense: via this GitHub repo which allows you to implement an API in pfSense. Be careful, by default the maximum number of objects is 400k. Possibility to increase this value if your pfSense has a lot of RAM. More info here here.
- OPNsense : via API (doc. Change the maximum number of entries for an alias: "Firewall -> Settings -> Advanced -> Firewall Maximum Table Entries".
- IPTables with the "ipset" package: tutorial 1 tutorial 2
Files URLs
Files URLs with all malicious IP addresses split in 131,072 IP files (especially for FortiOS < 7.4.4):
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-aa.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ab.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ac.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ad.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ae.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-af.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ag.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ah.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ai.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-aj.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ak.txtFiles URLs with all malicious IP addresses split in 300,000 IP files (especially for FortiOS > 7.4.4):
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-300k-aa.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-300k-ab.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-300k-ac.txtFile URL of the 40,000 most malicious IPs (for small firewall or Palo-Alto < PA-3200):
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-40k.txtURL example of a country file
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/malicious-ip-by-country/full-fr-aa.txtSources
| Filename | Source | History | Description |
|---|---|---|---|
| abuseipdb-* | link | 120d | Collaborative blocklist |
| akamai.com-* | link | 30d | IP Block List maintained by Akamai |
| alienvault-fakelabs-* | link | 30d | SSH Brute-Force Honeypot |
| alienvault-georgs-* | link | 30d | RDP/SSH/VNC intrustion and Trojan request |
| alienvault-ssh-bruteforce-* | link | 30d | SSH Brute-Force Honeypot |
| binarydefense.com-* | link | 30d | IP Block List maintained by Binary Defense |
| blocklist.de-* | link | 30d | Collaborative blocklist (6k sensors) (stats) |
| cinsscore.com-* | link | 30d | IP Block List maintained by CINS |
| emergingthreats.net-* | link | 30d | IP Block List maintained by Proofpoint |
| greensnow.co-* | link | 30d | IP Block List maintained by greensnow.co |
| isc.sans.edu-* | link | 20d | Collaborative blocklist (500k sensors): false positives removed |
| malicious-ip-* | link | - | Private honeypots and other sources |
| projecthoneypot.org-* | link | 30d | Collaborative blocklist |
| sekio-* | - | 30d | Malicious IPs sent by my customers |
| snort.org-* | link | 30d | IP Block List maintained by snort.org (owned by Cisco Talos) |
| stamparm-* | link | 30d | Aggregation of lists of malicious IP addresses |
Release Notes
- 2024-08-23: Added 300k malicious IP files and malicious IP by country files
- 2024-07-05: New source: projecthoneypot.org
- 2024-06-05: Whitelisting of IP addresses used by Cloudflare
- 2024-05-26: New source: binarydefense.com. Improved exploitation of isc.sans.edu with low signal IPs. Moving historical source files to the source folder.
- 2024-01-20: New sources: alienvault-ssh-bruteforce, alienvault-georgs, alienvault-fakelabs.
- 2024-01-19: New sources: stamparm, akamai.
- 2024-01-16: Whitelisting of IP addresses used by French mobile operators.
- 2023-12-26: New sources: cinsscore.com, emergingthreats.net, greensnow.co, snort.org.
- 2023-10-05: New source: isc.sans.edu.
- 2023-09-26: New sources: blocklist.de, abuseipdb.com.
- 2023-09-20: Initial release with first source: malicious-ip (github.com/duggytuxy/malicious_ip_addresses).
To support me
Contact
[FR]
Contactez-moi via LinkedIn (mon profil) pour :
- m'indiquer des faux positifs
- être notifié quand un nouveau segment de fichier est créé (pour l'ajouter dans votre pare-feu)
- me proposer d'ajouter une autre source d'adresses IP malveillantes (voir sources actuelles)
[EN]
Contact me via LinkedIn (my profile) to:
- notify me false positives
- be notified when a new file segment is created (to add it to your firewall)
- suggest I add another source of malicious IP addresses (see current sources