stamparm / ipsum

Daily feed of bad IPs (with blacklist hit scores)
The Unlicense
1.61k stars 146 forks source link
blacklist ipset iptables security threats

Logo

License

About

IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Greater the number, lesser the chance of false positive detection and/or dropping in (inbound) monitored traffic. Also, list is sorted from most (problematic) to least occurent IP addresses.

As an example, to get a fresh and ready-to-deploy auto-ban list of "bad IPs" that appear on at least 3 (black)lists you can run:

curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1

If you want to try it with ipset, you can do the following:

sudo su
apt-get -qq install iptables ipset
ipset -q flush ipsum
ipset -q create ipsum hash:ip
for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add ipsum $ip; done
iptables -D INPUT -m set --match-set ipsum src -j DROP 2>/dev/null
iptables -I INPUT -m set --match-set ipsum src -j DROP

In directory levels you can find preprocessed raw IP lists based on number of blacklist occurrences (e.g. levels/3.txt holds IP addresses that can be found on 3 or more blacklists).

Wall of Shame (2024-12-05)

IP DNS lookup Number of (black)lists
218.92.0.218 - 9
218.92.0.223 - 9
218.92.0.226 - 9
218.92.0.227 - 9
218.92.0.230 - 9
218.92.0.232 - 9
218.92.0.233 - 9
37.44.238.68 ssd5-5196.9995 8
45.148.10.203 - 8
79.137.202.88 flippant-love.aeza.network 8
218.92.0.111 - 8
218.92.0.198 - 8
218.92.0.216 - 8
218.92.0.217 - 8
218.92.0.219 - 8
218.92.0.220 - 8
218.92.0.221 - 8
218.92.0.222 - 8
218.92.0.225 - 8
218.92.0.228 - 8
218.92.0.229 - 8
218.92.0.231 - 8
218.92.0.235 - 8
218.92.0.236 - 8
218.92.0.237 - 8
195.178.110.6 - 8
203.81.86.34 - 8
47.236.115.10 - 8
2.57.122.32 - 7
2.57.122.33 - 7
45.148.10.46 - 7
92.255.85.188 - 7
92.255.85.189 - 7
141.98.10.198 1rja.talonted.eu.com 7
157.230.83.38 - 7
162.142.125.212 scanner-05.ch1.censys-scanner.com 7
178.160.195.60 - 7
202.95.12.147 - 7
218.92.0.112 - 7
218.92.0.114 - 7
103.164.9.147 - 7
14.103.165.154 - 7
182.215.66.232 - 7
36.138.238.230 - 7
47.237.24.160 - 7