Free Blocklists of Recently Malicious IP Addresses
Keeping a server safe and secure against hacking, cracking, hijacking, data breaches, and other forms of cybercrime is a vital part of Internet security.
One of the many ways we approach this responsibility is by maintaining lists of IP addresses that have recently been used by hackers, crackers, script kiddies, identity thieves, and other Internet miscreants, and loading them into our firewalls to prevent those bad actors from accessing our systems. These lists are commonly referred to as blocklists.
This site provides several free blocklists of malicious IP addresses compiled from data collected by servers that I personally own or manage. Simply stated, when an IP address engages in malicious conduct against any of the machines, the event is recorded in the database and the IP address is added to the blocklist.
This endeavor began as a way for all of my computers and servers to share with each other information about misbehaving IP addresses that they had collected from their firewalls, spam filters, and other sources. Originally, only the machines in that cohort had access to the lists.
After years of fending off thousands of human and robotic miscreants every day, I decided to make the malicious IP addresses public so others could add them to their firewalls. Originally there were two sets of lists: one free set, and one set available by paid subscription.
More recently, in the face of ever-increasing frequency and severity of malicious Internet activity, I decided to make all of my blocklists free. It just seemed like the right thing to do. If you find my blocklists useful, however, please consider buying me a coffee.
Which Firewalls Can Use These Lists?
The collection scripts, the blocklists, and this site were all written with ConfigServer Security and Firewall (CSF) in mind because that's the one I use most often. The lists should work fine with any firewall that's capable of importing IP addresses from plain text files, however.
How Are These Blocklists Compiled?
The addresses on the lists were caught red-handed, as it were, engaging in malicious activity against this and other servers that I personally manage, including the following kinds of behaviors:
- Port scanning for vulnerable service ports.
- Multiple failed attempts to access password-protected pages.
- Multiple failed attempts to access password-protected services (SSH, FTP, SMTP, MS SQL, etc.).
- Multiple failed cPanel or Webmin login attempts.
- Attempts to sniff out and access common CMS login pages (wp-admin.php, xmlrpc.php, etc.).
Please be advised that because many of these addresses are public proxies or hacked machines, they are highly ephemeral and should be purged or updated often. If you don't, then eventually you will wind up blocking legitimate traffic.
All of these IP addresses are gathered from servers, computers, and routers that I personally own or manage, using three methods.
1. CSF Firewall
The first method is by using a CSF feature that can execute an external script when an IP address is blocked for malicious behavior. I wrote a simple PHP script that captures the details of every block event and stores them in a database. It also reports blocked IP addresses in real time to AbuseIPDB, who also maintain lists of IP addresses that are being used maliciously.
2. CMS Honeypots
The second way the IP addresses in my lists are gathered is by a large number of honeypots that I've placed on sites that I own or manage. These honeypots intercept requests made to commonly-used CMS (Content Management System) and forum login and administration pages that don't exist on the sites on which they're installed, as well as on pages with current vulnerabilities.
Because the pages don't exist on the sites where the honeypots are installed, requests for those pages are redirected to scripts that record the IP addresses and add them to the database with the reports generated by CSF. They're also reported to AbuseIPDB in real time.
My army of honeypots is one of the things that makes my blocklists different. Because I install them only on sites that I personally hand-coded and manage (and which I therefore know will never contain legitimate CMS login pages), they trap a great many malicious IP addresses that otherwise would not have been caught.
3. Form Mail Honeypots
I have sites that exist for the sole purpose of hosting Web forms to trap spammers. These sites have graphics that actually warn humans that the forms are spam traps. Any submission on the forms, therefore, is from a spambot. Submissions are recorded and added to the database, and also reported in real time to AbuseIPDB.
4. Spam Filters on Production Web Forms
The last method by which these lists are compiled is the spam filters on actual Web sites that I own or maintain. When the filters determine with a high degree of confidence that a form submission is spam, the IP address of the submitter is added to the database and reported in real time to AbuseIPDB.
What Makes My Blocklists Different?
In a nutshell, it's because my blocklists are fresh, have very low false-positive rates, and are self-rehabilitating. All of the IP addresses in my lists were caught in the act by machines that I control, so I know they were guilty. But if they cease and desist from malicious activity for 96 hours, they will automatically be removed from the lists.
It's been my experience that recency is very important when using IP blocklists. Most malicious Internet activity is committed by individuals who have hijacked servers and computers that don't belong to them. Once the malicious activity is detected by the machine's owner, they fix the problem so the machine isn't carrying out mischief anymore.
Unfortunately, some blocklist maintainers leave IP addresses on their lists forever (or at least until a persuasive case is made for their removal). That means that even after the problem has been fixed, the IP's user (or another person down the line who inherits the IP) will still be treated like a hacker, spammer, scammer, etc.
I've inherited a few of those IP addresses with bad reputations, so I coded my scripts to automatically remove and rehabilitate IP addresses once they are no longer acting maliciously. If an IP address behaves itself for 96 hours, it will be rehabilitated and automatically disappear from my lists. (If it keeps misbehaving, on the other hand, it will stay on the lists.)
Free Internet Firewall Blocklists
At this time, I offer four free IP blocklists that are available to anyone in the Interwebs-connected world, with no registration required.
You can learn more about how to use these lists with CSF Firewall here. These lists may also work with some freestanding firewall routers, but you'll have to consult the documentation or check with the router's manufacturer about how to do it.
1. Fresh IP's List
The Fresh IP's list is the largest and most current list. It is generated once every hour at 15 minutes past the hour. It contains up to 5,000 of the most recent malicious IP addresses as of the time it was generated, sorted in order of recency (newest first). Most of the IPs in this list will have been guilty of SSH or distributed SSH attacks, but it also includes attacks on FTP, SMTP, Web apps, and more. You can download or view the Fresh IP's list at https://rjmblocklist.com/sizzling/freships.txt.
Most servers should not download all 5,000 entries. That's an awful lot of IP addresses for the firewall to run through. A limit of 500 to 1,000 is probably more reasonable. But that's up to you to decide.
This used to be a paid list. If you choose to use the Fresh IP's list, please consider buying me a cup of coffee. Please do not download this list more than once every hour.
2. Worst IP's List
The Worst IP's List is updated every hour on the half-hour. It contains up to 50 of the worst IP addresses as measured by the number of attacks on my servers since the last list was generated. It is sorted by the number of attacks (most attacks first) without regard to what kinds of attacks were attempted. These IPs have the highest degree of certainty of malicious activity and include no false positives. You can download or view the Worst IP's list at https://rjmblocklist.com/sizzling/worst.txt.
Like the Fresh IP's list, this used to be a paid list, but now it is free.
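The list-building rules described above (an address drops off after 96 hours of silence, the Fresh list is newest first and capped at 5,000, the Worst list is ranked by attack count since the previous run and capped at 50), reconstructed as an added Python example; this is not the site's own PHP code, and the event records are constructed sample data:

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

REHAB_WINDOW = timedelta(hours=96)   # 96 h of silence and an address drops off the lists
FRESH_CAP = 5000                     # Fresh IP's list: up to 5,000 newest addresses
WORST_CAP = 50                       # Worst IP's list: up to 50 noisiest addresses

def fresh_list(events, now, cap=FRESH_CAP):
    """Unique IPs with at least one event inside the rehab window, newest sighting first.
    events: iterable of (ip, datetime) pairs, as a block-event database might hold them."""
    latest = {}
    for ip, seen in events:
        if now - seen > REHAB_WINDOW:
            continue                          # no activity for 96 h: rehabilitated
        if ip not in latest or seen > latest[ip]:
            latest[ip] = seen                 # keep each IP's most recent sighting
    ranked = sorted(latest, key=lambda ip: latest[ip], reverse=True)
    return ranked[:cap]

def worst_list(events, since, now, cap=WORST_CAP):
    """IPs ranked by number of events since the previous generation, busiest first."""
    hits = Counter(ip for ip, seen in events if since < seen <= now)
    return [ip for ip, _ in hits.most_common(cap)]

# Constructed sample events (ip, time seen); not real data from the site's database.
NOW = datetime(2024, 1, 10, 12, 15, tzinfo=timezone.utc)       # this generation run
LAST_RUN = NOW - timedelta(hours=1)                             # previous generation run
SAMPLE_EVENTS = [
    ("203.0.113.9", NOW - timedelta(minutes=2)),      # newest sighting, but only one hit
    ("198.51.100.7", NOW - timedelta(minutes=5)),     # three hits in the last hour
    ("198.51.100.7", NOW - timedelta(minutes=20)),
    ("198.51.100.7", NOW - timedelta(minutes=40)),
    ("203.0.113.9", NOW - timedelta(hours=3)),        # older hit: not counted for Worst
    ("192.0.2.44", NOW - timedelta(hours=100)),       # silent for >96 h: rehabilitated
]

if __name__ == "__main__":
    print("fresh:", fresh_list(SAMPLE_EVENTS, NOW))            # newest first
    print("worst:", worst_list(SAMPLE_EVENTS, LAST_RUN, NOW))  # busiest first
```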
3. Web App Attack List
The Web App Attack List has always been a free list. It is a deduplicated list of the most recent IP addresses that engaged specifically in attacks targeting Web apps like WordPress and other CMS systems. Most of these IP addresses were sniffing for WordPress, cPanel, Webmin, or other well-known CMS login pages or other sensitive files, and hit one of my honeypots or hacker traps instead. This list is updated hourly and can be viewed or downloaded at https://rjmblocklist.com/free/webattack.txt. Because it's compiled from targeted attack attempts, it's probably the most useful of my lists if your site(s) use WordPress or other content-management systems.
4. Consolidated Bad IP List
The Consolidated Bad IP List has always been a free blocklist. It is generated once daily at 18:00 UTC and contains the 250 most recent IP addresses that engaged in confirmed malicious activities of any kind toward one of my servers as of the time the list was generated. It uses the same inclusion criteria as the Fresh IP's List, but is shorter and is only updated once a day. You can download or view this list at https://rjmblocklist.com/free/badips.txt.
Please don't download the first three lists more often than once per hour (3600 seconds), nor the last list more than once a day (86400 seconds). That's as often as they update, so downloading them more frequently is just a waste of my server resources.
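Consuming the lists the way this page asks (trim the Fresh list to a reasonable size, discard anything that is not an IP address, and never re-download before the list's update interval has elapsed), as an added Python example rather than anything from the site; the URLs and intervals are the ones given above, the 1,000 limit is the page's suggestion, and the sample list text is constructed:

```python
import ipaddress
import time
import urllib.request

# Name -> (URL, update interval in seconds, number of entries to keep; 0 = all).
# URLs and intervals are from the page; 1000 is the page's suggested Fresh-list limit.
LISTS = {
    "freships": ("https://rjmblocklist.com/sizzling/freships.txt", 3600, 1000),
    "worst": ("https://rjmblocklist.com/sizzling/worst.txt", 3600, 0),
    "webattack": ("https://rjmblocklist.com/free/webattack.txt", 3600, 0),
    "badips": ("https://rjmblocklist.com/free/badips.txt", 86400, 0),
}

def parse_blocklist(text, limit=0):
    """Return valid, unique IPv4/IPv6 addresses in list order (newest first for the
    Fresh list); limit=0 keeps everything. Junk lines are dropped, never loaded."""
    kept, seen = [], set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()   # tolerate blank and comment lines
        if not token:
            continue
        try:
            ip = str(ipaddress.ip_address(token))
        except ValueError:
            continue                            # not an address: skip it
        if ip not in seen:
            seen.add(ip)
            kept.append(ip)
        if limit and len(kept) >= limit:
            break
    return kept

def due_for_refresh(last_fetch, interval, now=None):
    """True only when a full update interval has elapsed since the last download."""
    now = time.time() if now is None else now
    return last_fetch is None or now - last_fetch >= interval

def fetch_list(name, last_fetch=None):
    """Download one list if it is due, else return None without touching the server."""
    url, interval, limit = LISTS[name]
    if not due_for_refresh(last_fetch, interval):
        return None
    with urllib.request.urlopen(url, timeout=30) as resp:
        return parse_blocklist(resp.read().decode("utf-8", "replace"), limit)

# Constructed sample of what a downloaded list might look like, including junk lines.
SAMPLE_TEXT = "203.0.113.9\n203.0.113.9\nnot-an-ip\n\n198.51.100.7 # note\n2001:db8::1\n"

if __name__ == "__main__":
    print(parse_blocklist(SAMPLE_TEXT, limit=2))   # ['203.0.113.9', '198.51.100.7']
```

Persist the last fetch time (for example in a small state file written by your cron job) and pass it to fetch_list so the hourly and daily limits survive restarts.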
As mentioned previously, all of the above lists are self-rehabilitating. IP addresses that behave themselves for a few days are automatically removed and given a fresh start.