RJM Blocklist: Recently Malicious IP Addresses
Keeping a server safe and secure against hacking, cracking, hijacking, data breaches, and other forms of cybercrime is a vital part of Internet security. One of the many ways we approach this responsibility is by maintaining lists of IP addresses that have recently been used by hackers, crackers, script kiddies, identity thieves, and other Internet miscreants, and loading them into our firewalls to prevent those bad actors from accessing our systems. These lists are commonly referred to as blocklists.
This site offers a set of malicious IP address blocklists that I assemble from data collected from servers that I personally manage. After years of fending off thousands of human and robotic miscreants every day, I decided to do something useful with the data by making the malicious IP addresses public so others could add them to their firewalls.
This site was designed with CSF Firewall in mind specifically because that's the one I use most often, but the lists should work with any firewall that's capable of importing IP addresses from plain text files.
The addresses on the lists were caught red-handed, as it were, engaging in malicious activity against this and other servers that I personally manage, including the following kinds of behaviors:
- Port scanning for vulnerable service ports.
- Multiple failed attempts to access password-protected pages.
- Multiple failed attempts to access password-protected services (SSH, FTP, SMTP, MS SQL, etc.).
- Multiple failed cPanel login attempts.
- Attempts to sniff out and access common CMS login pages (wp-admin.php, xmlrpc.php, etc.).
Please be advised that because many of these addresses are public proxies or hacked machines, they are highly ephemeral and should be purged or updated often. If you don't, then eventually you will wind up blocking legitimate traffic.
How Are These Blocklists Compiled?
All of these IP addresses are gathered from servers that I personally own or manage, using two methods.
The first method (and the source of most of the IP's on these lists) is by using a CSF feature by which it can execute an external script when an IP address is blocked for malicious behavior. I wrote a simple script that captures the details of every block event and stores them in a database. It also reports blocked IP addresses in real time to AbuseIPDB, who also maintain lists of IP addresses that are being used maliciously.
The second way the IP addresses in my lists are gathered is by a large number of honeypots that I've placed on sites that I own or manage. These honeypots intercept requests made to commonly-used CMS and forum login and administration pages that don't exist on the sites on which they're installed, as well as on currently-popular hacking targets. Because the pages don't really exist, anyone sniffing around for them is up to no good. I record all those hits, store them in the database with the reports generated by CSF, and use them to compile the lists on this site (in addition to reporting them to AbuseIPDB).
My army of honeypots is one of the things that makes my blocklists different. Because I install them only on sites that I personally hand-coded and manage (and which I therefore know will never contain legitimate CMS login pages), they trap a great many miscreants who otherwise wouldn't have been caught.
Why Another Blocklist Site?
It's been my experience that recency is very important when using IP blocklists, so I wanted to build lists where recency was the focus. Every day, the database that feeds this site is pruned of all entries more than a few days old. That means that if an IP address behaves itself, it will soon be rehabilitated and will automatically disappear from my lists. (If it keeps misbehaving, on the other hand, it will stay on the lists.)
This is very important because most IP addresses used for malicious activities are either public proxies or hijacked addresses (for example, an IP belonging to a computer that's infected with a virus). Because of this, an IP address that's being abused today may be acting honorably tomorrow.
IP addresses also change owners regularly. Many business and most residential IP addresses are dynamically assigned and may change at any time. Even static server IP addresses change (for example, when the server is moved to a new provider or datacenter). As someone who has had to clean up bad reputations earned by previous users of my IP addresses, I understand the value of automatic rehabilitation. That's another reason why IP addresses don't stay on my lists for very long if they behave themselves.
At this time, I offer two free IP blocklists that are available to anyone in the Interwebs-connected world, with no registration required.
Consolidated Bad IP List
The first free list is the Consolidated Bad IP List. It is generated once daily at 18:00 UTC and contains the 250 most recent IP addresses that engaged in confirmed malicious activities of any kind toward one of my servers as of the time the list was generated. Note that these are not necessarily the "worst" attackers, just the most recent. Most of these IP's engaged in SSH attacks or distributed SSH attacks. You can download or view the free list at https://www.rjmblocklist.com/free/badips.txt.
Web App Attack List
The Web App Attack List consists of all the IP addresses that engaged in Web-based attacks against my servers within the past 48 hours, sorted by recency. These IP addresses either were sniffing for a non-existent WordPress, cPanel, Webmin, or other well-known login page and hit one of my honeypots instead; or tried to brute-force their way into actual login pages. This list is updated once a day at 00:00 UTC. You can download or view the Web Attack List at https://www.rjmblocklist.com/free/webattack.txt.
Please don't download the free lists more than once a day (86400 seconds). They only change once a day, so downloading them more often than that would be silly and a waste of my server resources.
You can learn more about how to use these lists with CSF Firewall here. These lists may also work with some freestanding firewall routers, but you'll have to consult the documentation or check with the router's manufacturer about how to do it.
I also offer paid blocklists that are intended for use by servers with static IP addresses and running CSF Firewall or other firewalls that are able to import text files of IP addresses.
Fresh IP's List
The Fresh IP's list is generated once every hour at 15 minutes past the hour. It contains up to the most recent 2,000 malicious IP addresses as of the time it was generated, sorted in order of recency (newest first). The emphasis is on freshness, not the type of attack. Most of the IP's in this list will have been guilty of SSH or distributed SSH attacks, but it also includes attacks on FTP, SMTP, and Web apps.
Worst IP's List
The Worst IP's List is updated every hour on the half-hour. It contains the IP addresses of up to 50 of the worst IP addresses as measured by number of attacks on my servers since the last list was generated. It is sorted by the number of attacks (most attacks first) without regard to what kinds of attacks were attempted. These IP's have the highest degree of certainty of malicious activity and almost no false positives as determined by checking them against other blocklists.
The cost for access to the paid lists is USD $20.00 / year per server IP address. Once your server's IP is approved to access the list, you can set it as a blocklist in CSF similarly to the example given for the free list, except with a different URL that will be given to you when your account is set up. You also will be free to have the licensed server download the text files using cURL or wget and to then redistribute them to other servers in your organization once they're downloaded.
Paid subscribers will also receive access to any other specialized blocklists that I may introduce.
If you want access to the paid lists, I will need the static IP address of the server that will be making the requests. Please send a payment of USD $20.00 to https://paypal.me/RJMWebDesign/20 with the server's IP address in the "Add a Note" field. This is very important. I cannot enable access for you without the server's IP address.
Upon receipt of your payment, I will set up your access and send you the links to the paid lists by email within one business day. Your access will expire 12 months from the date of activation.
What Makes The Paid Blocklists Different?
Basically, two things.
The first difference is freshness. The freshest IP addresses on the paid lists will have been blocked by my server's firewall within minutes or seconds from when the list was generated.
The second difference is that the list will contain IP addresses that hit on any of more than a hundred honeypots scattered about my servers. These honeypots include common login pages for CMS scripts or server admin GUI's, as well as currently-popular targets for miscreants sniffing out vulnerabilities. These bad actors are placed on the list after a single attempt. There's no legitimate reason to be sniffing out a login or administration page on a site or server that one doesn't own.
Finally, as mentioned previously, an IP address doesn't stay on these lists for long if it behaves itself. That helps avoid blocking legitimate traffic.
If you would like a free trial of the paid lists, please send me an email with your server's IP address. Address the email to webmaster [at] this domain [dot] com. Thank you for your interest.