RJM Blocklist: Recently Malicious IP Addresses
Keeping a server safe and secure against hacking, cracking, hijacking, data breaches, and other forms of cybercrime is a vital part of Internet security. One of the many ways we approach this responsibility is by maintaining lists of IP addresses that have recently been used by hackers, crackers, script kiddies, identity thieves, and other Internet miscreants, and loading them into our firewalls to prevent those bad actors from accessing our systems. These lists are commonly referred to as blocklists.
This site offers a set of malicious IP address blocklists that I assemble from data collected from servers that I personally manage. After years of fending off thousands of human and robotic miscreants every day, I decided to do something useful with the data by making the malicious IP addresses public so others could add them to their firewalls.
This site was designed with CSF Firewall in mind specifically because that's the one I use most often, but the lists should work with any firewall that's capable of importing IP addresses from plain text files.
The addresses on the lists were caught red-handed, as it were, engaging in malicious activity against this and other servers that I personally manage, including the following kinds of behaviors:
- Port scanning for vulnerable service ports.
- Multiple failed attempts to access password-protected pages.
- Multiple failed attempts to access password-protected services (SSH, FTP, SMTP, MS SQL, etc.).
- Multiple failed cPanel or Webmin login attempts.
- Attempts to sniff out and access common CMS login pages (wp-admin.php, xmlrpc.php, etc.).
Please be advised that because many of these addresses are public proxies or hacked machines, they are highly ephemeral and should be purged or updated often. If you don't, then eventually you will wind up blocking legitimate traffic.
How Are These Blocklists Compiled?
All of these IP addresses are gathered from servers that I personally own or manage, using two methods.
The first method (and the source of most of the IPs on these lists) uses a CSF feature that can execute an external script when an IP address is blocked for malicious behavior. I wrote a simple script that captures the details of every block event and stores them in a database. It also reports blocked IP addresses in real time to AbuseIPDB, which also maintains lists of IP addresses that are being used maliciously.
The second way the IP addresses in my lists are gathered is by a large number of honeypots that I've placed on sites that I own or manage. These honeypots intercept requests for commonly-used CMS and forum login and administration pages that don't exist on the sites on which they're installed, as well as for whatever other paths are currently popular hacking targets. Because the pages don't really exist, anyone sniffing around for them is up to no good. I record all those hits, store them in the database alongside the reports generated by CSF, and use them to compile the lists on this site (in addition to reporting them to AbuseIPDB).
My army of honeypots is one of the things that makes my blocklists different. Because I install them only on sites that I personally hand-coded and manage (and which I therefore know will never contain legitimate CMS login pages), they trap a great many miscreants who otherwise wouldn't have been caught.
Why Another Blocklist Site?
It's been my experience that recency is very important when using IP blocklists, so I wanted to build lists where recency was the focus. Every day, the database that feeds this site is pruned of all entries more than a few days old. That means that if an IP address behaves itself, it will soon be rehabilitated and will automatically disappear from my lists. (If it keeps misbehaving, on the other hand, it will stay on the lists.)
This is very important because most IP addresses used for malicious activities are either public proxies or hijacked addresses (for example, an IP belonging to a computer that's infected with a virus). Because of this, an IP address that's being abused today may be acting honorably tomorrow.
IP addresses also change owners regularly. Many business and most residential IP addresses are dynamically assigned and may change at any time. Even static server IP addresses change (for example, when the server is moved to a new provider or datacenter). As someone who has had to clean up bad reputations earned by previous users of my IP addresses, I understand the value of automatic rehabilitation. That's another reason why IP addresses don't stay on my lists for very long if they behave themselves.
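The two collection methods and the daily pruning described above can be sketched end to end. The following is an added example, not the site's own code: it stores lfd block reports (using the argument order CSF documents for a BLOCK_REPORT script in csf.conf, which you should verify against your own copy), records honeypot hits in the same SQLite table, builds the form fields an AbuseIPDB report would carry without sending anything, ages entries out after a retention window, and derives a newest-first view and a most-attacks-first view of the kind the lists on this site provide. The schema, function names, the three-day window and the trigger-to-category mapping are assumptions of this example.

```python
"""Added example: a minimal back end for a recency-focused blocklist.

Not the site's own code. Function names, schema, the retention window and
the CSF BLOCK_REPORT argument order are assumptions of this example.
"""
import ipaddress
import sqlite3

DAY = 86400
RETENTION_SECONDS = 3 * DAY  # "a few days"; the real window is not stated

# AbuseIPDB category IDs from their published category list, keyed by the
# lfd setting that triggered the block.  The mapping itself is an assumption.
ABUSEIPDB_CATEGORY = {
    "LF_SSHD": 22,      # SSH
    "LF_FTPD": 5,       # FTP Brute-Force
    "LF_SMTPAUTH": 18,  # Brute-Force
    "PS_LIMIT": 14,     # Port Scan
    "HONEYPOT": 21,     # Web App Attack
}


def open_db(path=":memory:"):
    """Open (or create) the event store; in-memory by default for the demo."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS block_events ("
        "ip TEXT NOT NULL, trigger_setting TEXT NOT NULL, "
        "reason TEXT, seen_at INTEGER NOT NULL)"
    )
    return conn


def _insert(conn, ip, trigger, reason, now):
    # ipaddress normalises the text form and raises ValueError on anything
    # that is not an address, so a malformed argument never reaches the table.
    addr = str(ipaddress.ip_address(ip.strip()))
    conn.execute(
        "INSERT INTO block_events VALUES (?, ?, ?, ?)",
        (addr, trigger, reason, int(now)),
    )
    return addr


def record_block_report(conn, argv, now):
    """argv mirrors the parameters CSF passes to a BLOCK_REPORT script
    (assumed order): ip, ports, permanent, inout, timeout, message, logs, trigger."""
    if len(argv) < 8:
        raise ValueError("expected 8 BLOCK_REPORT arguments")
    ip, _ports, _perm, _inout, _timeout, message, _logs, trigger = argv[:8]
    return _insert(conn, ip, trigger, message, now)


def record_honeypot_hit(conn, ip, path, now):
    """A request for a login/admin page that does not exist on the site."""
    return _insert(conn, ip, "HONEYPOT", f"probe for {path}", now)


def abuseipdb_report(ip, trigger, comment):
    """Form body for AbuseIPDB's report endpoint; no request is sent here."""
    return {
        "ip": ip,
        "categories": str(ABUSEIPDB_CATEGORY.get(trigger, 15)),  # 15 = Hacking
        "comment": comment,
    }


def prune(conn, now):
    """Self-rehabilitation: forget every event older than the window."""
    cur = conn.execute(
        "DELETE FROM block_events WHERE seen_at < ?",
        (int(now) - RETENTION_SECONDS,),
    )
    conn.commit()
    return cur.rowcount


def fresh_ips(conn, limit=2500):
    """Most recently seen addresses, newest first, each listed once."""
    rows = conn.execute(
        "SELECT ip FROM block_events GROUP BY ip "
        "ORDER BY MAX(seen_at) DESC, ip LIMIT ?",
        (limit,),
    )
    return [r[0] for r in rows]


def worst_ips(conn, since, limit=50):
    """Addresses ranked by number of events since `since`, most first."""
    rows = conn.execute(
        "SELECT ip, COUNT(*) AS n FROM block_events WHERE seen_at >= ? "
        "GROUP BY ip ORDER BY n DESC, ip LIMIT ?",
        (int(since), limit),
    )
    return [(r[0], r[1]) for r in rows]


if __name__ == "__main__":
    db = open_db()
    t0 = 1_700_000_000  # constructed timestamp
    # Constructed sample events, not real data.
    record_block_report(db, ["203.0.113.9", "22", "0", "in", "3600",
                             "(sshd) Failed SSH login", "", "LF_SSHD"], t0)
    record_honeypot_hit(db, "198.51.100.7", "/wp-login.php", t0 + 60)
    print("fresh:", fresh_ips(db))
    print("worst:", worst_ips(db, t0))
    print("report:", abuseipdb_report("203.0.113.9", "LF_SSHD", "SSH brute force"))
```

In production the script would be invoked by lfd once per block, so each run opens the database, inserts one row and exits; the prune and the two views would run from cron on the schedules described on this page.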
At this time, I offer four free IP blocklists that are available to anyone in the Interwebs-connected world, with no registration required.
You can learn more about how to use these lists with CSF Firewall here. These lists may also work with some freestanding firewall routers, but you'll have to consult the documentation or check with the router's manufacturer about how to do it.
Consolidated Bad IP List
The first free list is the Consolidated Bad IP List. It is generated once daily at 18:00 UTC and contains the 250 most recent IP addresses that engaged in confirmed malicious activities of any kind toward one of my servers as of the time the list was generated. Note that these are not necessarily the "worst" attackers, just the most recent. Most of these IPs engaged in SSH attacks or distributed SSH attacks. You can download or view the free list at https://rjmblocklist.com/free/badips.txt.
Web App Attack List
The Web App Attack List consists of all the IP addresses that engaged in Web-based attacks against my servers within the past 48 hours, sorted by recency. These IP addresses either were sniffing for a non-existent WordPress, cPanel, Webmin, or other well-known login page and hit one of my honeypots instead; or tried to brute-force their way into actual login pages. This list is updated once a day at 00:00 UTC. You can download or view the Web App Attack List at https://rjmblocklist.com/free/webattack.txt.
Please don't download the above lists more than once a day (86400 seconds). They only change once a day, so downloading them more often than that would be silly and a waste of my server resources.
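Before an imported list reaches a firewall it is worth validating, because a single bad line can block a private network or your own address range. The following added example (my code, not the site's) parses one of these plain-text lists, drops malformed lines, private and local ranges, duplicates and anything on an allowlist, turns the survivors into an ipset restore script, and checks whether the once-a-day download limit has elapsed since the cached copy was fetched. Function names, the set name and the sample list are constructed for the example.

```python
"""Added example: validate a plain-text IP blocklist before loading it.

Nothing here is the site's own code; names are this example's own.
"""
import ipaddress
import os
import time

MIN_REFRESH_SECONDS = 86400  # the daily lists change once a day

# Ranges that must never end up in a block set, whatever the list says:
# RFC 1918, loopback, link-local and IPv6 ULA.  Documentation ranges are
# deliberately left out so that constructed samples like 203.0.113.9 pass.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def refresh_due(last_fetch, now, min_interval=MIN_REFRESH_SECONDS):
    """True once at least min_interval seconds have passed since last_fetch."""
    return now - last_fetch >= min_interval


def cache_is_stale(cache_path, now=None, min_interval=MIN_REFRESH_SECONDS):
    """Same test against a cached copy's mtime; a missing cache is stale."""
    now = time.time() if now is None else now
    try:
        return refresh_due(os.path.getmtime(cache_path), now, min_interval)
    except OSError:
        return True


def parse_blocklist(text, allowlist=()):
    """Split raw list text into (accepted addresses, rejected (line, text, why)).

    The allowlist is for your own addresses and management networks: a list
    built from proxies and hijacked hosts will eventually contain something
    you depend on, and the firewall should never learn it from this path.
    """
    allow_nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # tolerate trailing comments
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            rejected.append((lineno, line, "not an IP address"))
            continue
        if (addr.is_multicast or addr.is_unspecified
                or any(addr in n for n in NEVER_BLOCK)):
            rejected.append((lineno, line, "never-block range"))
            continue
        if any(addr in n for n in allow_nets):
            rejected.append((lineno, line, "allowlisted"))
            continue
        if addr in seen:
            rejected.append((lineno, line, "duplicate"))
            continue
        seen.add(addr)
        accepted.append(addr)
    return accepted, rejected


def ipset_restore_script(addrs, setname="rjm_badips"):
    """Lines for `ipset restore`: one hash:ip set per address family."""
    v4 = [a for a in addrs if a.version == 4]
    v6 = [a for a in addrs if a.version == 6]
    lines = [f"create {setname} hash:ip family inet"]
    lines += [f"add {setname} {a}" for a in v4]
    if v6:
        lines.append(f"create {setname}6 hash:ip family inet6")
        lines += [f"add {setname}6 {a}" for a in v6]
    return "\n".join(lines) + "\n"


# Constructed sample in the lists' plain-text shape (not real list content).
SAMPLE_LIST = """# constructed sample
203.0.113.9
203.0.113.9
192.168.1.5
not.an.ip
2001:db8::1
203.0.113.42   # our own monitoring host
"""

if __name__ == "__main__":
    good, bad = parse_blocklist(SAMPLE_LIST, allowlist=["203.0.113.42/32"])
    for lineno, text, why in bad:
        print(f"line {lineno}: skipped {text!r} ({why})")
    print(ipset_restore_script(good), end="")
```

Feed the output to `ipset restore -exist` so that re-applying the same list each day neither fails on the existing set nor duplicates entries, and point an iptables rule at the set rather than rewriting individual rules per address.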
Fresh IP's List
The Fresh IP's list is generated once every hour at 15 minutes past the hour. It contains up to 2,500 of the most recent malicious IP addresses as of the time it was generated, sorted in order of recency (newest first). The emphasis is on freshness, not the type of attack. Most of the IPs in this list will have been guilty of SSH or distributed SSH attacks, but it also includes attacks on FTP, SMTP, Web apps, and more. You can download or view the Fresh IP's list at https://rjmblocklist.com/sizzling/freships.txt.
This used to be a paid list; but in the interest of Internet safety in the face of increased malicious activity, I have decided to make it free for the time being. If you choose to use the Fresh IP's list, please consider making a contribution. Also, please do not download this list more than once every hour.
Worst IP's List
The Worst IP's List is updated every hour on the half-hour. It contains up to 50 of the worst IP addresses as measured by the number of attacks on my servers since the last list was generated. It is sorted by the number of attacks (most attacks first) without regard to what kinds of attacks were attempted. These IPs have the highest degree of certainty of malicious activity and almost no false positives, as determined by checking them against other blocklists. You can download or view the Worst IP's list at https://rjmblocklist.com/sizzling/worst.txt.
Like the Fresh IP's list, this used to be a paid list. In the interest of Internet safety in the face of increased malicious activity, I have decided to make it free for the time being. If you choose to use the Worst IP's list, please consider making a contribution. Also, please do not download this list more than once every hour.
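As an added example that is not from the site's own CSF instructions, here is how the four lists could be declared in CSF's /etc/csf/csf.blocklists, whose header documents the line format as NAME|INTERVAL|MAX|URL (an uppercase name of at most 25 letters, a refresh interval in seconds of at least 3600, the maximum number of addresses to use with 0 meaning all, and the download URL). The names are my own choice; the intervals match the download limits given above, 86400 seconds for the two daily lists and 3600 for the two hourly ones.

```text
# Added example entries for /etc/csf/csf.blocklists (not the site's own documentation).
# Format: NAME|INTERVAL|MAX|URL
RJMBAD|86400|0|https://rjmblocklist.com/free/badips.txt
RJMWEB|86400|0|https://rjmblocklist.com/free/webattack.txt
RJMFRESH|3600|0|https://rjmblocklist.com/sizzling/freships.txt
RJMWORST|3600|0|https://rjmblocklist.com/sizzling/worst.txt
```

After editing the file, restart csf and lfd so the new lists are fetched; lfd then refreshes each list on its own interval, which keeps you within the once-a-day and once-an-hour limits without any extra cron job.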
As mentioned previously, all of the above lists are self-rehabilitating. IP addresses that behave themselves for a few days are automatically removed and given a fresh start.