🕙 Last Sync: 03/27/2025 12:14 UTC
- About
- Main Lists
- Privacy Lists
- Spam Lists
- Geographical (Continents & Countries)
- Transmission (BitTorrent Client)
- Install
This repository contains a collection of dynamically updated blocklists which can be utilized to filter out traffic from communicating with your server.
These blocklists can be used with:
- ConfigServer Firewall
- FireHOL
- Crowdsec
- Transmission (BitTorrent Client)
- OPNsense
- Many others
Blocklist and statistics are updated daily, and some are updated multiple times a day depending on the category of blocklist. Others may only update once per day depending on how often they refresh.
The Severity Rating is a column shown below for each blocklist. This score is calculated depending on how many "abusive" IP addresses exist within that ipset file.
As an example, the Cloudflare CDN has a score of ★★★⚝⚝ 3 or higher, due to the fact that many people are reporting that servers hosted by Cloudflare seem to be involved in a lot of abusive activity such as port scanning and SSH bruteforce attacks. The more reports that the Ips in the Cloudflare file have, the higher the severity rating will rise. This score is based on the mean (average) report history of all IPs in the list.
This rating is calculated once a day.
These are the primary lists that most people will be interested in. They contain a large list of IP addresses which have been reported recently for abusive behavior. These statistics are gathered from numerous websites such as AbuseIPDB and IPThreat. IPs on this list have a 100% confidence level, which means you should get no false-positives from any of the IPs in these lists. IP addresses in these lists have been flagged for engaging in the following:
- SSH Bruteforcing
- Port Scanning
- DDoS Attacks
- IoT Targeting
- Phishing
For the majority of people, using the blocklists master.ipset and highrisk.ipset will be all you need. It is a massive collection, all with a 100% confidence level, which means you should get none or minimal false positives.
| Set Name | Description | Severity | View |
|---|---|---|---|
master.ipset |
Abusive IP addresses which have been reported for port scanning and SSH brute-forcing. HIGHLY recommended. Includes AbuseIPDB, IPThreat, CinsScore, GreensNow |
★★★★★ | view |
highrisk.ipset |
IPs with highest risk to your network and have a possibility that the activity which comes from them are going to be fraudulent. | ★★★★★ | view |
These blocklists give you more control over what 3rd party services can access your server, and allows you to remove bad actors or services hosting such services.
| Set | Description | Severity | View |
|---|---|---|---|
privacy_general.ipset |
Servers which scan ports for data collection and research purposes. List includes Censys, Shodan, Project25499, InternetArchive, Cyber Resilience, Internet Measurement, probe.onyphe.net, Security Trails | ★★★★⚝ | view |
privacy_ahrefs.ipset |
Ahrefs SEO and services | ★★⚝⚝⚝ | view |
privacy_amazon_aws.ipset |
Amazon AWS | ★★⚝⚝⚝ | view |
privacy_amazon_ec2.ipset |
Amazon EC2 | ★★⚝⚝⚝ | view |
privacy_applebot.ipset |
Apple Bots | ★★★⚝⚝ | view |
privacy_bing.ipset |
Microsoft Bind and Bing Crawlers / Bots | ★★⚝⚝⚝ | view |
privacy_bunnycdn.ipset |
Bunny CDN | ★★⚝⚝⚝ | view |
privacy_cloudflarecdn.ipset |
Cloudflare CDN | ★★⚝⚝⚝ | view |
privacy_cloudfront.ipset |
Cloudfront DNS | ★⚝⚝⚝⚝ | view |
privacy_duckduckgo.ipset |
DuckDuckGo Web Crawlers / Bots | ★★⚝⚝⚝ | view |
privacy_facebook.ipset |
Facebook Bots & Trackers | ★★★⚝⚝ | view |
privacy_fastly.ipset |
Fastly CDN | ★⚝⚝⚝⚝ | view |
privacy_google.ipset |
Google Crawlers | ★★⚝⚝⚝ | view |
privacy_pingdom.ipset |
Pingdom Monitoring Service | ★★⚝⚝⚝ | view |
privacy_rssapi.ipset |
RSS API Reader | ★★⚝⚝⚝ | view |
privacy_stripe_api.ipset |
Stripe Payment Gateway API | ★★⚝⚝⚝ | view |
privacy_stripe_armada_gator.ipset |
Stripe Armada Gator | ★★⚝⚝⚝ | view |
privacy_stripe_webhooks.ipset |
Stripe Webhook Service | ★★⚝⚝⚝ | view |
privacy_telegram.ipset |
Telegram Trackers and Crawlers | ★★★⚝⚝ | view |
privacy_uptimerobot.ipset |
Uptime Robot Monitoring Service | ★⚝⚝⚝⚝ | view |
privacy_webpagetest.ipset |
Webpage Test Services | ★★⚝⚝⚝ | view |
These blocklists allow you to remove the possibility of spam sources accessing your server.
| Set | Description | Severity | View |
|---|---|---|---|
spam_forums.ipset |
List of known forum / blog spammers and bots | ★★★⚝⚝ | view |
spam_spamhaus.ipset |
Bad actor IP addresses registered with Spamhaus | ★★★★⚝ | view |
These blocklists allow you to determine what geographical locations can access your server. These can be used as either a whitelist or a blacklist. Includes both continents and countries.
| Set | Description | Severity | View |
|---|---|---|---|
GeoLite2 Database |
Lists IPs by continent and country from GeoLite2 database. Contains both IPv4 and IPv6 subnets | ★★★★★ | view |
Ip2Location Database |
Coming soon | ★★★★★ | view |
This section includes blocklists which you can import into the bittorrent client Transmission.
- In this repo, copy the direct URL to the Transmission blocklist, provided below:
- Open your Transmission application; depending on the version you run, do ONE of the follow two choices:
- Paste the link to Transmission > Settings > Peers > Blocklist
- Paste the link to Transmission > Edit > Preferences > Privacy > Enable Blocklist
| Set | Description | Severity | View | Website |
|---|---|---|---|---|
bt-transmission |
A large blocklist for the BitTorrent client Transmission | ★★★★★ | view | view |
This section explains how to use these blocklists within particular software titles.
This repository contains a set of ipsets which are automatically updated every 6 hours. You may add these sets to your ConfigServer Firewall /etc/csf/csf.blocklists with the following new line:
CSF_MASTER|86400|0|https://raw.githubusercontent.com/Aetherinox/blocklists/main/blocklists/master.ipset
CSF_HIGHRISK|86400|0|https://raw.githubusercontent.com/Aetherinox/blocklists/main/blocklists/highrisk.ipset
The format for the above lines are NAME|INTERVAL|MAX_IPS|URL:
- NAME: List name with all uppercase alphabetic characters with no spaces and a maximum of 25 characters - this will be used as the iptables chain name
- INTERVAL: Refresh interval to download the list, must be a minimum of 3600 seconds (an hour).
86400(one day / 24 hours) should be more than enough
- MAX_IPS: This is the maximum number of IP addresses to use from the list, a value of 0 means all IPs.
- If you add an ipset with 50,000 IPs, and you set this value to 20,000; then you will only block the first 20,000.
- URL: The URL to download the ipset from
Note
If you have not modified the settings of ConfigServer Firewall; the MAX_IPS value is limited by the setting LF_IPSET_MAXELEM which has a maximum value of 65536 IPs; even if you set the value in your lists above to 0, or anything above 65536.
To allow for higher numbers of blocked IPs in an ipset; you must edit your CSF config file located in /etc/csf/csf.conf and set the setting LF_IPSET_MAXELEM to something higher than 65536:
# old value
# LF_IPSET_MAXELEM = "65536"
LF_IPSET_MAXELEM = "4000000"This setting can also be modified through the ConfigServer Firewall Admin WebUI if you have it installed.
Once you have added the line(s) above; you will need to give ConfigServer Firewall and LFD a restart.
sudo csf -raYou can confirm that the ipset is installed by running the command:
sudo ipset --list -nThe above command will list all existing ipsets running on your firewall. As you can see in the list below; we have bl_CSF_HIGHRISK, bl_6_CSF_HIGHRISK, bl_CSF_MASTER, and bl_6_CSF_MASTER. Which are the lists we loaded above.
chain_DENY
chain_6_DENY
chain_ALLOW
chain_6_ALLOW
bl_CSF_HIGHRISK
bl_6_CSF_HIGHRISK
bl_CSF_MASTER
bl_6_CSF_MASTERTo view all of the IPs in a specified ipset / list, run:
$ sudo ipset --list bl_CSF_HIGHRISK
Name: bl_CSF_HIGHRISK
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 4000000 bucketsize 12 initval 0x5f263e28
Size in memory: 24024
References: 1
Number of entries: 630
Members:
XX.XX.XX.XXX
XX.XX.XX.XXX
[ ... ]If you modified the ConfigServer Firewall setting LF_IPSET_MAXELEM (explained in the note above), you will see the new max limit value listed next to maxelem.
Header: family inet hashsize 1024 maxelem 4000000 Note
If you decide to use the blocklist master.ipset, you must ensure you increase the value of the setting LF_IPSET_MAXELEM in the file /etc/csf/csf.conf to at least 400000.
On average, the master.ipset list normally contains 392,000 blocked IP addresses.