Malicious IPs or IP ranges

They are in different formats.

General/Combined
https://www.binarydefense.com/banlist.txt
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset
https://lists.blocklist.de/lists/all.txt

Botnets
https://sslbl.abuse.ch/blacklist/sslipblacklist.txt
https://feodotracker.abuse.ch/downloads/ipblocklist.txt

Spamhaus DROP lists (Don't Route Or Peer)
https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt
https://www.spamhaus.org/drop/dropv6.txt

Allegedly missing IPs in other lists
https://ozgur.kazancci.com/ban-me.txt

SSH attackers
https://lists.blocklist.de/lists/22.txt
https://lists.blocklist.de/lists/ssh.txt
https://lists.blocklist.de/lists/bruteforcelogin.txt

FTP attackers
https://lists.blocklist.de/lists/21.txt
https://lists.blocklist.de/lists/ftp.txt
https://lists.blocklist.de/lists/proftpd.txt

HTTP/Apache attackers
https://lists.blocklist.de/lists/80.txt
https://lists.blocklist.de/lists/443.txt
https://lists.blocklist.de/lists/apache.txt

SMTP/E-Mail Attackers
https://lists.blocklist.de/lists/25.txt
https://lists.blocklist.de/lists/110.txt
https://lists.blocklist.de/lists/143.txt
https://lists.blocklist.de/lists/993.txt
https://lists.blocklist.de/lists/email.txt
https://lists.blocklist.de/lists/mail.txt
https://lists.blocklist.de/lists/imap.txt
https://lists.blocklist.de/lists/courierimap.txt
https://lists.blocklist.de/lists/courierpop3.txt
https://lists.blocklist.de/lists/pop3.txt
https://lists.blocklist.de/lists/postfix.txt

VOIP/SIP Attackers
https://lists.blocklist.de/lists/asterisk.txt
https://lists.blocklist.de/lists/sip.txt

IRC / Bots
https://lists.blocklist.de/lists/ircbot.txt
https://lists.blocklist.de/lists/bots.txt

Shodan
https://isc.sans.edu/api/threatlist/shodan/ (add ?json or ?csv for a different format than xml)

Per country/continent
https://github.com/firehol/blocklist-ipsets/tree/master/geolite2_country
https://github.com/firehol/blocklist-ipsets/tree/master/ip2location_country
https://github.com/firehol/blocklist-ipsets/tree/master/ipdeny_country
https://github.com/firehol/blocklist-ipsets/tree/master/ipip_country

Datacenters
https://github.com/firehol/blocklist-ipsets/blob/master/datacenters.netset (old)

Tor exit nodes
https://github.com/firehol/blocklist-ipsets/blob/master/tor_exits.ipset
https://isc.sans.edu/api/threatlist/torexit (add ?json or ?csv for a different format than xml)
https://check.torproject.org/exit-addresses

Some other feeds:
https://isc.sans.edu/api/threatfeeds/
Make sure to only pick ones that have had updates recently. The rest will return an error that they are not maintained.
When you choose a feed, for example "Scanners Operated by Onyphe.io", you open the URL with the type at the end, for example: https://isc.sans.edu/api/threatlist/onyphe or for "Rapid 7 Project Sonar" - https://isc.sans.edu/api/threatlist/rapid7sonar

And some IPs from one of the links with the title "Top Attackers" (selectel, ipvolume, novogara, digitalocean, clouvider, etc.)
