IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Greater the number, lesser the chance of false positive detection and/or dropping in (inbound) monitored traffic. Also, list is sorted from most (problematic) to least occurent IP addresses.
As an example, to get a fresh and ready-to-deploy auto-ban list of "bad IPs" that appear on at least 3 (black)lists you can run:
curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1
If you want to try it with ipset, you can do the following:
sudo su
apt-get -qq install iptables ipset
ipset -q flush ipsum
ipset -q create ipsum hash:ip
for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add ipsum $ip; done
iptables -D INPUT -m set --match-set ipsum src -j DROP 2>/dev/null
iptables -I INPUT -m set --match-set ipsum src -j DROP
In directory levels you can find preprocessed raw IP lists based on number of blacklist occurrences (e.g. levels/3.txt holds IP addresses that can be found on 3 or more blacklists).
| IP | DNS lookup | Number of (black)lists |
|---|---|---|
| 194.50.16.221 | - | 9 |
| 218.92.0.34 | - | 9 |
| 218.92.0.31 | - | 9 |
| 218.92.0.76 | - | 9 |
| 61.177.172.160 | - | 9 |
| 218.92.0.112 | - | 9 |
| 218.92.0.113 | - | 9 |
| 218.92.0.118 | - | 9 |
| 180.101.88.197 | - | 9 |
| 180.101.88.196 | - | 9 |
| 218.92.0.107 | - | 9 |
| 218.92.0.56 | - | 9 |
| 218.92.0.29 | - | 9 |
| 218.92.0.22 | - | 9 |
| 218.92.0.24 | - | 9 |
| 218.92.0.27 | - | 9 |
| 194.169.175.36 | - | 9 |
| 194.169.175.35 | - | 9 |
| 45.148.10.202 | - | 9 |
| 212.76.27.39 | - | 8 |
| 23.95.248.83 | 23-95-248-83-host.colocrossing.com | 8 |
| 61.177.172.136 | - | 8 |
| 178.20.55.16 | marcuse.nos-oignons.net | 8 |
| 66.66.116.251 | syn-066-066-116-251.res.spectrum.com | 8 |
| 144.217.180.194 | ns541144.ip-144-217-180.net | 8 |
| 92.118.39.133 | - | 8 |
| 83.222.191.62 | - | 8 |
| 61.177.172.179 | - | 8 |
| 85.209.11.27 | - | 8 |
| 103.142.86.221 | - | 8 |
| 61.177.172.140 | - | 8 |
| 180.101.88.205 | - | 8 |
| 95.214.27.253 | - | 8 |
| 85.209.11.254 | - | 8 |
| 80.82.77.33 | sky.census.shodan.io | 7 |
| 111.59.56.6 | - | 7 |
| 220.82.166.157 | - | 7 |
| 101.43.93.18 | - | 7 |
| 200.105.183.118 | static-200-105-183-118.acelerate.net | 7 |
| 211.224.41.185 | - | 7 |
| 213.109.202.127 | - | 7 |
| 140.246.28.249 | - | 7 |
| 54.37.10.124 | vps-1e3810b9.vps.ovh.net | 7 |
| 112.160.137.225 | - | 7 |
| 202.165.24.77 | - | 7 |
| 185.165.191.26 | - | 7 |
| 80.82.77.202 | rnd.group-ib.com | 7 |
| 192.42.116.208 | 11.tor-exit.nothingtohide.nl | 7 |
| 212.113.102.130 | server2.aeza.network | 7 |
| 89.97.218.142 | 89-97-218-142.ip19.fastwebnet.it | 7 |
| 193.32.162.83 | - | 7 |
| 182.229.10.141 | - | 7 |
| 211.253.10.96 | - | 7 |
| 171.25.193.78 | tor-exit-read-me.dfri.se | 7 |
| 51.89.153.112 | ns3145504.ip-51-89-153.eu | 7 |
| 104.248.194.114 | - | 7 |
| 183.81.169.238 | - | 7 |
| 45.148.10.251 | - | 7 |
| 219.138.108.82 | - | 7 |
| 93.174.95.106 | battery.census.shodan.io | 7 |
| 71.6.134.231 | - | 7 |
| 125.76.228.194 | - | 7 |
| 103.162.36.154 | - | 7 |
| 82.151.65.155 | - | 7 |