Robot
/
blocklist-ipsets
mirror of https://github.com/firehol/blocklist-ipsets.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Mon Nov 21 01:22:02 UTC 2016 update

This commit is contained in:
Costa Tsaousis 2016-11-21 01:22:02 +00:00
parent 1452a40b47
commit efbfa9174c
1 changed files with 23 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
README.md
View File

@ -220,7 +220,7 @@ This script will update each ipset and call firehol to update the ipset while th
# List of ipsets included
The following list was automatically generated on Mon Nov 21 01:17:41 UTC 2016.
The following list was automatically generated on Mon Nov 21 01:22:02 UTC 2016.
The update frequency is the maximum allowed by internal configuration. A list will never be downloaded sooner than the update frequency stated. A list may also not be downloaded, after this frequency expired, if it has not been modified on the server (as reported by HTTP `IF_MODIFIED_SINCE` method).
@ -251,7 +251,7 @@ name|info|type|entries|update|
[atlas_scans_7d](http://iplists.firehol.org/?ipset=atlas_scans_7d)|[ATLAS Scans](https://atlas.arbor.net/summary/scans) - Host scanning is a process whereby automated network sweeps are initiated in search of hosts running a particular service. This may be indicative of either legitimate host scanners (including network management systems and authorized vulnerability scanners) or an attacker (or automated malicious code, such as a worm) trying to enumerate potential hosts for subsequent compromise. Scans are often the prelude to an attack, and services scanned by attackers usually indicate known vulnerabilities for those services. Types of port scans include connect() scans, SYN scans, stealth scans, bounce scans, XMAS and Null scans. All reveal to the attacker which services on what hosts are listening for connections. Scans may be launched from compromised hosts, and their sources may be forged.|ipv4 hash:ip|33 unique IPs|updated every 1 day from [this link](https://atlas.arbor.net/summary/scans.csv)
[bambenek_banjori](http://iplists.firehol.org/?ipset=bambenek_banjori)|[Bambenek Consulting](http://osint.bambenekconsulting.com/feeds/) feed of current IPs of banjori C&Cs with 90 minute lookback|ipv4 hash:ip|0 unique IPs|updated every 30 mins from [this link](http://osint.bambenekconsulting.com/feeds/banjori-iplist.txt)
[bambenek_bebloh](http://iplists.firehol.org/?ipset=bambenek_bebloh)|[Bambenek Consulting](http://osint.bambenekconsulting.com/feeds/) feed of current IPs of bebloh C&Cs with 90 minute lookback|ipv4 hash:ip|0 unique IPs|updated every 30 mins from [this link](http://osint.bambenekconsulting.com/feeds/bebloh-iplist.txt)
[bambenek_c2](http://iplists.firehol.org/?ipset=bambenek_c2)|[Bambenek Consulting](http://osint.bambenekconsulting.com/feeds/) master feed of known, active and non-sinkholed C&Cs IP addresses|ipv4 hash:ip|245 unique IPs|updated every 30 mins from [this link](http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt)
[bambenek_c2](http://iplists.firehol.org/?ipset=bambenek_c2)|[Bambenek Consulting](http://osint.bambenekconsulting.com/feeds/) master feed of known, active and non-sinkholed C&Cs IP addresses|ipv4 hash:ip|256 unique IPs|updated every 30 mins from [this link](http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt)
[bambenek_cl](http://iplists.firehol.org/?ipset=bambenek_cl)|[Bambenek Consulting](http://osint.bambenekconsulting.com/feeds/) feed of current IPs of cl C&Cs with 90 minute lookback|ipv4 hash:ip|0 unique IPs|updated every 30 mins from [this link](http://osint.bambenekconsulting.com/feeds/cl-iplist.txt)
[bambenek_cl](http://iplists.firehol.org/?ipset=bambenek_cl)|[Bambenek Consulting](http://osint.bambenekconsulting.com/feeds/) feed of current IPs of cl C&Cs with 90 minute lookback|ipv4 hash:ip|0 unique IPs|updated every 30 mins from [this link](http://osint.bambenekconsulting.com/feeds/cl-iplist.txt)
[bambenek_cryptowall](http://iplists.firehol.org/?ipset=bambenek_cryptowall)|[Bambenek Consulting](http://osint.bambenekconsulting.com/feeds/) feed of current IPs of cryptowall C&Cs with 90 minute lookback|ipv4 hash:ip|0 unique IPs|updated every 30 mins from [this link](http://osint.bambenekconsulting.com/feeds/cryptowall-iplist.txt)
@ -291,22 +291,22 @@ bambenek_p2pgoz|[Bambenek Consulting](http://osint.bambenekconsulting.com/feeds/
[bitcoin_blockchain_info](http://iplists.firehol.org/?ipset=bitcoin_blockchain_info)|[Blockchain.info](https://blockchain.info/en/connected-nodes) Bitcoin nodes connected to Blockchain.info.|ipv4 hash:ip|181 unique IPs|updated every 10 mins from [this link](https://blockchain.info/en/connected-nodes)
[bitcoin_blockchain_info_1d](http://iplists.firehol.org/?ipset=bitcoin_blockchain_info_1d)|[Blockchain.info](https://blockchain.info/en/connected-nodes) Bitcoin nodes connected to Blockchain.info.|ipv4 hash:ip|192 unique IPs|updated every 10 mins from [this link](https://blockchain.info/en/connected-nodes)
[bitcoin_blockchain_info_30d](http://iplists.firehol.org/?ipset=bitcoin_blockchain_info_30d)|[Blockchain.info](https://blockchain.info/en/connected-nodes) Bitcoin nodes connected to Blockchain.info.|ipv4 hash:ip|4404 unique IPs|updated every 10 mins from [this link](https://blockchain.info/en/connected-nodes)
[bitcoin_blockchain_info_7d](http://iplists.firehol.org/?ipset=bitcoin_blockchain_info_7d)|[Blockchain.info](https://blockchain.info/en/connected-nodes) Bitcoin nodes connected to Blockchain.info.|ipv4 hash:ip|1738 unique IPs|updated every 10 mins from [this link](https://blockchain.info/en/connected-nodes)
[bitcoin_nodes](http://iplists.firehol.org/?ipset=bitcoin_nodes)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|4276 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
[bitcoin_nodes_1d](http://iplists.firehol.org/?ipset=bitcoin_nodes_1d)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|5457 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
[bitcoin_nodes_30d](http://iplists.firehol.org/?ipset=bitcoin_nodes_30d)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|21290 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
[bitcoin_nodes_7d](http://iplists.firehol.org/?ipset=bitcoin_nodes_7d)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|9055 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
[bitcoin_blockchain_info_7d](http://iplists.firehol.org/?ipset=bitcoin_blockchain_info_7d)|[Blockchain.info](https://blockchain.info/en/connected-nodes) Bitcoin nodes connected to Blockchain.info.|ipv4 hash:ip|1737 unique IPs|updated every 10 mins from [this link](https://blockchain.info/en/connected-nodes)
[bitcoin_nodes](http://iplists.firehol.org/?ipset=bitcoin_nodes)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|4275 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
[bitcoin_nodes_1d](http://iplists.firehol.org/?ipset=bitcoin_nodes_1d)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|5455 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
[bitcoin_nodes_30d](http://iplists.firehol.org/?ipset=bitcoin_nodes_30d)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|21287 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
[bitcoin_nodes_7d](http://iplists.firehol.org/?ipset=bitcoin_nodes_7d)|[BitNodes](https://getaddr.bitnodes.io/) Bitcoin connected nodes, globally.|ipv4 hash:ip|9054 unique IPs|updated every 10 mins from [this link](https://getaddr.bitnodes.io/api/v1/snapshots/latest/)
[blocklist_de](http://iplists.firehol.org/?ipset=blocklist_de)|[Blocklist.de](https://www.blocklist.de/) IPs that have been detected by fail2ban in the last 48 hours|ipv4 hash:ip|22023 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/all.txt)
[blocklist_de_apache](http://iplists.firehol.org/?ipset=blocklist_de_apache)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks.|ipv4 hash:ip|9324 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/apache.txt)
[blocklist_de_bots](http://iplists.firehol.org/?ipset=blocklist_de_bots)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on a open Forum or Wiki).|ipv4 hash:ip|1733 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/bots.txt)
[blocklist_de_bruteforce](http://iplists.firehol.org/?ipset=blocklist_de_bruteforce)|[Blocklist.de](https://www.blocklist.de/) All IPs which attacks Joomlas, Wordpress and other Web-Logins with Brute-Force Logins.|ipv4 hash:ip|276 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/bruteforcelogin.txt)
[blocklist_de_ftp](http://iplists.firehol.org/?ipset=blocklist_de_ftp)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP.|ipv4 hash:ip|1814 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/ftp.txt)
[blocklist_de_imap](http://iplists.firehol.org/?ipset=blocklist_de_imap)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3, etc.|ipv4 hash:ip|1337 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/imap.txt)
[blocklist_de_mail](http://iplists.firehol.org/?ipset=blocklist_de_mail)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix.|ipv4 hash:ip|14696 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/mail.txt)
[blocklist_de_sip](http://iplists.firehol.org/?ipset=blocklist_de_sip)|[Blocklist.de](https://www.blocklist.de/) All IP addresses that tried to login in a SIP, VOIP or Asterisk Server and are included in the IPs list from infiltrated.net|ipv4 hash:ip|132 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/sip.txt)
[blocklist_de_ssh](http://iplists.firehol.org/?ipset=blocklist_de_ssh)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH.|ipv4 hash:ip|2865 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/ssh.txt)
[blocklist_de_strongips](http://iplists.firehol.org/?ipset=blocklist_de_strongips)|[Blocklist.de](https://www.blocklist.de/) All IPs which are older then 2 month and have more then 5.000 attacks.|ipv4 hash:ip|141 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/strongips.txt)
[blocklist_net_ua](http://iplists.firehol.org/?ipset=blocklist_net_ua)|[blocklist.net.ua](https://blocklist.net.ua) The BlockList project was created to become protection against negative influence of the harmful and potentially dangerous events on the Internet. First of all this service will help internet and hosting providers to protect subscribers sites from being hacked. BlockList will help to stop receiving a large amount of spam from dubious SMTP relays or from attempts of brute force passwords to servers and network equipment.|ipv4 hash:ip|10921 unique IPs|updated every 10 mins from [this link](https://blocklist.net.ua/blocklist.csv)
[blocklist_de_apache](http://iplists.firehol.org/?ipset=blocklist_de_apache)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks.|ipv4 hash:ip|9329 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/apache.txt)
[blocklist_de_bots](http://iplists.firehol.org/?ipset=blocklist_de_bots)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on a open Forum or Wiki).|ipv4 hash:ip|1724 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/bots.txt)
[blocklist_de_bruteforce](http://iplists.firehol.org/?ipset=blocklist_de_bruteforce)|[Blocklist.de](https://www.blocklist.de/) All IPs which attacks Joomlas, Wordpress and other Web-Logins with Brute-Force Logins.|ipv4 hash:ip|280 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/bruteforcelogin.txt)
[blocklist_de_ftp](http://iplists.firehol.org/?ipset=blocklist_de_ftp)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP.|ipv4 hash:ip|1807 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/ftp.txt)
[blocklist_de_imap](http://iplists.firehol.org/?ipset=blocklist_de_imap)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3, etc.|ipv4 hash:ip|1336 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/imap.txt)
[blocklist_de_mail](http://iplists.firehol.org/?ipset=blocklist_de_mail)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix.|ipv4 hash:ip|14713 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/mail.txt)
[blocklist_de_sip](http://iplists.firehol.org/?ipset=blocklist_de_sip)|[Blocklist.de](https://www.blocklist.de/) All IP addresses that tried to login in a SIP, VOIP or Asterisk Server and are included in the IPs list from infiltrated.net|ipv4 hash:ip|133 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/sip.txt)
[blocklist_de_ssh](http://iplists.firehol.org/?ipset=blocklist_de_ssh)|[Blocklist.de](https://www.blocklist.de/) All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH.|ipv4 hash:ip|2875 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/ssh.txt)
[blocklist_de_strongips](http://iplists.firehol.org/?ipset=blocklist_de_strongips)|[Blocklist.de](https://www.blocklist.de/) All IPs which are older then 2 month and have more then 5.000 attacks.|ipv4 hash:ip|140 unique IPs|updated every 15 mins from [this link](http://lists.blocklist.de/lists/strongips.txt)
[blocklist_net_ua](http://iplists.firehol.org/?ipset=blocklist_net_ua)|[blocklist.net.ua](https://blocklist.net.ua) The BlockList project was created to become protection against negative influence of the harmful and potentially dangerous events on the Internet. First of all this service will help internet and hosting providers to protect subscribers sites from being hacked. BlockList will help to stop receiving a large amount of spam from dubious SMTP relays or from attempts of brute force passwords to servers and network equipment.|ipv4 hash:ip|10918 unique IPs|updated every 10 mins from [this link](https://blocklist.net.ua/blocklist.csv)
[blueliv_crimeserver_last](http://iplists.firehol.org/?ipset=blueliv_crimeserver_last)|[blueliv.com](https://www.blueliv.com/) Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com)|ipv4 hash:ip|88 unique IPs|updated every 6 hours from [this link](https://freeapi.blueliv.com/v1/crimeserver/last)
[blueliv_crimeserver_last_1d](http://iplists.firehol.org/?ipset=blueliv_crimeserver_last_1d)|[blueliv.com](https://www.blueliv.com/) Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com)|ipv4 hash:ip|332 unique IPs|updated every 6 hours from [this link](https://freeapi.blueliv.com/v1/crimeserver/last)
[blueliv_crimeserver_last_2d](http://iplists.firehol.org/?ipset=blueliv_crimeserver_last_2d)|[blueliv.com](https://www.blueliv.com/) Last 6 hours Cybercrime IPs, in all categories: BACKDOOR, C_AND_C, EXPLOIT_KIT, MALWARE and PHISHING (to download the source data you need an API key from blueliv.com)|ipv4 hash:ip|512 unique IPs|updated every 6 hours from [this link](https://freeapi.blueliv.com/v1/crimeserver/last)
@ -659,12 +659,12 @@ esentire_burmundisoul_ru|Ursnif Variant CnC|ipv4 hash:ip|disabled|updated every
[firehol_abusers_1d](http://iplists.firehol.org/?ipset=firehol_abusers_1d)|An ipset made from blocklists that track abusers in the last 24 hours. (includes: botscout_1d cleantalk_new_1d cleantalk_updated_1d php_commenters_1d php_dictionary_1d php_harvesters_1d php_spammers_1d stopforumspam_1d)|ipv4 hash:net|12107 subnets, 12655 unique IPs|
[firehol_abusers_30d](http://iplists.firehol.org/?ipset=firehol_abusers_30d)|An ipset made from blocklists that track abusers in the last 30 days. (includes: cleantalk_new_30d cleantalk_updated_30d php_commenters_30d php_dictionary_30d php_harvesters_30d php_spammers_30d stopforumspam sblam)|ipv4 hash:net|199905 subnets, 212710 unique IPs|
[firehol_anonymous](http://iplists.firehol.org/?ipset=firehol_anonymous)|An ipset that includes all the anonymizing IPs of the world. (includes: anonymous bm_tor dm_tor firehol_proxies tor_exits)|ipv4 hash:net|39610 subnets, 46657 unique IPs|
[firehol_level1](http://iplists.firehol.org/?ipset=firehol_level1)|A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls. (includes: bambenek_c2 dshield feodo fullbogons palevo spamhaus_drop spamhaus_edrop sslbl zeus_badips ransomware_rw)|ipv4 hash:net|17219 subnets, 662542736 unique IPs|
[firehol_level1](http://iplists.firehol.org/?ipset=firehol_level1)|A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls. (includes: bambenek_c2 dshield feodo fullbogons palevo spamhaus_drop spamhaus_edrop sslbl zeus_badips ransomware_rw)|ipv4 hash:net|17231 subnets, 662542747 unique IPs|
[firehol_level2](http://iplists.firehol.org/?ipset=firehol_level2)|An ipset made from blocklists that track attacks, during about the last 48 hours. (includes: blocklist_de dshield_1d greensnow openbl_1d virbl)|ipv4 hash:net|14988 subnets, 32099 unique IPs|
[firehol_level3](http://iplists.firehol.org/?ipset=firehol_level3)|An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs than have been reported or detected in the last 30 days. (includes: bruteforceblocker ciarmy dragon_http dragon_sshpauth dragon_vncprobe dshield_30d dshield_top_1000 malc0de maxmind_proxy_fraud myip openbl_30d shunlist snort_ipfilter sslbl_aggressive talosintel_ipfilter zeus vxvault)|ipv4 hash:net|23796 subnets, 128650 unique IPs|
[firehol_level4](http://iplists.firehol.org/?ipset=firehol_level4)|An ipset made from blocklists that track attacks, but may include a large number of false positives. (includes: cleanmx_viruses blocklist_net_ua botscout_30d cruzit_web_attacks cybercrime haley_ssh iblocklist_hijacked iblocklist_spyware iblocklist_webexploit ipblacklistcloud_top iw_wormlist malwaredomainlist)|ipv4 hash:net|75353 subnets, 9571082 unique IPs|
[firehol_level4](http://iplists.firehol.org/?ipset=firehol_level4)|An ipset made from blocklists that track attacks, but may include a large number of false positives. (includes: cleanmx_viruses blocklist_net_ua botscout_30d cruzit_web_attacks cybercrime haley_ssh iblocklist_hijacked iblocklist_spyware iblocklist_webexploit ipblacklistcloud_top iw_wormlist malwaredomainlist)|ipv4 hash:net|75349 subnets, 9571078 unique IPs|
[firehol_proxies](http://iplists.firehol.org/?ipset=firehol_proxies)|An ipset made from all sources that track open proxies. It includes IPs reported or detected in the last 30 days. (includes: iblocklist_proxies maxmind_proxy_fraud proxylists_30d proxyrss_30d proxz_30d proxyspy_30d ri_connect_proxies_30d ri_web_proxies_30d socks_proxy_30d sslproxies_30d xroxy_30d)|ipv4 hash:net|32869 subnets, 33684 unique IPs|
[firehol_webclient](http://iplists.firehol.org/?ipset=firehol_webclient)|An IP blacklist made from blocklists that track IPs that a web client should never talk to. This list is to be used on top of firehol_level1. (includes: ransomware_online sslbl_aggressive cybercrime atlas_phishing_2d atlas_fastflux_2d dyndns_ponmocup maxmind_proxy_fraud)|ipv4 hash:net|11892 subnets, 11972 unique IPs|
[firehol_webclient](http://iplists.firehol.org/?ipset=firehol_webclient)|An IP blacklist made from blocklists that track IPs that a web client should never talk to. This list is to be used on top of firehol_level1. (includes: ransomware_online sslbl_aggressive cybercrime atlas_phishing_2d atlas_fastflux_2d dyndns_ponmocup maxmind_proxy_fraud)|ipv4 hash:net|11891 subnets, 11971 unique IPs|
[firehol_webserver](http://iplists.firehol.org/?ipset=firehol_webserver)|A web server IP blacklist made from blocklists that track IPs that should never be your web users. (This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. This list is to be used on top of firehol_level1, firehol_level2, firehol_level3 and possibly firehol_proxies or firehol_anonymous). (includes: hphosts_emd hphosts_exp hphosts_fsa hphosts_hjk hphosts_psh hphosts_wrz maxmind_proxy_fraud myip pushing_inertia_blocklist stopforumspam_toxic)|ipv4 hash:net|50583 subnets, 50960158 unique IPs|
[fullbogons](http://iplists.firehol.org/?ipset=fullbogons)|[Team-Cymru.org](http://www.team-cymru.org) IP space that has been allocated to an RIR, but not assigned by that RIR to an actual ISP or other end-user|ipv4 hash:net|3760 subnets, 636477992 unique IPs|updated every 1 day from [this link](http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt)
[geolite2_country](https://github.com/firehol/blocklist-ipsets/tree/master/geolite2_country)|[MaxMind GeoLite2](http://dev.maxmind.com/geoip/geoip2/geolite2/) databases are free IP geolocation databases comparable to, but less accurate than, MaxMinds GeoIP2 databases. They include IPs per country, IPs per continent, IPs used by anonymous services (VPNs, Proxies, etc) and Satellite Providers.|ipv4 hash:net|All the world|updated every 7 days from [this link](http://geolite.maxmind.com/download/geoip/database/GeoLite2-Country-CSV.zip)
@ -1289,10 +1289,10 @@ php_bad|[projecthoneypot.org](http://www.projecthoneypot.org/?rf=192670) bad web
[proxz_7d](http://iplists.firehol.org/?ipset=proxz_7d)|[proxz.com](http://www.proxz.com) open proxies (this list is composed using an RSS feed)|ipv4 hash:ip|964 unique IPs|updated every 1 hour from [this link](http://www.proxz.com/proxylists.xml)
[pushing_inertia_blocklist](http://iplists.firehol.org/?ipset=pushing_inertia_blocklist)|[Pushing Inertia](https://github.com/pushinginertia/ip-blacklist) IPs of hosting providers that are known to host various bots, spiders, scrapers, etc. to block access from these providers to web servers.|ipv4 hash:net|864 subnets, 50729096 unique IPs|updated every 1 day from [this link](https://raw.githubusercontent.com/pushinginertia/ip-blacklist/master/ip_blacklist.conf)
[ransomware_cryptowall_ps](http://iplists.firehol.org/?ipset=ransomware_cryptowall_ps)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list is CW_PS_IPBL: CryptoWall Ransomware Payment Sites IP blocklist.|ipv4 hash:ip|0 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/downloads/CW_PS_IPBL.txt)
[ransomware_feed](http://iplists.firehol.org/?ipset=ransomware_feed)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. The IPs in this list have been extracted from the tracker data feed.|ipv4 hash:ip|4034 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/feeds/csv/)
[ransomware_feed](http://iplists.firehol.org/?ipset=ransomware_feed)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. The IPs in this list have been extracted from the tracker data feed.|ipv4 hash:ip|4033 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/feeds/csv/)
[ransomware_locky_c2](http://iplists.firehol.org/?ipset=ransomware_locky_c2)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list is LY_C2_IPBL: Locky Ransomware C2 URL blocklist.|ipv4 hash:ip|212 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/downloads/LY_C2_IPBL.txt)
[ransomware_locky_ps](http://iplists.firehol.org/?ipset=ransomware_locky_ps)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list is LY_PS_IPBL: Locky Ransomware Payment Sites IP blocklist.|ipv4 hash:ip|6 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/downloads/LY_PS_IPBL.txt)
[ransomware_online](http://iplists.firehol.org/?ipset=ransomware_online)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. The IPs in this list have been extracted from the tracker data feed, filtering only online IPs.|ipv4 hash:ip|952 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/feeds/csv/)
[ransomware_online](http://iplists.firehol.org/?ipset=ransomware_online)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. The IPs in this list have been extracted from the tracker data feed, filtering only online IPs.|ipv4 hash:ip|951 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/feeds/csv/)
[ransomware_rw](http://iplists.firehol.org/?ipset=ransomware_rw)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list includes TC_PS_IPBL, LY_C2_IPBL, TL_C2_IPBL, TL_PS_IPBL and it is the recommended blocklist. It might not catch everything, but the false positive rate should be low. However, false positives are possible, especially with regards to RW_IPBL. IP addresses associated with Ransomware Payment Sites (*_PS_IPBL) or Locky botnet C&Cs (LY_C2_IPBL) stay listed on RW_IPBL for a time of 30 days after the last appearence. This means that an IP address stays listed on RW_IPBL even after the threat has been eliminated (e.g. the VPS / server has been suspended by the hosting provider) for another 30 days.|ipv4 hash:ip|11462 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt)
[ransomware_teslacrypt_ps](http://iplists.firehol.org/?ipset=ransomware_teslacrypt_ps)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list is TC_PS_IPBL: TeslaCrypt Ransomware Payment Sites IP blocklist.|ipv4 hash:ip|10998 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/downloads/TC_PS_IPBL.txt)
[ransomware_torrentlocker_c2](http://iplists.firehol.org/?ipset=ransomware_torrentlocker_c2)|[Abuse.ch Ransomware Tracker](https://ransomwaretracker.abuse.ch) Ransomware Tracker tracks and monitors the status of domain names, IP addresses and URLs that are associated with Ransomware, such as Botnet C&C servers, distribution sites and payment sites. By using data provided by Ransomware Tracker, hosting- and internet service provider (ISPs), as well as national CERTs/CSIRTs, law enforcement agencies (LEA) and security researchers can receive an overview on infrastructure used by Ransomware and whether these are actively being used by miscreant to commit fraud. This list is TL_C2_IPBL: TorrentLocker Ransomware C2 IP blocklist.|ipv4 hash:ip|27 unique IPs|updated every 5 mins from [this link](https://ransomwaretracker.abuse.ch/downloads/TL_C2_IPBL.txt)
@ -1342,7 +1342,7 @@ sorbs_block|[Sorbs.net](https://www.sorbs.net/) List of hosts demanding that the
[stopforumspam_7d](http://iplists.firehol.org/?ipset=stopforumspam_7d)|[StopForumSpam.com](http://www.stopforumspam.com) IPs used by forum spammers (last 7 days)|ipv4 hash:ip|19941 unique IPs|updated every 1 day from [this link](http://www.stopforumspam.com/downloads/listed_ip_7.zip)
[stopforumspam_90d](http://iplists.firehol.org/?ipset=stopforumspam_90d)|[StopForumSpam.com](http://www.stopforumspam.com) IPs used by forum spammers (last 90 days)|ipv4 hash:ip|148906 unique IPs|updated every 1 day from [this link](http://www.stopforumspam.com/downloads/listed_ip_90.zip)
[stopforumspam_toxic](http://iplists.firehol.org/?ipset=stopforumspam_toxic)|[StopForumSpam.com](http://www.stopforumspam.com) Networks that have large amounts of spambots and are flagged as toxic. Toxic IP ranges are infrequently changed.|ipv4 hash:net|82 subnets, 553047 unique IPs|updated every 1 day from [this link](http://www.stopforumspam.com/downloads/toxic_ip_cidr.txt)
[taichung](http://iplists.firehol.org/?ipset=taichung)|[Taichung Education Center](https://www.tc.edu.tw/net/netflow/lkout/recent/30) Blocked IP Addresses (attacks and bots).|ipv4 hash:ip|11506 unique IPs|updated every 1 day from [this link](https://www.tc.edu.tw/net/netflow/lkout/recent/30)
[taichung](http://iplists.firehol.org/?ipset=taichung)|[Taichung Education Center](https://www.tc.edu.tw/net/netflow/lkout/recent/30) Blocked IP Addresses (attacks and bots).|ipv4 hash:ip|11530 unique IPs|updated every 1 day from [this link](https://www.tc.edu.tw/net/netflow/lkout/recent/30)
[talosintel_ipfilter](http://iplists.firehol.org/?ipset=talosintel_ipfilter)|[TalosIntel.com](http://talosintel.com/additional-resources/) List of known malicious network threats|ipv4 hash:ip|2343 unique IPs|updated every 15 mins from [this link](http://talosintel.com/feeds/ip-filter.blf)
[threatcrowd](http://iplists.firehol.org/?ipset=threatcrowd)|[Crowdsourced IP feed from ThreatCrowd](http://threatcrowd.blogspot.gr/2016/02/crowdsourced-feeds-from-threatcrowd.html). These feeds are not a substitute for the scale of auto-extracted command and control domains or the quality of some commercially provided feeds. But crowd-sourcing does go some way towards the quick sharing of threat intelligence between the community.|ipv4 hash:ip|6383 unique IPs|updated every 1 hour from [this link](https://www.threatcrowd.org/feeds/ips.txt)
[tor_exits](http://iplists.firehol.org/?ipset=tor_exits)|[TorProject.org](https://www.torproject.org) list of all current TOR exit points (TorDNSEL)|ipv4 hash:ip|1036 unique IPs|updated every 5 mins from [this link](https://check.torproject.org/exit-addresses)