IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Greater the number, lesser the chance of false positive detection and/or dropping in (inbound) monitored traffic. Also, list is sorted from most (problematic) to least occurent IP addresses.
As an example, to get a fresh and ready-to-deploy auto-ban list of "bad IPs" that appear on at least 3 (black)lists you can run:
curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1
If you want to try it with ipset, you can do the following:
sudo su
apt-get -qq install iptables ipset
ipset -q flush ipsum
ipset -q create ipsum hash:ip
for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add ipsum $ip; done
iptables -D INPUT -m set --match-set ipsum src -j DROP 2>/dev/null
iptables -I INPUT -m set --match-set ipsum src -j DROP
In directory levels you can find preprocessed raw IP lists based on number of blacklist occurrences (e.g. levels/3.txt holds IP addresses that can be found on 3 or more blacklists).
| IP | DNS lookup | Number of (black)lists |
|---|---|---|
| 92.118.39.72 | - | 8 |
| 134.209.120.69 | - | 8 |
| 136.27.51.200 | 136-27-51-200.cab.webpass.net | 8 |
| 167.94.145.106 | - | 8 |
| 178.160.211.111 | - | 8 |
| 194.0.234.38 | - | 8 |
| 218.92.0.112 | - | 8 |
| 218.92.0.216 | - | 8 |
| 218.92.0.218 | - | 8 |
| 218.92.0.219 | - | 8 |
| 218.92.0.223 | - | 8 |
| 218.92.0.226 | - | 8 |
| 218.92.0.227 | - | 8 |
| 218.92.0.228 | - | 8 |
| 218.92.0.229 | - | 8 |
| 218.92.0.231 | - | 8 |
| 218.92.0.236 | - | 8 |
| 97.107.177.139 | - | 8 |
| 80.82.77.139 | dojo.census.shodan.io | 7 |
| 2.57.122.189 | - | 7 |
| 75.178.99.71 | syn-075-178-099-071.res.spectrum.com | 7 |
| 83.222.191.62 | - | 7 |
| 92.118.39.75 | - | 7 |
| 92.255.85.188 | - | 7 |
| 92.255.85.189 | - | 7 |
| 93.126.53.41 | - | 7 |
| 162.142.125.217 | scanner-05.ch1.censys-scanner.com | 7 |
| 167.94.145.96 | - | 7 |
| 167.94.145.98 | - | 7 |
| 167.94.145.99 | - | 7 |
| 167.94.145.109 | - | 7 |
| 167.94.146.49 | - | 7 |
| 181.225.140.68 | - | 7 |
| 185.165.191.27 | red.census.shodan.io | 7 |
| 193.32.162.130 | - | 7 |
| 193.32.162.132 | - | 7 |
| 193.32.162.135 | - | 7 |
| 193.32.162.136 | - | 7 |
| 195.178.110.76 | - | 7 |
| 206.168.34.82 | - | 7 |
| 207.90.244.5 | - | 7 |
| 218.92.0.111 | - | 7 |
| 218.92.0.114 | - | 7 |
| 218.92.0.198 | - | 7 |
| 218.92.0.217 | - | 7 |
| 218.92.0.220 | - | 7 |
| 218.92.0.221 | - | 7 |
| 218.92.0.222 | - | 7 |
| 218.92.0.225 | - | 7 |
| 218.92.0.230 | - | 7 |
| 218.92.0.232 | - | 7 |
| 218.92.0.233 | - | 7 |
| 218.92.0.235 | - | 7 |
| 218.92.0.237 | - | 7 |
| 101.36.231.233 | - | 7 |
| 115.91.91.182 | - | 7 |
| 119.252.143.6 | - | 7 |
| 167.94.146.60 | - | 7 |
| 186.96.151.198 | fixed-186-96-151-198.totalplay.net | 7 |
| 187.49.152.10 | ns1.entertelecom.com.br | 7 |
| 207.231.111.207 | - | 7 |
| 213.55.85.202 | - | 7 |
| 218.150.246.42 | - | 7 |
| 51.254.101.166 | 166.ip-51-254-101.eu | 7 |
| 74.73.241.225 | syn-074-073-241-225.res.spectrum.com | 7 |
| 79.3.96.178 | host-79-3-96-178.business.telecomitalia.it | 7 |
| 80.82.77.202 | rnd.group-ib.com | 7 |
| 102.211.152.45 | 45.152.211.102.angolacables.ao | 7 |
| 103.226.248.206 | - | 7 |
| 111.67.194.206 | - | 7 |
| 129.146.67.131 | - | 7 |
| 164.152.61.233 | - | 7 |
| 164.92.227.178 | - | 7 |
| 185.213.174.118 | - | 7 |
| 193.32.162.131 | - | 7 |
| 193.32.162.134 | - | 7 |
| 36.213.197.7 | - | 7 |
| 50.201.154.234 | - | 7 |
| 89.168.18.25 | - | 7 |
| 92.118.39.71 | - | 7 |