Skip to main content
Get 17% off the OpenPanel Enterprise Annual License with a lifetime fixed price guarantee.Get Started Now
OpenPanelDocumentation
Version: 1.5.6

CSF Blocklists

CSF/LFD supports downloading and applying blocklists of IPs and CIDRs from public sources.

OpenPanel does not enable any IP blocklists by default upon installation.

from OpenAdmin

To enable a blocklist from OpenAdmin interface, navigate to Security > Firewall then scroll down and click on the 'LFD Blocklists':

2025-07-22-17-06.png

Uncomment the line that starts with the desired blocklist, by removing the # before it, then click on 'Change':

2025-07-22-17-06-1.png

Finally click on 'Restart csf+lfd':

2025-07-22-17-07.png

from Terminal

To enable a specific blocklist:

  1. Open file /etc/csf/csf.blocklists
  2. Uncomment the line that starts with the desired blocklist.
  3. Save the file.
  4. Restart CSF, then restart LFD: csf -ra && serfice lfd restart

Format

ParameterDescription
NAMEList name with all uppercase alphabetic characters, no spaces, and a maximum of 25 characters. This will be used as the iptables chain name.
INTERVALRefresh interval (in seconds) to download the list. Must be at least 3600 (1 hour), but 86400 (1 day) is generally sufficient.
MAXMaximum number of IP addresses to use from the list. A value of 0 means all IPs will be included.
URLURL of the IP list source.

Blocklists

NameCategoryMaintainerDescriptionEnabled by Default
ABUSEIPDBreputationabuseipdb.comIP reputation database of abusive IPs engaging in hacking attempts or other malicious behavior (You must sign up to their website for a free API key then replace YOUR_API_KEY with it in the source URL).
UNLIMITED_RSreputationunlimited.rsUNLIMITED.RS attacking IP addresses (all).
BDEattacksblocklist.deBlocklist.de attacking IP addresses (last hour).
BDEALLattacksblocklist.deBlocklist.de attacking IP addresses (all).
BDS_ATIFreputationbinarydefense.comArtillery Threat Intelligence feed and banlist feed.
BFBattacksDaniel GerzoBruteForceBlocker IP List.
BLOCKLIST_NET_UAabuseblocklist.net.uaHelps stop spam and brute force attacks from dubious sources.
BOGONunroutableteam-cymru.orgPrivate/reserved IPs and unallocated netblocks.
BOTSCOUTabusebotscout.comPrevents bots from abusing forms, spamming, etc.
CIARMYreputationcinsscore.comPoor rogue packet score IPs from the CINS Army list.
DARKLIST_DEattacksdarklist.deSSH fail2ban reporting.
DSHIELDattacksdShield.orgTop 20 attacking class C (/24) subnets over 3 days.
ET_BLOCKattacksemergingthreats.netDefault blacklist; better to use individual ipsets.
ET_COMPROMISEDattacksemergingthreats.netCompromised hosts.
ET_TORanonymizersemergingthreats.netTOR network IPs.
FEODOmalwareabuse.chFeodo (Cridex/Bugat) trojan IPs.
GREENSNOWattacksgreenSnow.coMonitors brute force, FTP, SMTP, SSH, etc.
HONEYPOTattacksprojecthoneypot.orgDictionary attacker IPs.
INTERSERVER_2Dattacksinterserver.netBrute force/spam/malicious IPs (last 2 days).
INTERSERVER_7Dattacksinterserver.netSame as above (last 7 days).
INTERSERVER_ALLattacksinterserver.netAll known malicious IPs.
SBLAMabusesblam.comWeb form spammers.
SPAMDROPspamspamhaus.orgDROP - Do not Route Or Peer List.
SPAMDROPV6spamspamhaus.orgDROPv6 for IPv6.
SPAMEDROPspamspamhaus.orgExtended DROP List (EDROP).
SSLBLmalwareabuse.chSSL traffic related to malware/botnets.
SSLBL_AGGRESSIVEmalwareabuse.chAggressive SSL blacklist (may cause false positives).
STOPFORUMSPAMabusestopforumspam.comForum spammer IPs.
STOPFORUMSPAM_180Dabusestopforumspam.comLast 180 days.
STOPFORUMSPAM_1Dabusestopforumspam.comLast 24 hours.
STOPFORUMSPAM_30Dabusestopforumspam.comLast 30 days.
STOPFORUMSPAM_365Dabusestopforumspam.comLast 365 days.
STOPFORUMSPAM_7Dabusestopforumspam.comLast 7 days.
STOPFORUMSPAM_90Dabusestopforumspam.comLast 90 days.
STOPFORUMSPAM_TOXICabusestopforumspam.comNetworks with heavy bot activity.
TORanonymizerstorproject.orgTOR exit node list.

NOTE: These lists are not under the control of OpenPanel and could have false positives.

Previous
Security
Next
Limiting Connections with CSF
Was this helpful?