Version: 1.4.9
CSF Blocklists
CSF/LFD supports downloading and applying blocklists of IPs and CIDRs from public sources. These are managed in the file: /etc/csf/csf.blocklists
To enable a specific blocklist:
- Uncomment the line that starts with the rule name.
- Restart CSF, then restart LFD.
OpenPanel does not enable any IP blocklists by default upon installation.
Format
Parameter | Description |
---|---|
NAME | List name with all uppercase alphabetic characters, no spaces, and a maximum of 25 characters. This will be used as the iptables chain name. |
INTERVAL | Refresh interval (in seconds) to download the list. Must be at least 3600 (1 hour), but 86400 (1 day) is generally sufficient. |
MAX | Maximum number of IP addresses to use from the list. A value of 0 means all IPs will be included. |
URL | URL of the IP list source. |
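In csf.blocklists the four fields are written on one line as NAME|INTERVAL|MAX|URL. The Python linter below is an added example, not part of OpenPanel or CSF: it checks the enabled (uncommented) entries against the constraints in the table above, so mistakes are caught before CSF and LFD are restarted. The function name, the sample entries and the lists.example.com URLs are constructed, and allowing digits and underscores in NAME is an assumption based on the list names this page uses.

```python
import re

# Assumption: NAME may contain A-Z, 0-9 and "_" (this page lists names such as
# INTERSERVER_2D); the 25-character limit and the uppercase rule are from the table.
NAME_RE = re.compile(r"[A-Z0-9_]{1,25}")
MIN_INTERVAL = 3600  # seconds, the minimum refresh interval

def lint_blocklists(text):
    """Return (valid_enabled_names, problems) for the text of csf.blocklists."""
    ok, problems, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line, comment, or a list that is still disabled
        parts = line.split("|", 3)
        if len(parts) != 4:
            problems.append((lineno, "expected NAME|INTERVAL|MAX|URL"))
            continue
        name, interval, maximum, url = (p.strip() for p in parts)
        found = []
        if not NAME_RE.fullmatch(name):
            found.append("NAME must be uppercase, no spaces, at most 25 characters")
        elif name in seen:
            found.append("duplicate NAME (the iptables chain name would collide)")
        seen.add(name)
        if not interval.isdecimal() or int(interval) < MIN_INTERVAL:
            found.append("INTERVAL must be an integer of at least 3600 seconds")
        if not maximum.isdecimal():
            found.append("MAX must be a non-negative integer (0 means all IPs)")
        if "YOUR_API_KEY" in url:
            found.append("URL still contains the YOUR_API_KEY placeholder")
        problems.extend((lineno, f"{name}: {msg}") for msg in found)
        if not found:
            ok.append(name)
    return ok, problems

# Constructed sample input, not a real csf.blocklists file.
SAMPLE = """\
# Spamhaus DROP (constructed entry)
SPAMDROP|86400|0|https://lists.example.com/drop.txt
#TOR|86400|0|https://lists.example.com/tor.txt
ABUSEIPDB|86400|10000|https://lists.example.com/blacklist?key=YOUR_API_KEY
BDE|600|0|https://lists.example.com/bde.txt
Bad Name|3600|all|https://lists.example.com/x.txt
"""

if __name__ == "__main__":
    valid, issues = lint_blocklists(SAMPLE)
    print("valid enabled lists:", valid)
    for lineno, msg in issues:
        print(f"line {lineno}: {msg}")
```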
Blocklists
Name | Category | Maintainer | Description | Enabled by Default |
---|---|---|---|---|
ABUSEIPDB | reputation | abuseipdb.com | IP reputation database of abusive IPs engaging in hacking attempts or other malicious behavior (You must sign up to their website for a free API key then replace YOUR_API_KEY with it in the source URL). | |
UNLIMITED_RS | reputation | unlimited.rs | UNLIMITED.RS attacking IP addresses (all). | |
BDE | attacks | blocklist.de | Blocklist.de attacking IP addresses (last hour). | |
BDEALL | attacks | blocklist.de | Blocklist.de attacking IP addresses (all). | |
BDS_ATIF | reputation | binarydefense.com | Artillery Threat Intelligence feed and banlist feed. | |
BFB | attacks | Daniel Gerzo | BruteForceBlocker IP List. | |
BLOCKLIST_NET_UA | abuse | blocklist.net.ua | Helps stop spam and brute force attacks from dubious sources. | |
BOGON | unroutable | team-cymru.org | Private/reserved IPs and unallocated netblocks. | |
BOTSCOUT | abuse | botscout.com | Prevents bots from abusing forms, spamming, etc. | |
CIARMY | reputation | cinsscore.com | Poor rogue packet score IPs from the CINS Army list. | |
DARKLIST_DE | attacks | darklist.de | SSH fail2ban reporting. | |
DSHIELD | attacks | dShield.org | Top 20 attacking class C (/24) subnets over 3 days. | |
ET_BLOCK | attacks | emergingthreats.net | Default blacklist; better to use individual ipsets. | |
ET_COMPROMISED | attacks | emergingthreats.net | Compromised hosts. | |
ET_TOR | anonymizers | emergingthreats.net | TOR network IPs. | |
FEODO | malware | abuse.ch | Feodo (Cridex/Bugat) trojan IPs. | |
GREENSNOW | attacks | greenSnow.co | Monitors brute force, FTP, SMTP, SSH, etc. | |
HONEYPOT | attacks | projecthoneypot.org | Dictionary attacker IPs. | |
INTERSERVER_2D | attacks | interserver.net | Brute force/spam/malicious IPs (last 2 days). | |
INTERSERVER_7D | attacks | interserver.net | Same as above (last 7 days). | |
INTERSERVER_ALL | attacks | interserver.net | All known malicious IPs. | |
SBLAM | abuse | sblam.com | Web form spammers. | |
SPAMDROP | spam | spamhaus.org | DROP - Do not Route Or Peer List. | |
SPAMDROPV6 | spam | spamhaus.org | DROPv6 for IPv6. | |
SPAMEDROP | spam | spamhaus.org | Extended DROP List (EDROP). | |
SSLBL | malware | abuse.ch | SSL traffic related to malware/botnets. | |
SSLBL_AGGRESSIVE | malware | abuse.ch | Aggressive SSL blacklist (may cause false positives). | |
STOPFORUMSPAM | abuse | stopforumspam.com | Forum spammer IPs. | |
STOPFORUMSPAM_180D | abuse | stopforumspam.com | Last 180 days. | |
STOPFORUMSPAM_1D | abuse | stopforumspam.com | Last 24 hours. | |
STOPFORUMSPAM_30D | abuse | stopforumspam.com | Last 30 days. | |
STOPFORUMSPAM_365D | abuse | stopforumspam.com | Last 365 days. | |
STOPFORUMSPAM_7D | abuse | stopforumspam.com | Last 7 days. | |
STOPFORUMSPAM_90D | abuse | stopforumspam.com | Last 90 days. | |
STOPFORUMSPAM_TOXIC | abuse | stopforumspam.com | Networks with heavy bot activity. | |
TOR | anonymizers | torproject.org | TOR exit node list. | |
NOTE: These lists are not under the control of OpenPanel and could have false positives.