CSF Blocklists

CSF/LFD supports downloading and applying blocklists of IPs and CIDRs from public sources.

OpenPanel does not enable any IP blocklists by default upon installation.

from OpenAdmin

To enable a blocklist from OpenAdmin interface, navigate to Security > Firewall then scroll down and click on the 'LFD Blocklists':

Uncomment the line that starts with the desired blocklist, by removing the # before it, then click on 'Change':

Finally click on 'Restart csf+lfd':

from Terminal

To enable a specific blocklist:

Open file /etc/csf/csf.blocklists
Uncomment the line that starts with the desired blocklist.
Save the file.
Restart CSF, then restart LFD: csf -ra && service lfd restart

Format

Parameter	Description
NAME	List name with all uppercase alphabetic characters, no spaces, and a maximum of 25 characters. This will be used as the iptables chain name.
INTERVAL	Refresh interval (in seconds) to download the list. Must be at least `3600` (1 hour), but `86400` (1 day) is generally sufficient.
MAX	Maximum number of IP addresses to use from the list. A value of `0` means all IPs will be included.
URL	URL of the IP list source.

Blocklists

Name	Category	Maintainer	Description
ABUSEIPDB	reputation	abuseipdb.com	IP reputation database of abusive IPs engaging in hacking attempts or other malicious behavior (You must sign up to their website for a free API key then replace YOUR_API_KEY with it in the source URL).
UNLIMITED_RS	reputation	unlimited.rs	UNLIMITED.RS attacking IP addresses (all).
BDE	attacks	blocklist.de	Blocklist.de attacking IP addresses (last hour).
BDEALL	attacks	blocklist.de	Blocklist.de attacking IP addresses (all).
BDS_ATIF	reputation	binarydefense.com	Artillery Threat Intelligence feed and banlist feed.
BFB	attacks	Daniel Gerzo	BruteForceBlocker IP List.
BLOCKLIST_NET_UA	abuse	blocklist.net.ua	Helps stop spam and brute force attacks from dubious sources.
BOGON	unroutable	team-cymru.org	Private/reserved IPs and unallocated netblocks.
BOTSCOUT	abuse	botscout.com	Prevents bots from abusing forms, spamming, etc.
CIARMY	reputation	cinsscore.com	Poor rogue packet score IPs from the CINS Army list.
DARKLIST_DE	attacks	darklist.de	SSH fail2ban reporting.
DSHIELD	attacks	dShield.org	Top 20 attacking class C (/24) subnets over 3 days.
ET_BLOCK	attacks	emergingthreats.net	Default blacklist; better to use individual ipsets.
ET_COMPROMISED	attacks	emergingthreats.net	Compromised hosts.
ET_TOR	anonymizers	emergingthreats.net	TOR network IPs.
FEODO	malware	abuse.ch	Feodo (Cridex/Bugat) trojan IPs.
GREENSNOW	attacks	greenSnow.co	Monitors brute force, FTP, SMTP, SSH, etc.
HONEYPOT	attacks	projecthoneypot.org	Dictionary attacker IPs.
INTERSERVER_2D	attacks	interserver.net	Brute force/spam/malicious IPs (last 2 days).
INTERSERVER_7D	attacks	interserver.net	Same as above (last 7 days).
INTERSERVER_ALL	attacks	interserver.net	All known malicious IPs.
SBLAM	abuse	sblam.com	Web form spammers.
SPAMDROP	spam	spamhaus.org	DROP - Do not Route Or Peer List.
SPAMDROPV6	spam	spamhaus.org	DROPv6 for IPv6.
SPAMEDROP	spam	spamhaus.org	Extended DROP List (EDROP).
SSLBL	malware	abuse.ch	SSL traffic related to malware/botnets.
SSLBL_AGGRESSIVE	malware	abuse.ch	Aggressive SSL blacklist (may cause false positives).
STOPFORUMSPAM	abuse	stopforumspam.com	Forum spammer IPs.
STOPFORUMSPAM_180D	abuse	stopforumspam.com	Last 180 days.
STOPFORUMSPAM_1D	abuse	stopforumspam.com	Last 24 hours.
STOPFORUMSPAM_30D	abuse	stopforumspam.com	Last 30 days.
STOPFORUMSPAM_365D	abuse	stopforumspam.com	Last 365 days.
STOPFORUMSPAM_7D	abuse	stopforumspam.com	Last 7 days.
STOPFORUMSPAM_90D	abuse	stopforumspam.com	Last 90 days.
STOPFORUMSPAM_TOXIC	abuse	stopforumspam.com	Networks with heavy bot activity.
TOR	anonymizers	torproject.org	TOR exit node list.