IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Greater the number, lesser the chance of false positive detection and/or dropping in (inbound) monitored traffic. Also, list is sorted from most (problematic) to least occurent IP addresses.
As an example, to get a fresh and ready-to-deploy auto-ban list of "bad IPs" that appear on at least 3 (black)lists you can run:
curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1
If you want to try it with ipset
, you can do the following:
sudo su
apt-get -qq install iptables ipset
ipset -q flush ipsum
ipset -q create ipsum hash:net
for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add ipsum $ip; done
iptables -I INPUT -m set --match-set ipsum src -j DROP
In directory levels you can find preprocessed raw IP lists based on number of blacklist occurrences (e.g. levels/3.txt holds IP addresses that can be found on 3 or more blacklists).
Important: If you are planning to use git
to get the content of this repository do it like git clone --depth 1 https://github.com/stamparm/ipsum.git
IP | DNS lookup | Number of (black)lists |
---|---|---|
178.73.215.171 | 178-73-215-171-static.glesys.net | 11 |
171.25.193.77 | tor-exit1-readme.dfri.se | 10 |
80.82.77.139 | dojo.census.shodan.io | 10 |
171.25.193.20 | tor-exit0-readme.dfri.se | 10 |
205.185.125.6 | - | 10 |
104.244.76.190 | - | 10 |
80.82.77.33 | sky.census.shodan.io | 9 |
167.99.38.73 | - | 9 |
165.227.180.210 | - | 9 |
171.25.193.78 | tor-exit4-readme.dfri.se | 9 |
198.98.60.66 | 9 | |
202.40.190.13 | ritt-190-13.ranksitt.net | 9 |
134.209.48.133 | - | 9 |
134.209.182.204 | - | 9 |
109.201.133.100 | 9 | |
166.70.207.2 | this.is.a.tor.node.xmission.com | 9 |
171.25.193.235 | tor-exit3-readme.dfri.se | 9 |
171.25.193.25 | tor-exit5-readme.dfri.se | 9 |
104.248.81.157 | - | 9 |
139.59.42.211 | - | 9 |
37.187.129.166 | ns316491.ip-37-187-129.eu | 9 |
159.65.145.206 | - | 9 |
142.93.139.119 | - | 9 |
104.236.122.193 | - | 9 |
62.210.105.116 | 62-210-105-116.rev.poneytelecom.eu | 9 |
128.199.55.17 | - | 9 |
134.209.183.233 | - | 9 |
51.15.53.83 | 83-53-15-51.rev.cloud.scaleway.com | 8 |
59.36.132.222 | - | 8 |
142.93.149.119 | - | 8 |
192.160.102.170 | ogopogo.relay.coldhak.com | 8 |
142.93.219.227 | - | 8 |
164.132.51.91 | 91.ip-164-132-51.eu | 8 |
89.234.157.254 | marylou.nos-oignons.net | 8 |
142.93.221.103 | - | 8 |
134.209.84.42 | - | 8 |
162.213.3.221 | tor-exit1.sjc02.svwh.net | 8 |
62.231.7.221 | runet-sovintel.ru-net.ru | 8 |
46.165.245.154 | - | 8 |
221.12.100.170 | - | 8 |
192.42.116.16 | tor-exit.hartvoorinternetvrijheid.nl | 8 |
185.220.102.8 | - | 8 |
134.209.199.82 | - | 8 |
198.98.62.146 | - | 8 |
68.183.80.186 | - | 8 |
68.183.80.185 | - | 8 |
176.10.104.240 | tor1e1.digitale-gesellschaft.ch | 8 |
185.220.101.46 | - | 8 |
49.207.5.158 | broadband.actcorp.in | 8 |
207.244.70.35 | - | 8 |
221.216.212.35 | - | 8 |
5.199.130.188 | tor.piratenpartei-nrw.de | 8 |
106.12.138.251 | - | 8 |
35.0.127.52 | tor-exit.eecs.umich.edu | 8 |
64.113.32.29 | tor.t-3.net | 8 |
185.35.138.173 | 185-35-138-173.v4.as62454.net | 8 |
142.93.211.234 | - | 8 |
62.102.148.67 | - | 8 |
89.248.172.16 | house.census.shodan.io | 8 |
104.244.76.13 | mrkrabs.exit.tor4us.net | 8 |
134.209.82.3 | - | 8 |
68.183.80.224 | - | 8 |
85.248.227.165 | - | 8 |
66.153.194.203 | 203.194-pool-nas8-sc.sccoast.net | 8 |
138.197.133.232 | - | 8 |
178.62.16.52 | - | 8 |
68.183.88.131 | - | 8 |
68.183.95.97 | - | 8 |