IPsum is a threat intelligence feed based on 30+ different publicly available lists of suspicious and/or malicious IP addresses. All lists are automatically retrieved and parsed on a daily (24h) basis and the final result is pushed to this repository. List is made of IP addresses together with a total number of (black)list occurrence (for each). Greater the number, lesser the chance of false positive detection and/or dropping in (inbound) monitored traffic. Also, list is sorted from most (problematic) to least occurent IP addresses.
As an example, to get a fresh and ready-to-deploy auto-ban list of "bad IPs" that appear on at least 3 (black)lists you can run:
curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1
If you want to try it with ipset, you can do the following:
sudo su
apt-get -qq install iptables ipset
ipset -q flush ipsum
ipset -q create ipsum hash:net
for ip in $(curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add ipsum $ip; done
iptables -I INPUT -m set --match-set ipsum src -j DROP
In directory levels you can find preprocessed raw IP lists based on number of blacklist occurrences (e.g. levels/3.txt holds IP addresses that can be found on 3 or more blacklists).
| IP | DNS lookup | Number of (black)lists |
|---|---|---|
| 89.234.157.254 | marylou.nos-oignons.net | 8 |
| 107.189.11.11 | - | 8 |
| 107.189.10.174 | - | 8 |
| 82.64.185.26 | 82-64-185-26.subs.proxad.net | 8 |
| 69.158.207.141 | - | 8 |
| 46.165.245.154 | - | 8 |
| 125.17.228.202 | - | 8 |
| 107.189.10.141 | - | 8 |
| 62.102.148.68 | - | 8 |
| 209.141.42.150 | - | 8 |
| 61.155.127.173 | - | 8 |