A comprehensive, automatically maintained IP blacklist compiled from multiple trusted threat intelligence sources to help protect servers, firewalls, and network infrastructure against malicious traffic.
| Metric | Value |
|---|---|
| Blocked IP Addresses | 239957 |
| Update Frequency | Every 6 hours |
| Security Sources | 15 |
| Duplicates | Automatically Removed |
| Private IPs | Filtered Out |
| Format | Plain Text |
π₯ The blacklist currently contains 239957 unique malicious IP addresses, aggregated from 15 trusted security feeds and refreshed every 6 hours.
curl -O https://raw.githubusercontent.com/ufukart/Blacklist/main/blacklist.txtor
wget https://raw.githubusercontent.com/ufukart/Blacklist/main/blacklist.txtThis repository provides a continuously updated blacklist of malicious IPv4 addresses aggregated from multiple reputable threat intelligence providers.
At a glance:
- Total IPs: 239957 (varies with updates)
- Update Frequency: Every 6 hours
- Sources: 15 trusted security feeds
- Format: Plain text, one IP per line
- Duplicates: Automatically removed
- Private IPs: Filtered out (RFC 1918)
The blacklist is designed for use with:
- Firewalls
- Intrusion Prevention Systems (IPS)
- Intrusion Detection Systems (IDS)
- Web Application Firewalls (WAF)
- Reverse Proxies
- Security Appliances
- Custom Security Scripts
The list includes addresses associated with:
- Malicious bots
- Brute-force attacks
- Spam sources
- Tor exit nodes
- Known attackers
- Threat intelligence feeds
- iptables
- ipset
- nftables
- Fail2Ban
- CSF
- UFW
- pfSense
- OPNsense
- MikroTik
1.2.3.4
8.8.8.8
203.0.113.0/24
...
- Plain text
- One IP/CIDR per line
- UTF-8
- IPv4 only
- No comments
- Ready for automation
This project aggregates, deduplicates, and merges IP blacklist feeds from the following trusted open-source threat intelligence sources:
| Source | Description |
|---|---|
| Zumbo Threat Intelligence | IP addresses detected in real time by the Zumbo server infrastructure for malicious activities such as brute-force attacks, vulnerability scanning, exploit attempts, and other abusive behavior. |
| AbuseIPDB (Borestad Mirror) | IP addresses reported for abuse within the last 30 days with a 100% confidence score. |
| RTBH Blocklist | A Remote Triggered Black Hole (RTBH) blacklist of IP addresses associated with malicious traffic, maintained in TΓΌrkiye. |
| Blocklist.de | Aggregated IP addresses detected attacking SSH, mail, web, and other Internet services. |
| CINS Score β Bad Guys | Malicious IP addresses identified by the CINS Army and assigned a poor reputation score. |
| FireHOL β StopForumSpam (7d) | IP addresses involved in forum and comment spam activity during the past 7 days. |
| GreenSnow | IP addresses observed performing brute-force attacks, port scanning, and other malicious activities. |
| FireHOL Level 1 | A low false-positive, general-purpose blacklist covering widely recognized malicious IPs. |
| Spamhaus DROP | Network ranges that are fully controlled by cybercriminals or allocated exclusively for malicious activity. |
| Tor Bulk Exit List | The current list of Tor exit node IP addresses. |
| BruteForceBlocker | IP addresses observed conducting SSH brute-force attacks. |
| Project Honey Pot | IP addresses detected engaging in malicious activity by the Project Honey Pot network. |
| Emerging Threats β Compromised IPs | IP addresses of known compromised servers and devices. |
| Feodo Tracker | IP addresses associated with command-and-control (C2) infrastructure used by malware families such as Feodo, Dridex, and Emotet. |
| ThreatView β High Confidence Feed | High-confidence threat intelligence feed containing verified malicious IP addresses. |
| IPsum | A reputation-ranked IP list compiled from numerous threat intelligence sources. |
β Multiple trusted sources
β Duplicate removal
β Private IP filtering
β Ready for production
β Free forever
β Updated every 6 hours
The blacklist is automatically regenerated every 6 hours.
Each update performs the following:
- Downloads all source lists
- Removes duplicates
- Filters private IP ranges
- Removes localhost addresses
- Removes invalid entries
- Generates the final blacklist
The following entries are automatically excluded:
- RFC1918 Private Networks
- Localhost
- Link-local addresses
- Multicast ranges
- Duplicate entries
- Invalid records
while read ip; do
iptables -A INPUT -s "$ip" -j DROP
done < blacklist.txtwhile read ip; do
nft add element inet blacklist blocked_ips { $ip }
done < blacklist.txtContributions are welcome.
You can help by:
- Reporting false positives
- Suggesting new security feeds
- Improving documentation
- Submitting pull requests
Released under the MIT License.
If this project helps protect your infrastructure, consider:
- β Starring the repository
- π΄ Forking the project
- π Supporting via PayPal
blacklist ip-blacklist iptables firewall security malware botnet threat-intelligence cybersecurity network-security