[TOOL] IP BlackHole

edited April 2023 in General

Just a new project. Nothing big.

IP.blackhole.monster

Is an IP blacklist that uses multiple sensors to identify network attacks (e.g. SSH brute force) and spam incidents. All reports are evaluated and in case of too many incidents the responsible IP holder is informed to solve the problem.

P.S.: If you have some idle servers or can sponsor us a server, please mail us at [email protected]

https://github.com/BlackHoleMonster/IP-BlackHole

🚫 ALL IPs:
https://ip.blackhole.monster/blackhole

🚫 TODAY IPs:
https://ip.blackhole.monster/blackhole-today

How to use?

To get a fresh and ready-to-deploy auto-ban list of "bad IPs" you can run:

sudo su
apt-get -qq install iptables ipset
ipset -q flush blackhole
ipset -q create blackhole hash:net
for ip in $(curl --compressed https://ip.blackhole.monster/blackhole-today 2>/dev/null | grep -v "#" | grep -v -E "\s[1-2]$" | cut -f 1); do ipset add blackhole $ip; done
iptables -D INPUT -m set --match-set blackhole src -j DROP 2>/dev/null
iptables -I INPUT -m set --match-set blackhole src -j DROP
«1

Comments

  • how do you release the hash:net list safely? last time I tried similar method using maltrail, it refuses to drop the list until i reboot the machine.

    after some times if the stuck list is too big, it'll start screwing with your network (timed outs, not responding, packet dropped in the interface). but this is a non-issue if the machine has more than 256mb RAM

    Fuck this 24/7 internet spew of trivia and celebrity bullshit.

  • @Encoders
    https://ipset.netfilter.org/ipset.man.html

    flush [ SETNAME ]
    Flush all entries from the specified set or flush all sets if none is given.

  • This looks like a nice project. Good luck!

    Thanked by (1)xVPSx

    Talistech.com — ICT Consultancy and NVMe web hosting solutions.

  • edited April 2023

    @Talistech
    thanks :) soon we will add live tcpdump output from attacked servers listening on every ports, just to see whats happening in real-time

  • cool project, will use the 'All IPs' on my pfsense with pfblockerng. What update interval do you suggest 8hrs, 24hrs, weekly?

    Thanked by (1)xVPSx
  • @xyphos10
    i am glad you like it :)

    about that update, hmm, ip lists are re-generated every 20min. so depend on you how much freq. you wanna update

  • Update:
    Added #5 new server - 🇵🇱 Poland

    :)

  • ehabehab Content Writer

    i liked this if you continue updates and the fact you use ipset, its clean.
    Thank you B)

    Thanked by (1)xVPSx
  • edited April 2023

    @ehab
    enjoy, yeah i will be keeping this updating, adding more server too :)

    btw footer also have dynamic generated image with stats:

    Thanked by (1)ehab
  • Version: 0.3-βeta 🔥

    • Added special live tcpdump page to see in realtime whats going on (for now its output from one server)

  • c1vhostingc1vhosting Hosting Provider

    wow nice project!!

    Thanked by (1)xVPSx

    C1V Hosting is a leading data center, cloud, hosting, and connectivity provider based in Italy. Our state-of-the-art datacenter is located in Pomezia (Rome) and offers a range of services including VPS, dedicated servers, colocation, and connectivity solutions.

  • looks very interesting, thanks

    Thanked by (1)xVPSx
  • Version: 0.4-βeta 🔥
    Added #6 new server - 🇳🇱 Netherlands

  • Version: 0.5-βeta 🔥
    Added #7 new server - 🇩🇪 Germany

  • Whats the best way to use your script? By making a cron job and running it daily by updating the daily-IP addresses?

    Thanked by (1)xVPSx

    Talistech.com — ICT Consultancy and NVMe web hosting solutions.

  • edited April 2023

    @Talistech
    that depend how you want to use it, if you want to block only daily ips only then as the example in first post - run it in cron and you are set for daily ips.

    also you can parse the ips as you want, for example transform them in to iptables rules or ip route add blackhole ...

    Thanked by (1)Talistech
  • @xVPSx said:
    @Talistech
    that depend how you want to use it, if you want to block only daily ips only then as the example in first post - run it in cron and you are set for daily ips.

    also you can parse the ips as you want, for example transform them in to iptables rules or ip route add blackhole ...

    I'll try that out, thanks!

    Thanked by (1)xVPSx

    Talistech.com — ICT Consultancy and NVMe web hosting solutions.

  • Version: 0.6-βeta 🔥
    Added #8 new server - 🇸🇬 Singapore

    Thanked by (1)Ganonk
  • @xVPSx said:
    Version: 0.6-βeta 🔥
    Added #8 new server - 🇸🇬 Singapore

    <3

    Thanked by (1)xVPSx
  • Version: 0.7-βeta 🔥
    Added #9 new server - 🇦🇺 Australia

    Thanked by (1)Talistech
  • Version: 0.8-βeta 🔥
    Added #10 new server - 🇫🇷 France

  • 2023 April 16
    Version: 0.15-βeta 🔥
    - Added #11 new server - 🇬🇧 Great Britain
    - Added #12 new server - 🇨🇦 Canada
    - Added #13 new server - 🇳🇱 Netherlands
    - Added #14 new server - 🇺🇸 United States

    2023 April 15
    Version: 0.14-βeta 🔥
    - When searching now the output is sorted properly, newest attacks at the top

    2023 April 15
    Version: 0.13-βeta 🔥
    - When searching for IP you can now see which server is sponsored
    - Clicking to the sponsor favicon will take you to our page /sponsors

    2023 April 15
    Version: 0.12-βeta 🔥
    - Created new page for Sponsors
    -> /sponsors
    - Got our first sponsor - IncogNet.io
    -> Server #13 - 🇳🇱 Netherlands
    -> Server #14 - 🇺🇸 United States

    2023 April 15
    Version: 0.11-βeta 🔥
    - Page ASNs moved to IPs
    -> /ips
    - Created new page for ASNs
    -> /asns
    -> Possible to filter the ASN by name to get all the IPs logged

    2023 April 15
    Version: 0.10-βeta 🔥
    - Created this changelog page 😊
    -> /changelog

    2023 April 15
    Version: 0.9-βeta 🔥
    - Upgraded the main server
    -> 2 CPU cores to 4 CPU cores
    -> 4 GB RAM to 8 GB RAM
    -> HDD to SSD
    - Search for IP should also be little faster

    Thanked by (1)dosai
  • 2023 April 16
    Version: 0.16-βeta 🔥

    Got our second sponsor - Albanian Hosting SH.P.K.
    -> Server #15 - 🇦🇱 Albania
    

    Thanks goes out to @AlbaHost :)

    Thanked by (1)AlbaHost
  • 2023 April 18
    Version: 0.20-βeta 🔥

    • Removed /tcpdump old page
    • Created new TcpDump page
      -> Logging the network to see what is going on.
      -> tcpdump.blackhole.monster
    • Added #1 new server (tcpdump) - 🇱🇺 Luxembourg
    • Added #2 new server (tcpdump) - 🇦🇿 Azerbaijan
    • Added #3 new server (tcpdump) - 🇺🇦 Ukraine
  • 2023 April 19
    Version: 0.21-βeta 🔥
    - Added new IP blacklist (list contains only IP from attack not older than 15 days)
    -> /blackhole-15days
    - Added new IP blacklist (list contains only IP from attack not older than 30 days)
    -> /blackhole-30days

    Thanked by (1)someTom
  • Added your blacklist into my csf firewall, let's see how much records can my vm handle

    Thanked by (1)xVPSx
  • 2023 April 21
    Version: 0.22-βeta 🔥
    - Added #16 new server - 🇲🇩 Moldova
    - Added #17 new server - 🇦🇲 Armenia
    - Added #18 new server - 🇵🇱 Poland

  • ConfigServer Security and Firewall (CSF)

    Edit CSF blocklist file:
    nano /etc/csf/csf.blocklists
    
    Navigate to the end of the file and append the following:
    # IP.blackhole.monster blacklist
    IPBLACKHOLE|3600|0|https://ip.blackhole.monster/blackhole-today
    
    After you finish editing the file, save it and restart CSF and lfd using:
    csf -ra
    
    Check the log file to ensure that the blacklist was added correctly:
    cat /var/log/lfd.log
    
    Thanked by (1)Khalequzzaman
  • 2023 April 23
    Version: 0.23-βeta 🔥
    - Added #19 new server - 🇮🇳 India
    - Added #20 new server - 🇿🇦 South Africa

Sign In or Register to comment.