2010 IP Blacklist
Posted on July 6, 2010 in Websites by Jeff Starr
Over the course of each year, I blacklist a considerable number of individual IP addresses. Every day, Perishable Press is hit with countless numbers of spammers, scrapers, crackers and all sorts of other hapless turds. Weekly examinations of my site’s error logs enable me to filter through the chaff and cherry-pick only the most heinous, nefarious attackers for blacklisting. Minor offenses are generally dismissed, but the evil bastards that insist on wasting resources running redundant automated scripts are immediately investigated via IP lookup and denied access via a simple htaccess directive:
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 123.456.789
</Limit>
Although many of the worst attacks happen in randomized, zombie-like fashion, I have found that individual IPs that are not blacklisted will return repeatedly until finally blocked. Yet, despite the short-term success enjoyed by denying access to the most malicious IPs, the long-term futility of such blacklisting reflects the temporary nature of this solution.
In other words, I have found that blocking individual IPs is useful only for limited periods of time. Thus, every year, I gather my code and flush the blacklist of all individually blocked IP addresses. I then start fresh, adding the worst villains to the list, blocking entire IP ranges if necessary, and referring to previous versions of my htaccess files to cross-check suspiciously familiar entities. Eventually, a new blacklist emerges and I share it at Perishable Press. Here is the current version for 2010.
2010 IP Blacklist, Featuring over 100 Blocked IPs
Here is my custom-built IP blacklist for 2010:
# 2010 IP BLACKLIST
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 208.120.202.98
Deny from 208.64.202.134
Deny from 217.218.166.14
Deny from 173.65.81.35
Deny from 77.21.46.241
Deny from 82.166.163.
Deny from 85.175.209.175
Deny from 212.107.136.66
Deny from 76.70.116.52
Deny from 70.106.192.200
Deny from 213.98.214.17
Deny from 114.58.253.56
Deny from 70.27.145.208
Deny from 208.99.193.10
Deny from 58.243.5.216
Deny from 146.115.72.39
Deny from 219.136.130.241
Deny from 65.208.151.
Deny from 222.73.173.11
Deny from 65.55.106.
Deny from 72.206.102.189
Deny from 99.159.41.74
Deny from 188.40.42.199
Deny from 195.10.218.132
Deny from 69.116.41.121
Deny from 84.220.96.39
Deny from 85.137.90.133
Deny from 85.137.83.160
Deny from 91.144.190.35
Deny from 83.233.165.88
Deny from 86.35.12.14
Deny from 24.182.45.28
Deny from 97.74.24.41
Deny from 24.182.45.26
Deny from 211.206.123.177
Deny from 213.215.116.99
Deny from 188.40.89.203
Deny from 65.55.207.
Deny from 71.95.178.74
Deny from 98.189.159.150
Deny from 174.143.3.188
Deny from 66.96.248.69
Deny from 71.235.77.152
Deny from 67.36.185.44
Deny from 65.242.250.130
Deny from 194.8.75.
Deny from 188.26.51.239
Deny from 118.208.240.173
Deny from 24.43.155.122
Deny from 91.149.157.136
Deny from 88.0.172.95
Deny from 66.82.9.92
Deny from 66.63.167.50
Deny from 208.99
Deny from 64.219.110.207
Deny from 98.189.159.153
Deny from 174.127.132.10
Deny from 67.185.43.239
Deny from 83.246.164.78
Deny from 213.227.252.26
Deny from 91.213.121.24
Deny from 96.243.186.28
Deny from 67.142.164.34
Deny from 173.58.132.100
Deny from 59.160.160.9
Deny from 67.225.242.171
Deny from 71.34.43.102
Deny from 67.205.45.142
Deny from 77.49.61.248
Deny from 79.174.64.184
Deny from 207.241.228.162
Deny from 204.12.192.135
Deny from 218.24.170.133
Deny from 200.90.216.146
Deny from 86.18.88.15
Deny from 212.225.185.11
Deny from 76.115.45.61
Deny from 213.37.57.113
Deny from 192.117.105.105
Deny from 69.45.51.98
Deny from 72.193.217.97
Deny from 115.133.252.31
Deny from 117.196.229.254
Deny from 117.196.234.101
Deny from 117.196.236.41
Deny from 77.49.57.214
Deny from 71.95.178.68
Deny from 92.233.3.91
Deny from 76.25.146.62
Deny from 66.25.140.85
Deny from 79.103.230.53
Deny from 76.65.178.130
Deny from 41.129.5.121
Deny from 84.40.30.37
Deny from 110.45.143.142
Deny from 66.221.63.33
Deny from 121.254.228.146
Deny from 222.236.47.182
Deny from 118.129.170.49
Deny from 88.191.94.188
Deny from 62.141.56.136
Deny from 174.120.219.160
Deny from 67.222.152.66
Deny from 92.240.42.10
Deny from 174.142.75.205
Deny from 91.142.208.158
Deny from 64.22.96.66
Deny from 78.86.185.224
Deny from 91.205.96.19
Deny from 202.70.54.115
Deny from 213.167.96.196
Deny from 195.117.223.98
Deny from 85.17.211.164
Deny from 213.93.38.160
</Limit>
I use this blacklist on all of my sites, which are mostly WordPress, Joomla, and hand-rolled. Just pop it into the root .htaccess file and done. These are some of the worst offenders, so it’s nice knowing that they’re denied access.
How to get on next year’s list
Be a lowlife scumbag who gets off on malicious activity. If you suck enough, you’re going to get caught and appear on a list somewhere. Makes it easy to build effective IP blacklists. But remember that things change quickly, so you should refresh your ban lists as they become available. If you are using my 2007 IP Blacklist, I recommend replacing it with this one.
I’m listening, go a little deeper…
This blacklist was built over the past couple of years. Each week I review and analyze my log files, looking for patterns, noting behavior, checking data, etc. Most of the time attacks are executed simultaneously from multiple unique IPs. It’s futile to chase these “zombie” IPs around, but there are plenty of autonomous machines acting stupidly enough to make IP blocking worthwhile.
Why so bad?
Because these IPs were associated with some seriously messed up behavior. Scanning through thousands of error logs, you see a lot of nasty stuff. Most of it seems very deliberate, hit or miss kind of activity. Other requests are just plain evil. Then there are the relentless “DoS”-like attacks. But in every crop of logs, there are those nefarious IPs that are both relentless and evil.
I’m sold. Wrap it up with an example
For example, one IP in the blacklist was recorded on July 22nd, 2009, as hitting my server 4783 times with all sorts of evil scripted payload. Most of the malicious requests are now blocked in the upcoming 5G Blacklist, but the IP address was consistent throughout the attack, so we block it as well. That’s the kind of stuff we’re blocking with the 2010 IP Blacklist.
Plaintxt for EZ Updates
Update 2010/07/06: You can get the IP blacklist as a plain-text file here:
http://perishablepress.com/blacklist/ip.txt
The text file contains the IP addresses only, each on its own line. I will keep this file updated with fresh data as it becomes available. I will also post some of my other blacklists in plaintxt format and keep those updated as well. Any of these files may be used in your own security/blacklist scripts as a source of data. It’s nice to automate this kind of stuff, but you still want to keep an eye on my feed for news of updates.
Thanks to Eric Marden for the “plaintxt” suggestion!
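Since the plain-text file is meant as a data source for your own scripts, here is an added example (not code from the post or from Perishable Press) that turns a list in that one-entry-per-line format into the `<Limit>` block shown above, validating each entry and dropping comments, duplicates and malformed lines. The sample input is constructed to mimic ip.txt and is not the real file; entries may be full IPv4 addresses or Apache-style partial prefixes such as `65.55.106.` or `208.99`.

```python
"""Build an Apache <Limit> deny block from a plain-text IP blacklist."""

# Constructed sample input in the ip.txt format (one entry per line; not the real file).
SAMPLE_IP_TXT = """\
208.120.202.98
82.166.163.
208.99
# a comment line
208.120.202.98
300.1.2.3
not-an-ip
"""


def parse_entry(line):
    """Return a normalised entry, or None for blank, comment or invalid lines.

    Valid entries have 1 to 4 dotted octets in 0..255; a trailing dot
    (Apache partial-prefix style, e.g. "65.55.106.") is stripped.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    octets = line.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        return None
    if not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        return None
    return ".".join(str(int(o)) for o in octets)


def load_entries(text):
    """Parse every line, keeping the first occurrence of each valid entry in order."""
    seen, entries = set(), []
    for line in text.splitlines():
        entry = parse_entry(line)
        if entry and entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries


def htaccess_block(entries):
    """Render the entries as the <Limit> block used in the post."""
    lines = ["# IP BLACKLIST (generated)", "<Limit GET POST PUT>",
             "Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {e}" for e in entries]
    lines.append("</Limit>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(htaccess_block(load_entries(SAMPLE_IP_TXT)), end="")
```

Point `load_entries` at the contents of the downloaded file and write the result to the end of your root .htaccess; the validation step keeps a garbled download from breaking the directive.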
Thank You for taking the time to make & post this list.
I am new to being an admin for a small eCommerce site so I was wondering if you could post a walk through on what to look for in error logs?
You are talking about the basic server log right? or am I missing the boat completely.
@digideth: I use different types of logs:
As well as other custom jobs for miscellaneous stuff. I like the idea of posting a walk-through on error-log analysis. I have already posted several good articles describing some of the thinking and strategy behind log analyses and blacklisting. Here are two of my favorites:
But most of that is pretty involved material. An easy walk-through post is a great idea. Thanks :)
Any plans to release this list in a format that we can pull into a script? RSS feed, plaintxt file, etc? That way using this list of IPs can be kept up to date or added to new servers quickly and automatically.
P.S. - Thanks
@Eric Marden: Hey that’s an excellent idea. I’ll post a .txt file containing the list of IPs at:
http://perishablepress.com/blacklist/ip.txt
And then keep it updated in the future. I’ll also be adding some of my other blacklists as I get to them. Thanks for the idea :)
@jeff Thank You!
Been a subscriber for awhile and have read both those posts so…
Hopefully when you have the time, do a walk-through PLEASE!
thanks again
Thanks a lot Mr Starr.
I protect my accesses with CrawlProtect too.
Don’t know if you’ve heard of it, so this is the URI:
http://www.crawlprotect.com/
If I may ask,
how can you determine which IP should be blacklisted?
Is it mainly from the comments or mails?
Thanks
Thank you Jeff. This is really gold.
Here another IP from which someone did hot-linking to my blog. In other words I’ve seen my whole website, identical on another domain. Even the comments.
I’ve added right away into the .htaccess:
deny from 74.53.120.242
Thanks again, now I should be better protected :)
Hey Jeff I almost forgot, can you please (if you have) add an email spam list so we can use it as an email filter?
I was looking for so many times on Google for such lists but so far I never found one to be OK - too many common words in those lists so I had to clean up too much.
@Ken the tech: About the closest thing I have to an email spam filter is a blacklist for the WordPress spam/blacklist settings in the Admin Discussion options. For emails, are you referring to server-sent (like for contact forms)? For regular emails, I think ISPs, hosts, and services like Gmail filter things well enough (if not too much). Would be happy to look into building one though :)
Incredibly useful. Thanks so much!!!
So this can just be added on below your STRONG HTACCESS PROTECTION snip?
Thanks a lot Jeff
I was having problems earlier with a spammer and scraper; I ended up blocking the whole IP range instead of individual IPs.
My test site htaccess is so crammed full of stuff now I don’t know what to think. Or if I even know what I am doing.
LOL oh man. Help . . . . . name your price!
@aleSub: My pleasure :)
@Steve: Yes absolutely, or below other code that you may have. I usually place this sort of stuff at the end of the htaccess file. Is there something specific that you are needing help with? Drop me a line and I’ll see what I can do.
@midali: Awesome, glad to hear it’s useful for you :)
Thank you Jeff!
I’ve added right away into the .htaccess:
deny from 91.201.66.6
deny from 109.70.66.189
deny from 88.191.120.194
deny from 94.142.134.246
Luis, are those friends of yours? ;)
Jeff
I Don’t Think So, Why?
I’m good guy!!!
:)
Thanks for the idea :-)
Speaking of it, can anyone recommend a good raw log viewer? For access and error logs?
@Steve: I have always analyzed my log files directly, but want to build an elegant PHP/MySQL viewer for custom logs, such as error and/or access. Thanks for the reminder :)
Block 95.168.177.94
http://bit.ly/behn3H
Hey Jeff, this IP blacklist is a great idea and I’m trying it on a few WordPress sites that I work with.
How do I troubleshoot connection issues when the occasional visitor can’t access the sites I’m using this on? I’ve received a few consecutive emails where people are getting messages similar to this:
“Gone, The requested resource is no longer available on this server and there is no forwarding address. Please remove all references to this resource.”
When I remove the IP blacklist, this restores the connectivity issue. Does this mean these visitors are trying to access my sites from one of the IPs on this blacklist? If not, is there a way to view my logs and see who is trying to visit and if they’re getting blocked?
I’ve seen the links to your similar articles explaining some of the processes and they’re overwhelming but I hope to try and dig in to understand better what’s going on and how to resolve the issue. Thanks!
Hi Micah, have you cross-referenced the visitor IPs with your server access/error logs and also with the blacklist? All three should match and correspond to some event in the logbook such as the “410 - Gone” error. Also keep in mind that some of these users are working from infested machines, so they may not be the only ones using it. I hope this helps!
Is it mandatory to write the line?
What about using fail2ban? Over time, would this not build the same list?
When I add this to my .htaccess file it breaks the site, no matter where I put it or whether or not I have any IPs listed. I’m adding this to the .htaccess in the root.
I was just curious to know if the list at http://perishablepress.com/blacklist/ip.txt is still being updated or not?
@jeff, if the list is updated, what is the method used to update it? Is there a dynamic way by which the list can be updated? (looking for some magic!).
Great job.
Thanks.
Yes, I just updated that ip.txt file about a month ago, just haven’t had a lot of time for doing more with it lately. I’ll be adding another block here soon with the latest batch of bad guys.
There are dynamic ways of setting up and using blacklists using PHP et al, but I hand-cultivate my lists for maximum freshness.
Hey Jeff,
Looking for a good spam blocker so once again am back at your site looking for answers..
I have an IP to add to your list. One blog in my multisite install is being hit with huge amounts of spam. We are catching it and it ends up marked spam but still eats up the database. He had 25,000+ spam comments, 1200+ pages of them! Within ten minutes of deleting, there were 10 more already there.
Almost all are coming from these IP’s
46.4.104.73
46.4.114.8
46.4.107.79
46.4.84.242
You can see the pattern, multiple from each individual IP but all coming from 46.4.
Any help on adding this to htaccess mucho appreciated!
Hey Marty, this will work to block the entire lot of IPs:
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 46.4
</Limit>
Just add to the root htaccess file and you’re all set. You could even get more specific to avoid blocking as many IPs as possible.
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 46.4.1
Deny from 46.4.8
</Limit>
And so forth. There are other ways to blacklist as well, just in case they start using a different IP address.
Good luck!
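An added example (not code from the post or from Perishable Press) that implements Apache’s partial-IP rule for `Deny from`, so you can check which clients in an access log a list would block, as Jeff suggests to Micah above, and see exactly what the partial entries in the reply to Marty cover: a partial entry matches on whole leading octets, so `46.4` covers every 46.4.x.x address while `46.4.1` covers only 46.4.1.x. The log lines, IPs and the `LOG_RE` helper are constructed here and are not real traffic.

```python
"""Which access-log clients would an Apache 'Deny from' list block?"""
import re

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
46.4.104.73 - - [01/Jul/2010:10:00:01 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 512
46.4.114.8 - - [01/Jul/2010:10:00:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 512
46.41.2.3 - - [01/Jul/2010:10:00:03 +0000] "GET / HTTP/1.1" 200 8192
203.0.113.9 - - [01/Jul/2010:10:00:04 +0000] "GET /about/ HTTP/1.1" 200 4096
"""

# Leading client address of a common-log-format line.
LOG_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")


def denied_by(client_ip, deny_entries):
    """Return the first Deny entry matching client_ip, or None.

    Apache compares a partial entry (1 to 3 octets, optional trailing dot)
    against the client's leading octets as whole numbers, so "46.4" matches
    46.4.104.73 but "46.4.1" does not.
    """
    client = [int(o) for o in client_ip.split(".")]
    for entry in deny_entries:
        prefix = [int(o) for o in entry.rstrip(".").split(".")]
        if client[:len(prefix)] == prefix:
            return entry
    return None


def blocked_requests(log_text, deny_entries):
    """Map each blocked client IP in the log to the entry that blocks it."""
    blocked = {}
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        hit = denied_by(match.group(1), deny_entries)
        if hit:
            blocked.setdefault(match.group(1), hit)
    return blocked


if __name__ == "__main__":
    for ip, entry in blocked_requests(SAMPLE_LOG, ["46.4"]).items():
        print(f"{ip} blocked by 'Deny from {entry}'")
```

Run `blocked_requests` over the real access log with your own list to confirm that a visitor reporting an error is actually among the denied addresses before loosening anything.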
Thank you for the quick answer!
That seemed to solve it. For now at least. Added your whole IP list and 4g list as well. :)
Hi Jeff,
Do you have a good way of blocking incoming connections from proxy servers which don’t modify the HTTP headers? You posted an article before that relied on modified headers such as X_FORWARDED_FOR but sites such as quickprox.info simply forward the headers from the client’s browser verbatim.
urlblacklist.com has a decent blacklist but it’s over 65,000 domains and would be even more for IPs which don’t RDNS, such as the above example proxy. There must be a better way.
I was thinking of maybe blocking top level domains that ISPs don’t commonly use but web proxies do, such as .info, .biz, .cc and .tk. Any thoughts?
Something like this may help:
http://perishablepress.com/block-tough-proxies/
I would not advise blocking top-level domains, unless they’re really obscure ones that nobody cares about.
Also, I heart the .biz TLD =)
Thanks for the feedback :)
An example is .cc for the Cocos islands. Population 600, but over 450 known proxies there, and as it’s an Australian territory it’s most likely that any ISP that serves those 600 people would use either .com.au or .net rather than .cc. The same goes for .tk, which has a population of around 1500 but gives away thousands of free domains for redirection, or .li for Liechtenstein with a population of around 35,000. Many small islands, principalities and tax havens tend to fall into this list.
I highly doubt there are (m)any ISPs which rDNS their customers back to a .biz domain either. Same goes for .name and .info.
In fact out of the entire blacklist, around half seem to be on .info, so just blocking .info means blocking around half of the list, without affecting any real people at all.