- Aggregation of lists of malicious IP addresses, split into files of at most 131,072 entries so they can be loaded into firewalls: Fortinet FortiGate, Palo Alto, pfSense, OPNsense, IPtables ...
- Malicious IP addresses of the scanner and brute-force kind, so they must ONLY be blocked inbound, in the WAN > LAN direction
- IP addresses ordered by the number of sources they appear in (the malicious IPs appearing in the most sources are in the first file, full-aa.txt)
- Updated every hour
Files to use (links in the "Links" section below):
- full-aa.txt: the 131,072 most malicious IP addresses
- full-a*.txt: all malicious IP addresses, in files of 131,072 IPs (for FortiOS < 7.4.4)
- full-40k.txt: the 40,000 most malicious IP addresses
- full-300k-a*.txt: all malicious IP addresses, in files of 300,000 IPs (for FortiOS > 7.4.4)
- malicious-ip-by-country/full-*.txt: all malicious IP addresses of a given country (if you need a country file that is missing, send me a message)
Whitelist: the IP addresses of the following services are removed from the files: Google Bot, Bing Bot.
Update of the following table: 2025-04-27 06:49 CEST
| Malicious IP addresses in full-* | % | Number of IPs |
|---|---|---|
| Present in 6 sources and more | 5.09 % | 34,730 |
| Present in 5 sources | 3.54 % | 24,154 |
| Present in 4 sources | 3.46 % | 23,628 |
| Present in 3 sources | 6.11 % | 41,669 |
| Present in 2 sources | 18.14 % | 123,634 |
| Present in 1 source | 63.62 % | 433,548 |
| Total | 100 % | 681,363 |
Update of the common IP table with the FortiGate ISDB Malicious-Malicious.Server: 2025-04-27 01:30 CEST
| FortiGate models | full-* IPs common with ISDB |
|---|---|
| 100F and below | 3.31 % |
| 200F and above | 21.77 % |
History of statistics here.
Classification by country and organizations of malicious IP addresses present in at least 2 sources.
How to integrate these lists into a firewall?
- FortiGate
- It is a complement to the FortiGate ISDB "Malicious-Malicious.Server" database (statistics on the IP addresses common to the full-* list and the ISDB here).
- Menu "Security Fabric → External Connectors → Create New → IP Address"
- Use one of the URLs from the "Links" section below
- The lists can then be used in a "Firewall Policy" as "IP Address Threat Feed" objects.
- Loading the full list has been validated even on the smallest FortiGate appliance, the 40F
- More information: my tutorial, the video tutorial from a Fortinet security expert and this Fortinet help page
- Palo Alto: here. PA-3200 models and above are limited to 150k IPs (use full-aa.txt only); lower models are limited to 50k IPs (use the full-40k.txt file)
- Sophos: link.
- pfSense: via the pfBlocker-NG package. The maximum number of entries must also be increased: see here.
- OPNsense: via the API (doc). Change the maximum number of entries for an alias: "Firewall -> Settings -> Advanced -> Firewall Maximum Table Entries".
- IPTables with the "ipset" package: tutorial 1, tutorial 2
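The ipset/IPTables integration above as an added example; this is not the project's own code nor the linked tutorials. It assumes an ipset named malicious-ip with a maxelem of 1,048,576 and a Linux gateway with curl, ipset and iptables; the file segments are the full-a*.txt names listed under the Links section.

```shell
#!/bin/sh
# Added example (not the project's code). Assumed: set name "malicious-ip", maxelem 1048576.
BASE_URL="https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main"
SET_NAME="malicious-ip"
SEGMENTS="aa ab ac ad ae af ag ah ai aj ak"   # full-a*.txt segments listed on the page

# Print an "ipset restore" script for the given list files: fill a temporary set with the
# valid IPv4 addresses (CR, blank lines, comments and garbage dropped, duplicates merged),
# then swap it in atomically so the blocklist is never absent while it is being refreshed.
build_ipset_restore() {
  name="$1"; shift
  echo "create ${name}-tmp hash:ip family inet maxelem 1048576"
  cat "$@" | tr -d '\r' | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u \
    | sed "s/^/add ${name}-tmp /"
  echo "swap ${name}-tmp ${name}"
  echo "destroy ${name}-tmp"
}

# Number of addresses the restore script would load: a sanity check before applying it.
count_entries() {
  build_ipset_restore "$SET_NAME" "$@" | grep -c '^add '
}

# Download the segments and apply them. The rules match on the SOURCE address in INPUT and
# FORWARD only, i.e. the inbound WAN > LAN direction these lists are meant for.
apply_blocklist() {
  workdir=$(mktemp -d)
  for seg in $SEGMENTS; do
    curl -fsSL "${BASE_URL}/full-${seg}.txt" -o "${workdir}/full-${seg}.txt" || break
  done
  ipset create "$SET_NAME" hash:ip family inet maxelem 1048576 -exist
  ipset destroy "${SET_NAME}-tmp" 2>/dev/null
  build_ipset_restore "$SET_NAME" "${workdir}"/full-*.txt | ipset restore
  # -A appends after existing rules: keep your conntrack ESTABLISHED rule ahead of it so
  # replies to LAN-initiated sessions are not dropped by the source match.
  for chain in INPUT FORWARD; do
    iptables -C "$chain" -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
      || iptables -A "$chain" -m set --match-set "$SET_NAME" src -j DROP
  done
  rm -rf "$workdir"
}
```

Run apply_blocklist from an hourly cron job to follow the page's update cadence; the swap keeps the previous set active until the new one is fully loaded.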
File URLs with all malicious IP addresses split into files of 131,072 IPs (in particular for FortiOS < 7.4.4):
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-aa.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ab.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ac.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ad.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ae.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-af.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ag.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ah.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ai.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-aj.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ak.txt
File URLs with all malicious IP addresses split into files of 300,000 IPs (in particular for FortiOS > 7.4.4):
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-300k-aa.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-300k-ab.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-300k-ac.txt
File URL of the 40,000 most malicious IPs (for small firewalls or Palo Alto models below the PA-3200):
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-40k.txt
Example URL of a country file:
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/malicious-ip-by-country/full-fr-aa.txt
| Filename | Source | History | Description |
|---|---|---|---|
| abuseipdb-* | link | 120d | Collaborative blocklist |
| alienvault-fakelabs-* | link | 30d | SSH brute-force honeypot |
| alienvault-georgs-* | link | 30d | RDP/SSH/VNC intrusion and Trojan requests |
| alienvault-ssh-bruteforce-* | link | 30d | SSH brute-force honeypot |
| binarydefense.com-* | link | 30d | IP block list maintained by Binary Defense |
| blocklist.de-* | link | 30d | Collaborative blocklist (6k sensors) (stats) |
| cinsscore.com-* | link | 30d | IP block list maintained by CINS |
| emergingthreats.net-* | link | 30d | IP block list maintained by Proofpoint |
| greensnow.co-* | link | 30d | IP block list maintained by greensnow.co |
| isc.sans.edu-* | link | 20d | Collaborative blocklist (500k sensors): false positives removed |
| malicious-ip-* | link | - | Private honeypots and other sources |
| projecthoneypot.org-* | link | 30d | Collaborative blocklist |
| sekio-* | - | 30d | Malicious IPs sent by my customers |
| snort.org-* | link | 30d | IP block list maintained by snort.org (owned by Cisco Talos) |
| stamparm-* | link | 30d | Aggregation of lists of malicious IP addresses |
- 2025-02-08: Akamai removed (source no longer available)
- 2024-08-23: Added 300k malicious IP files and malicious IP by country files
- 2024-07-05: New source: projecthoneypot.org
- 2024-06-05: Whitelisting of IP addresses used by Cloudflare
- 2024-05-26: New source: binarydefense.com. Improved exploitation of isc.sans.edu with low signal IPs. Moving historical source files to the source folder.
- 2024-01-20: New sources: alienvault-ssh-bruteforce, alienvault-georgs, alienvault-fakelabs.
- 2024-01-19: New sources: stamparm, akamai.
- 2024-01-16: Whitelisting of IP addresses used by French mobile operators.
- 2023-12-26: New sources: cinsscore.com, emergingthreats.net, greensnow.co, snort.org.
- 2023-10-05: New source: isc.sans.edu.
- 2023-09-26: New sources: blocklist.de, abuseipdb.com.
- 2023-09-20: Initial release with first source: malicious-ip (github.com/duggytuxy/malicious_ip_addresses).
Contact me via LinkedIn (my profile) to:
- report false positives
- be notified when a new file segment is created (so you can add it to your firewall)
- suggest another source of malicious IP addresses for me to add (see the current sources)