Data-Shield IPv4 Blocklist is an additional layer of protection containing a list of IP addresses (version 4) whose activities have been detected as malicious.

duggytuxy/Data-Shield_IPv4_Blocklist

🛡Block malicious IP addresses and reduce your attack surface!

🧱Data-Shield IPv4 Blocklist

This list is designed around the discipline of Deceptive Security based on intelligent behavioral analysis of malicious activities related to cybercrime.

Data-Shield IPv4 Blocklist contains the most recent data (IPv4 addresses) to provide an additional layer of security for your firewall, WAF, and DNS sinkhole instances.

🎯Why Data-Shield IPv4 Blocklist?

  • Protective layer: Data-Shield IPv4 Blocklist provides an additional layer of security that reduces the number of your exposed assets (web applications, websites, DMZs, public IPs, etc.) and their attack surface, cutting down the recon phase and the exposure of your data on platforms such as Shodan and similar.
  • Open to the general public: Data-Shield IPv4 Blocklist is open to any user with a firewall, WAF, DNS sinkhole, and other similar protection mechanisms.
  • Single origin: Data-Shield IPv4 Blocklist comes from a single source, processed by probes located around the world. Logs are centralized on a self-hosted HIDS/SIEM platform, secured via an open-source WAF.
  • Easy integration into your firewall, WAF, DNS sinkhole instances: This list can be integrated into most vendors' products as a single link (RAW), so that the included data is recognized in the standard way.
  • Customizable based on vendor limitations: Some vendors have limited the number of IPv4 addresses per entry (per list) to prevent resource consumption overload. Data-Shield IPv4 Blocklist is designed to comply with this limitation by creating split lists.

Important

  • Data reliability (IPv4): Data-Shield IPv4 Blocklist provides high-quality, reliable data by minimizing false positives to avoid blocking legitimate exposed instances.
  • Frequency of updates: Data-Shield IPv4 Blocklist is updated every 24 hours to maintain the most recent data in order to protect you as effectively as possible.
  • Data retention (IPv4 only): Data retention is limited to a maximum of 15 days. This retention is mainly used to continuously monitor the activities of IPv4 addresses tagged as malicious, which have short lifespans but are likely to resurface.
  • Performance: Data-Shield IPv4 Blocklist is just as effective as those offered by other solutions and vendors.
  • The GNU GPLv3 Licence: Data-Shield IPv4 Blocklist is licensed under GNU GPLv3.

🚀Objectives

  • Reduce noise by up to 50%, save time on incident response, reduce consumption of CPU, RAM, and other server resources.
  • Block up to approximately 90% of malicious bot traffic in order to significantly reduce the load on servers in terms of resources.
  • Automatic update of blocklists via GitHub, jsDelivr CDN and Gitea Raw URLs (GitLab coming soon...) and by scripts.

📋Production lists

Note

Data-Shield IPv4 Blocklist consists of 5 official lists that are updated every 24 hours.

Important

The complete set of lists in production, with their uses and limitations:

Tip

Use the official URLs of the GitHub repository

  • prod_data-shield_ipv4_blocklist.txt: Full list, limited to 110,000 IPv4 addresses: https://raw.githubusercontent.com/duggytuxy/Data-Shield_IPv4_Blocklist/refs/heads/main/prod_data-shield_ipv4_blocklist.txt
  • prod_aa_data-shield_ipv4_blocklist.txt: Split list A, limited to 30,000 IPv4 addresses: https://raw.githubusercontent.com/duggytuxy/Data-Shield_IPv4_Blocklist/refs/heads/main/prod_aa_data-shield_ipv4_blocklist.txt
  • prod_ab_data-shield_ipv4_blocklist.txt: Split list B, limited to 30,000 IPv4 addresses: https://raw.githubusercontent.com/duggytuxy/Data-Shield_IPv4_Blocklist/refs/heads/main/prod_ab_data-shield_ipv4_blocklist.txt
  • prod_ac_data-shield_ipv4_blocklist.txt: Split list C, limited to 30,000 IPv4 addresses: https://raw.githubusercontent.com/duggytuxy/Data-Shield_IPv4_Blocklist/refs/heads/main/prod_ac_data-shield_ipv4_blocklist.txt
  • prod_ad_data-shield_ipv4_blocklist.txt: Split list D, limited to 30,000 IPv4 addresses: https://raw.githubusercontent.com/duggytuxy/Data-Shield_IPv4_Blocklist/refs/heads/main/prod_ad_data-shield_ipv4_blocklist.txt

Or

Tip

Use URLs from the jsDelivr CDN (Mirror Only)

  • prod_data-shield_ipv4_blocklist.txt: Full list, limited to 110,000 IPv4 addresses: https://cdn.jsdelivr.net/gh/duggytuxy/Data-Shield_IPv4_Blocklist@main/prod_data-shield_ipv4_blocklist.txt
  • prod_aa_data-shield_ipv4_blocklist.txt: Split list A, limited to 30,000 IPv4 addresses: https://cdn.jsdelivr.net/gh/duggytuxy/Data-Shield_IPv4_Blocklist@main/prod_aa_data-shield_ipv4_blocklist.txt
  • prod_ab_data-shield_ipv4_blocklist.txt: Split list B, limited to 30,000 IPv4 addresses: https://cdn.jsdelivr.net/gh/duggytuxy/Data-Shield_IPv4_Blocklist@main/prod_ab_data-shield_ipv4_blocklist.txt
  • prod_ac_data-shield_ipv4_blocklist.txt: Split list C, limited to 30,000 IPv4 addresses: https://cdn.jsdelivr.net/gh/duggytuxy/Data-Shield_IPv4_Blocklist@main/prod_ac_data-shield_ipv4_blocklist.txt
  • prod_ad_data-shield_ipv4_blocklist.txt: Split list D, limited to 30,000 IPv4 addresses: https://cdn.jsdelivr.net/gh/duggytuxy/Data-Shield_IPv4_Blocklist@main/prod_ad_data-shield_ipv4_blocklist.txt

Or

Tip

Use the official URLs of the GitLab repository

  • prod_data-shield_ipv4_blocklist.txt: Full list, limited to 110,000 IPv4 addresses: https://gitlab.com/duggytuxy/Data-Shield-IPv4-Blocklist/-/raw/main/prod_data-shield_ipv4_blocklist.txt?ref_type=heads
  • prod_aa_data-shield_ipv4_blocklist.txt: Split list A, limited to 30,000 IPv4 addresses: https://gitlab.com/duggytuxy/Data-Shield-IPv4-Blocklist/-/raw/main/prod_aa_data-shield_ipv4_blocklist.txt?ref_type=heads
  • prod_ab_data-shield_ipv4_blocklist.txt: Split list B, limited to 30,000 IPv4 addresses: https://gitlab.com/duggytuxy/Data-Shield-IPv4-Blocklist/-/raw/main/prod_ab_data-shield_ipv4_blocklist.txt?ref_type=heads
  • prod_ac_data-shield_ipv4_blocklist.txt: Split list C, limited to 30,000 IPv4 addresses: https://gitlab.com/duggytuxy/Data-Shield-IPv4-Blocklist/-/raw/main/prod_ac_data-shield_ipv4_blocklist.txt?ref_type=heads
  • prod_ad_data-shield_ipv4_blocklist.txt: Split list D, limited to 30,000 IPv4 addresses: https://gitlab.com/duggytuxy/Data-Shield-IPv4-Blocklist/-/raw/main/prod_ad_data-shield_ipv4_blocklist.txt?ref_type=heads

Or

Tip

Use the official URLs of the Gitea repository (Mirror Only)

  • prod_data-shield_ipv4_blocklist.txt: Full list, limited to 110,000 IPv4 addresses: https://gitea.com/duggytuxy/Data-Shield_IPv4_Blocklist/raw/branch/main/prod_data-shield_ipv4_blocklist.txt
  • prod_aa_data-shield_ipv4_blocklist.txt: Split list A, limited to 30,000 IPv4 addresses: https://gitea.com/duggytuxy/Data-Shield_IPv4_Blocklist/raw/branch/main/prod_aa_data-shield_ipv4_blocklist.txt
  • prod_ab_data-shield_ipv4_blocklist.txt: Split list B, limited to 30,000 IPv4 addresses: https://gitea.com/duggytuxy/Data-Shield_IPv4_Blocklist/raw/branch/main/prod_ab_data-shield_ipv4_blocklist.txt
  • prod_ac_data-shield_ipv4_blocklist.txt: Split list C, limited to 30,000 IPv4 addresses: https://gitea.com/duggytuxy/Data-Shield_IPv4_Blocklist/raw/branch/main/prod_ac_data-shield_ipv4_blocklist.txt
  • prod_ad_data-shield_ipv4_blocklist.txt: Split list D, limited to 30,000 IPv4 addresses: https://gitea.com/duggytuxy/Data-Shield_IPv4_Blocklist/raw/branch/main/prod_ad_data-shield_ipv4_blocklist.txt
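
Because each list has a fixed size cap and is fed straight into a blocking rule, it is worth checking a downloaded copy before loading it. The following is an added example, not code from the Data-Shield project: the function name `check_blocklist` is hypothetical, and it assumes the file holds one IPv4 address per line (blank lines and `#` comments skipped).

```shell
#!/bin/sh
# Added example (not the project's script): sanity-check a downloaded list
# before it is loaded into a firewall set.
# Assumption: one IPv4 address per line; blank lines and '#' comments are skipped.

# check_blocklist FILE MAX
#   prints the accepted, de-duplicated addresses on stdout
#   returns 1 if any line is rejected, the list is empty, or it exceeds MAX
check_blocklist() {
    awk -v max="$2" '
    function reject(why) {
        printf "line %d rejected (%s): %s\n", NR, why, $0 > "/dev/stderr"
        bad++
    }
    { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # tolerate CRLF and padding
    $0 == "" || /^#/ { next }
    !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { reject("not a dotted quad"); next }
    {
        split($0, o, ".")
        for (i = 1; i <= 4; i++)
            if (length(o[i]) > 3 || o[i] ~ /^0./ || o[i] + 0 > 255) { reject("bad octet"); next }
        a = o[1] + 0; b = o[2] + 0
        # Private and reserved ranges are never valid internet sources; finding
        # one means the file is corrupted or not the list you expected.
        if (a == 0 || a == 10 || a == 127 || a >= 224 ||
            (a == 100 && b >= 64 && b <= 127) || (a == 169 && b == 254) ||
            (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168)) {
            reject("private or reserved range"); next
        }
        if (!($0 in seen)) { seen[$0] = 1; list[++n] = $0 }
    }
    END {
        if (n == 0) { print "no usable addresses" > "/dev/stderr"; exit 1 }
        if (n > max + 0) { printf "%d addresses exceed the cap of %d\n", n, max > "/dev/stderr"; exit 1 }
        if (bad > 0) exit 1
        for (i = 1; i <= n; i++) print list[i]
    }' "$1"
}

# Stand-alone use: ./check_blocklist.sh prod_aa_data-shield_ipv4_blocklist.txt 30000
if [ "$#" -eq 2 ]; then check_blocklist "$1" "$2"; fi
```

The check fails closed: on any rejected line nothing is printed, so the previously loaded set stays in place until the download is inspected.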

🎓Integration tutorials:

Important

For blocking to be operational and effective, the main firewall rule that uses the Data-Shield IPv4 Blocklist lists is implemented in the following direction:

Tip

From the internet to the internal network (WAN to LAN)

Caution

Do not integrate these flow rules in this direction (LAN to WAN)

Note

To facilitate the integration of Data-Shield IPv4 Blocklist into firewall instances, here is a non-exhaustive list of some tutorials offered by vendors and the Cyber community:

  • Fortinet: Official guide: https://docs.fortinet.com/document/fortigate/7.4.9/administration-guide/379433/configuring-a-threat-feed#threat-ext
  • Checkpoint: Manufacturer's guide: https://sc1.checkpoint.com/documents/R80.20SP/WebAdminGuides/EN/CP_R80.20SP_Maestro_AdminGuide/Topics-Maestro-AG/IP-Block-Feature.htm
  • Palo Alto: EDL Overview: https://docs.paloaltonetworks.com/network-security/security-policy/administration/objects/external-dynamic-lists/configure-the-firewall-to-access-an-external-dynamic-list#configure-the-firewall-to-access-an-external-dynamic-list-panorama
  • OPNsense: Slash-Root Guide (Julien Louis): https://slash-root.fr/opnsense-block-malicious-ips/
  • Stormshield: Official video: https://www.youtube.com/watch?v=yT2oas7M2UM
  • F5 BIG-IP: Official guide: https://my.f5.com/manage/s/article/K10978895
  • NFtables, IPtables: Duggy Tuxy tutorial: See the tutorial link
  • NAS Synology: MyOwnServer's website: https://myownserver.org/posts/Automatiser_la_liste_de_blocage.html

⚙Integration scripts

Tip

Implementing the Data-Shield IPv4 Blocklist with NFtables:

Caution

Test the scripts in pre-production or a lab first to avoid side effects (rules not adapted to the environment, etc.) in production.

  • Create a directory to store the blocklist and script:
        mkdir /etc/nftables_blocklist
        cd /etc/nftables_blocklist
  • Download the script using the following command:
        wget https://github.com/duggytuxy/Data-Shield_IPv4_Blocklist/releases/download/v1.1.1/update_nftables_blocklist.sh
  • Check the SHA-256 of the file with the following command; the output must match the expected value:
        sha256sum update_nftables_blocklist.sh
  • Expected sha256: 840b852e5a2f20d73f37b120fdb33a0d3dd75262ad938feb3a4411933bc43ab9
  • Make the script executable:
        chmod +x /etc/nftables_blocklist/update_nftables_blocklist.sh
  • To keep your blocklist updated, create a cron job to run the script regularly:
        crontab -e
  • Add the following line to execute the script every hour:
        0 * * * * /etc/nftables_blocklist/update_nftables_blocklist.sh
  • Save and exit the editor.

Note

Logrotate configuration

  • Create the file /etc/logrotate.d/nft_blocklist with the following content:
        /var/log/nft_blocklist_update.log {
            daily
            rotate 14
            compress
            delaycompress
            missingok
            notifempty
            create 640 root adm
        }
  • Immediate test:
        sudo logrotate -f /etc/logrotate.d/nft_blocklist

Tip

Implementing the Data-Shield IPv4 Blocklist with IPtables:

Caution

Test the scripts in pre-production or a lab first to avoid side effects (rules not adapted to the environment, etc.) in production.

  • Create a directory to store the blocklist and script:
        mkdir /etc/iptables_blocklist
        cd /etc/iptables_blocklist
  • Download the script using the following command:
        wget https://github.com/duggytuxy/Data-Shield_IPv4_Blocklist/releases/download/v1.0.0/update_iptables_blocklist.sh
  • Check the SHA-256 of the file with the following command; the output must match the expected value:
        sha256sum update_iptables_blocklist.sh
  • Expected sha256: 6781142b77935a1bf8efcd036aac06ee0c028f7940c253b327952beb1b0a94c9
  • Make the script executable:
        chmod +x /etc/iptables_blocklist/update_iptables_blocklist.sh
  • To keep your blocklist updated, create a cron job to run the script regularly:
        crontab -e
  • Add the following line to execute the script every hour:
        0 * * * * /etc/iptables_blocklist/update_iptables_blocklist.sh
  • Save and exit the editor.

Note

Logrotate configuration

  • Create the file /etc/logrotate.d/ipset_update with the following content:
        /var/log/ipset_update.log {
            daily
            rotate 7
            compress
            delaycompress
            missingok
            notifempty
            create 640 root adm
        }
  • Immediate test:
        sudo logrotate -f /etc/logrotate.d/ipset_update
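
In the NFtables and IPtables procedures above, the SHA-256 is compared by eye before a script that cron will run every hour is made executable. The following added example (not part of the project's scripts; `sha256_matches` and `install_verified` are hypothetical names) pins the two hashes published on this page and installs a downloaded file only when it matches.

```shell
#!/bin/sh
# Added example (not part of the project): install an update script only if
# it matches the SHA-256 published on this page.
NFT_SHA256=840b852e5a2f20d73f37b120fdb33a0d3dd75262ad938feb3a4411933bc43ab9   # v1.1.1
IPT_SHA256=6781142b77935a1bf8efcd036aac06ee0c028f7940c253b327952beb1b0a94c9   # v1.0.0

# sha256_matches FILE EXPECTED_HEX -> 0 only on an exact match
sha256_matches() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A truncated or mistyped pin must fail, not silently pass
    case $want in ''|*[!0-9a-f]*) return 1 ;; esac
    [ "${#want}" -eq 64 ] || return 1
    [ -f "$1" ] || return 1
    got=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$got" = "$want" ]
}

# install_verified SRC EXPECTED_HEX DEST
# Copies SRC to a private temp file, verifies that copy, and only then makes
# it executable and moves it into place, so the checked bytes are the ones run.
install_verified() {
    tmp=$(mktemp "$3.XXXXXX") || return 1
    if cp "$1" "$tmp" && sha256_matches "$tmp" "$2"; then
        chmod 0755 "$tmp" && mv "$tmp" "$3"
    else
        rm -f "$tmp"
        echo "SHA-256 mismatch for $1: not installed" >&2
        return 1
    fi
}

# Stand-alone use, after downloading to a scratch location:
#   ./install_verified.sh ./update_nftables_blocklist.sh "$NFT_SHA256" \
#       /etc/nftables_blocklist/update_nftables_blocklist.sh
if [ "$#" -eq 3 ]; then install_verified "$@"; fi
```

A pinned hash is tied to one release, so it has to be updated together with the release URL whenever a newer version of the script is adopted.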

💖Support Data-Shield IPv4 Blocklist!

Note

Data-Shield IPv4 Blocklist requires time and funding, which is why donations are important to keep it maintained over time and in the best possible conditions:

  • Ko-Fi: https://ko-fi.com/laurentmduggytuxy
  • Duggy Tuxy Store: https://duggy-tuxy.myspreadshop.be

⚖Licence

Important

Data-Shield IPv4 Blocklist 2023-2025 by Duggy Tuxy (Laurent Minne) is under license