Malicious IP Blocklist & Cloudflare

Where do the malicious ip blocklists come from? in the last 24 hoursish my hestia servers have been having problems with random 521 error codes through Cloudflare. I’m 99% sure the blocklist has some of the cloudflare ip addresses blocked.

Be nice if we could easily just create our own whitelists…

The files you want to investigate are in /usr/local/hestia/data/firewall/ipset/
From the script you can see that its getting its blocked IPs from here.

    "" # Project Honey Pot Directory of Dictionary Attacker IPs
    ""  # TOR Exit Nodes
    "" # MaxMind GeoIP Anonymous Proxies
    "" # BruteForceBlocker IP List
    "" # Spamhaus Don't Route Or Peer List (DROP)
    "" # C.I. Army Malicious IP List
    "" # attackers
    "" # GreenSnow
    "" # Firehol Level 1
    "" # Stopforumspam via Firehol

The actual list of IPs you’ll need to grep through as its about 1Mb in size, approx 70k addresses.

-rw-rw---- 1 root root 1.1M Feb 10 00:10 blacklist-script.v4.iplist

I’m not sure that’s your issue though. Cloudflare has been doing weird things for one of my clients today, but then it clears up without changing any firewall settings.

Pretty sure you could use ipset for exactly this.

1 Like

In order to “whitelist” you can:

  • Less than 10 IPs: Create a firewall rule for each IP
  • 10 and more IPs: Create an ipset and create a firewall rule

BUT this won’t work since fail2ban will still ban your IP. You need to edit fail2ban jail.local


ignoreip =

You may even try something like this

I think you’re right. While i did remove the malicious ip list from my main server, after leaving everything overnight responses everywhere stopped throwing the random 521 errors. Guess I was just thinking the only thing that changed everywhere could have been that ip list and that Cloudflare could do no wrong… who knows, maybe it could have been just a general internet routing problem.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.