Where do the malicious IP blocklists come from? In the last 24 hoursish my Hestia servers have been having problems with random 521 error codes through Cloudflare. I’m 99% sure the blocklist has some of the Cloudflare IP addresses blocked.
Be nice if we could easily just create our own whitelists…
The files you want to investigate are in /usr/local/hestia/data/firewall/ipset/
From the blacklist.sh script you can see that it’s getting its blocked IPs from here.
BLACKLISTS=(
"https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
"https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes
"https://www.maxmind.com/en/high-risk-ip-sample-list" # MaxMind GeoIP Anonymous Proxies
"http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
"https://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
"https://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
"https://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
"https://blocklist.greensnow.co/greensnow.txt" # GreenSnow
"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset" # Firehol Level 1
"https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_7d.ipset" # Stopforumspam via Firehol
)
The actual list of IPs you’ll need to grep through, as it’s about 1Mb in size, approx 70k addresses.
-rw-rw---- 1 root root 1.1M Feb 10 00:10 blacklist-script.v4.iplist
I’m not sure that’s your issue though. Cloudflare has been doing weird things for one of my clients today, but then it clears up without changing any firewall settings.
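A plain grep for a Cloudflare address misses blocklist entries that are CIDR ranges covering it, so here is an overlap check as an added example (not part of the original posts or of Hestia's own scripts). It assumes the iplist file holds one address or CIDR per line; `CLOUDFLARE_V4` is only a partial sample of Cloudflare's published ranges and `SAMPLE` is constructed input.

```python
import ipaddress
from pathlib import Path

# Path from the thread; one IPv4 address or CIDR per line is an assumption.
IPLIST = Path("/usr/local/hestia/data/firewall/ipset/blacklist-script.v4.iplist")

# Partial sample of Cloudflare's published IPv4 ranges; refresh from
# https://www.cloudflare.com/ips-v4 before relying on the result.
CLOUDFLARE_V4 = ["173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13",
                 "172.64.0.0/13", "162.158.0.0/15"]

def parse_entries(lines):
    """Yield (line_no, network) for each valid entry, skipping blanks and comments."""
    for no, raw in enumerate(lines, 1):
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            # strict=False accepts single hosts and CIDRs with host bits set
            yield no, ipaddress.ip_network(text, strict=False)
        except ValueError:
            continue  # not an address or CIDR; ignore the line

def find_overlaps(lines, protected=CLOUDFLARE_V4):
    """Return [(line_no, blocked_net, protected_net)] for every overlap found."""
    nets = [ipaddress.ip_network(p) for p in protected]
    hits = []
    for no, entry in parse_entries(lines):
        for net in nets:
            # overlaps() catches both a blocked host inside a protected range
            # and a blocked range that swallows a protected one
            if entry.version == net.version and entry.overlaps(net):
                hits.append((no, str(entry), str(net)))
    return hits

# Constructed sample lines, not taken from any real blocklist.
SAMPLE = ["# constructed sample", "198.51.100.7", "104.18.32.10",
          "203.0.113.0/24", "172.64.0.0/12", "not-an-ip", ""]

if __name__ == "__main__":
    # Falls back to the constructed sample when not run on a Hestia server.
    lines = IPLIST.read_text().splitlines() if IPLIST.exists() else SAMPLE
    for no, blocked, cf in find_overlaps(lines):
        print(f"line {no}: {blocked} overlaps Cloudflare range {cf}")
```

Run it as root on the server, since the iplist file is readable only by root. No output means none of the listed ranges are blocked.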
I think you’re right. While I did remove the malicious IP list from my main server, after leaving everything overnight responses everywhere stopped throwing the random 521 errors. Guess I was just thinking the only thing that changed everywhere could have been that IP list and that Cloudflare could do no wrong… who knows, maybe it could have been just a general internet routing problem.