Malicious IP Blocklist & Cloudflare

Where do the malicious IP blocklists come from? In the last 24 hours or so my Hestia servers have been having problems with random 521 error codes through Cloudflare. I’m 99% sure the blocklist has some of the Cloudflare IP addresses blocked.

Be nice if we could easily just create our own whitelists…

The files you want to investigate are in /usr/local/hestia/data/firewall/ipset/
From the blacklist.sh script you can see that it’s getting its blocked IPs from here.

BLACKLISTS=(
    "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs
    "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1"  # TOR Exit Nodes
    "https://www.maxmind.com/en/high-risk-ip-sample-list" # MaxMind GeoIP Anonymous Proxies
    "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List
    "https://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP)
    "https://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List
    "https://lists.blocklist.de/lists/all.txt" # blocklist.de attackers
    "https://blocklist.greensnow.co/greensnow.txt" # GreenSnow
    "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset" # Firehol Level 1
    "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_7d.ipset" # Stopforumspam via Firehol
)

The actual list of IPs you’ll need to grep through, as it’s about 1Mb in size, approx 70k addresses.

-rw-rw---- 1 root root 1.1M Feb 10 00:10 blacklist-script.v4.iplist

I’m not sure that’s your issue though. Cloudflare has been doing weird things for one of my clients today, but then it clears up without changing any firewall settings.

Pretty sure you could use ipset for exactly this.


In order to “whitelist” you can:

  • Less than 10 IPs: Create a firewall rule for each IP
  • 10 and more IPs: Create an ipset and create a firewall rule

BUT this won’t work since fail2ban will still ban your IP. You need to edit fail2ban jail.local

/etc/fail2ban/jail.local

[DEFAULT]
ignoreip = 195.114.211.xxx 5.56.63.xxx 5.56.62.xxx 185.37.226.xxx 5.56.60.xxx

You may even try something like this
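To check whether the blocklist file actually contains addresses inside a CDN range (the grep suggested earlier in the thread) and to build the matching fail2ban ignoreip line for the whitelist steps above, here is an added Python example; it is not code from this thread or from Hestia, and both the blocklist lines and the CDN range are constructed placeholders using TEST-NET addresses, not real Cloudflare ranges.

```python
import ipaddress

# Constructed sample in the one-address-or-CIDR-per-line format of the
# Hestia ipset files; NOT a real blocklist.
SAMPLE_BLOCKLIST = """\
# constructed sample
203.0.113.7
198.51.100.0/24
192.0.2.45
203.0.113.200
"""

# Constructed placeholder standing in for the CDN's published IPv4 ranges.
# Replace with the ranges your provider publishes.
CDN_RANGES = ["203.0.113.0/24"]


def parse_iplist(text):
    """Return ip_network objects from an ipset-style list, skipping comments and junk."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # tolerate a malformed line instead of aborting the check
    return nets


def find_overlaps(blocklist_nets, allowed_cidrs):
    """Blocklist entries (as strings) that overlap any allowed range."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return sorted({str(n) for n in blocklist_nets
                   for a in allowed if n.version == a.version and n.overlaps(a)})


def fail2ban_ignoreip(allowed_cidrs, extra=()):
    """Build the jail.local ignoreip line; fail2ban accepts CIDR notation here."""
    return "ignoreip = " + " ".join(["127.0.0.1/8", *extra, *allowed_cidrs])


if __name__ == "__main__":
    hits = find_overlaps(parse_iplist(SAMPLE_BLOCKLIST), CDN_RANGES)
    print("blocklist entries inside allowed ranges:", hits)
    print(fail2ban_ignoreip(CDN_RANGES))
```

To run it against a live server, feed parse_iplist the contents of /usr/local/hestia/data/firewall/ipset/blacklist-script.v4.iplist instead of the sample; any hit is an address the blocklist would drop before fail2ban is even consulted.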

I think you’re right. While I did remove the malicious IP list from my main server, after leaving everything overnight responses everywhere stopped throwing the random 521 errors. Guess I was just thinking the only thing that changed everywhere could have been that IP list and that Cloudflare could do no wrong… who knows, maybe it could have been just a general internet routing problem.
