[Firehol-support] blocklists

Tsaousis, Costa costa at tsaousis.gr
Sat May 23 17:08:15 BST 2015


Hi all,

update-ipsets.sh is now able to download, parse and update (while the
firewall is running) the free MaxMind GeoLite2 Country Database.

I have also included it in the https://github.com/ktsaou/blocklist-ipsets repo.

Direct link to geolite2 ipsets here:
https://github.com/ktsaou/blocklist-ipsets/tree/master/geolite2_country

Costa


On Sun, May 17, 2015 at 11:16 PM, Tsaousis, Costa <costa at tsaousis.gr> wrote:
> Hi all,
>
> Recently I faced quite a challenge: 37.500 IPs from all over the world
> were attacking my servers for 2 weeks. It was a challenge because all
> the requests these IPs did were legitimate. They were not trying to
> damage or take control of anything. Each IP was used just a few times
> per day, to remain unnoticed. It was very hard to pinpoint them, to
> separate the attack from the normal traffic.
>
> Anyway, I managed to block them. Actually I had them blocked for 4
> days and then, suddenly, they stopped...
>
> What I found in the process is that the attackers were using open
> proxies, command and control compromised hosts, and who knows what
> else, to synchronize the attack.
>
> Another interesting observation is that their IPs seem to have a large
> overlap with anti-spam blacklists. They seem to be using the same
> hosts for both spamming and web attacks.
>
> In the last few days, I tried to extend update-ipsets.sh a lot. I
> think I have now included in it all the freely available IP
> blocklists. If you find any missing, please send me a note to add it.
>
> I have also created a new github repo at
> https://github.com/ktsaou/blocklist-ipsets which is automatically
> updated by my update-ipsets.sh. This repo mirrors all the blocklists I
> found and also generates a nice table at the bottom of the page, with
> some facts and info about each list.
>
> Normally, as a FireHOL v3 user you don't need to use this repo.
> update-ipsets.sh generates all the ipsets from scratch, so it can do
> it for you too, on your servers.
>
> Unfortunately, there are a lot of very useful blacklists that are only
> available as a DNSBL, not as a data feed. DNSBL is mainly for
> anti-spam, but as I said above, web attackers are using the exact same
> hosts for web attacks and forum spam. I tried contacting several
> DNSBLs about releasing their IP lists, without a positive response so
> far.
>
> Anyway, I hope you will find all these useful. If you have any
> suggestions, please let me know.
>
> Costa
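The quoted message says update-ipsets.sh builds every ipset from the raw feeds and can refresh them while the firewall is running. The script below is an added illustration of that pattern and is not the FireHOL project's own code: it normalizes a text blocklist feed (comments, blank lines, stray non-address tokens, duplicates) into IPv4 addresses and CIDRs, then emits an `ipset restore` script that loads the new content into a temporary set and swaps it into the live set, so the running firewall never sees a half-loaded list. The feed contents, the set name `sample_blocklist` and the IPv4-only filter are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not update-ipsets.sh itself: turn a raw text blocklist feed
# into an "ipset restore" script that refreshes a live set atomically.

# Constructed sample feed in the usual "one address or CIDR per line,
# '#' or ';' comments" style. The stray token and the duplicate are deliberate.
SAMPLE_FEED='# constructed example feed
; alternative comment style
192.0.2.0/24
198.51.100.17
not-an-ip
203.0.113.0/25 # trailing comment
192.0.2.0/24
'

# Normalize a feed read from stdin: strip comments and surrounding whitespace,
# keep only IPv4 addresses or CIDRs (assumption: IPv4 feeds only), de-duplicate.
normalize_feed() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    sort -u
}

# Emit an ipset restore script for set NAME (type hash:net, which accepts both
# single addresses and CIDR blocks). Reads normalized entries from stdin.
# Usage: build_restore_script NAME < entries
build_restore_script() {
    local name="$1" tmp="$1.tmp" entry
    # Create the target set if it is missing so the swap below works on first run.
    echo "create $name hash:net family inet -exist"
    # Fill a temporary set, then swap it into place and drop the old content.
    echo "create $tmp hash:net family inet"
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        echo "add $tmp $entry"
    done
    echo "swap $tmp $name"
    echo "destroy $tmp"
}

# Convenience wrapper: feed text in $2 -> restore script for set $1.
feed_to_restore() {
    printf '%s' "$2" | normalize_feed | build_restore_script "$1"
}

# Stand-alone usage: print the restore script. On a real host you would pipe
# this output into `ipset restore` instead of printing it.
feed_to_restore sample_blocklist "$SAMPLE_FEED"
```

Because `swap` replaces the set contents in a single operation, any iptables rule that matches on `sample_blocklist` keeps working throughout the refresh; a feed that is entirely comments still produces a valid script that swaps in an empty set, which is the safe failure mode when a list goes blank.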
