We have blocked 931487 IPs now.
News:
27.01.2012
X-ARF-Validator fixed and online
21.12.2011
Since 20.12, 12 am, no new reports were sent because the database field for the report ID was too small. This is now fixed.
03.12.2011
Blocklist is now running on an ex6 and 2 webservers
05.11.2011
Spammers register accounts in other forums and blogs with @blocklist.de. These users/comments are not from blocklist.de! Please file a police report against the spamming IP!
04.11.2011
A server, 178.73.218.201 (wserv201.woodcrane.com), has sent over 7000 registrations and a lot of contact forms and created over 7000 konsole-h accounts with @blocklist.de. The case is open with the police.
04.08.2010
The IP-Lists are now included in www.ipvoid.com.
API/DNS from blocklist.de.
get blocklist.de results via DNS
The API can currently only return attacks and reports per user, server or IP address.
The call is therefore not particularly well protected.
The base URL of every call is: https://api.blocklist.de/api.php?
The following parameters are required (server or email or ip):
| server | ID of the server to query (int) |
| email | E-mail address of the user (string) |
| ip | IP address to check for attacks (string) |
| apikey | The API Key from the server or user (string) |
Optional parameters:
| start | Start time as a Unix timestamp (int). If 1 is passed, the search starts from the very beginning (takes a while) |
| ende | End time as a Unix timestamp (int), up to which the search runs |
| format | Output format: text (default, two rows), php (serialized), xml (xml file), json (json encoded) |
If no start is passed, the current time minus 24 hours is used.
Examples:
Query server 25 from 01/04/2010 04:05:00 until today:
server=25
apikey=server-key
start=1270087500
https://api.blocklist.de/api.php?server=25&apikey=xxxx&start=1270087500
Query server 10 from 01/04/2010 04:05:00 until 06/10/2010 20:10:00:
server=10
apikey=server-key
start=1270087500
ende=1276193400
https://api.blocklist.de/api.php?server=10&apikey=xxxx&start=1270087500&ende=1276193400
Query for the user "test" over the whole period until today:
email=email@adresse-wie-im-profil.tld
apikey=user-key
start=1
https://api.blocklist.de/api.php?email=email@adresse-wie-im-profil.tld&apikey=xxxx&start=1
Query for one IP address over the whole period until today:
ip=78.46.91.239
start=1
https://api.blocklist.de/api.php?ip=78.46.91.239&start=1
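Example code for PHP (it is better to use a cache):
```php
<?php
// Fetch the result at most once per hour and keep the raw response in a cache file.
$url = 'https://api.blocklist.de/api.php?email=user@adresse.tld&apikey=xxxxxxx&start=1&format=php';
$cachefile = './blocklist.de.cache';
$raw = false;

// Use the cache only if it exists, is not empty and is at most one hour old.
if (is_file($cachefile) && filesize($cachefile) >= 5 && time() - filemtime($cachefile) <= 3600) {
    $raw = file_get_contents($cachefile);
}
if ($raw === false) {
    $raw = file_get_contents($url);
    if ($raw !== false) {
        file_put_contents($cachefile, $raw, LOCK_EX);
    }
}

// The data comes from the network, so unserialize() must not create objects.
$result = ($raw !== false) ? unserialize($raw, ['allowed_classes' => false]) : false;
$attacks = is_array($result) ? ($result['attacks'] ?? '') : '';
$reports = is_array($result) ? ($result['reports'] ?? '') : '';

// Escape the values before writing them into the HTML page.
echo 'Attacks: '.htmlspecialchars((string) $attacks);
echo '<br />';
echo 'Reports: '.htmlspecialchars((string) $reports);
echo '<br />Powered by <a href="http://www.blocklist.de/en/" target="_blank">www.blocklist.de</a>';
?>
```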
DNS - bl.blocklist.de
Example DNS-Query:
To check all lists for the IP 127.0.0.2, reverse its octets, append the zone and query:
host -t any 2.0.0.127.bl.blocklist.de
Answer:
2.0.0.127.bl.blocklist.de TXT "Infected System (Service: w00tw00t), see http://www.blocklist.de/en/view.html?ip=127.0.0.2"
2.0.0.127.bl.blocklist.de A 127.0.0.15
More examples of DNS queries and other services are in the forum at:
https://forum.blocklist.de/viewtopic.php?f=11&t=17
The DNS blacklist holds the IP addresses of all attackers from the past 48 hours.
The blacklist can be used for the evaluation of e-mails or users (bots, forum spam). Whether a listing leads to a rejection is up to the administrator who uses the bl.blocklist.de list.
| Name / URL | Description / Content |
| apache.bl.blocklist.de | Apache, RFI, w00tw00t, SQL-Injection + http://honeystats.info/ |
| bl.blocklist.de | All IP-Addresses (all Services) |
| all.bl.blocklist.de | All IP-Addresses (all Services) |
| ftp.bl.blocklist.de | FTP: only IPs that run FTP brute-force attacks. |
| imap.bl.blocklist.de | imap, pop3, sasl, webmail logins.... |
| mail.bl.blocklist.de | mail/postfix, 5xx errors (blacklist entries), relaying... |
| ssh.bl.blocklist.de | IPs that run SSH attacks. |
| sip.bl.blocklist.de | IPs that have tried SIP/Asterisk brute-force login attacks. |
If you query all.bl.blocklist.de or bl.blocklist.de, the returned IP differs by service:
amavis = 127.0.0.2
apacheddos = 127.0.0.3
asterisk = 127.0.0.4
badbot = 127.0.0.5
ftp = 127.0.0.6
imap = 127.0.0.7
ircbot = 127.0.0.8
mail = 127.0.0.9
pop3 = 127.0.0.10
regbot = 127.0.0.11
rfi-attack = 127.0.0.12
sasl = 127.0.0.13
ssh = 127.0.0.14
w00tw00t = 127.0.0.15
portflood = 127.0.0.16
sql-injection = 127.0.0.17
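The lookup described above as an added example (not code from blocklist.de): it builds the query name by reversing the IPv4 octets, maps the returned A record to a service using the list above, and ignores answers outside 127.0.0.0/8, which usually come from a resolver rewriting NXDOMAIN. The function names and the stand-in resolver with its sample answers are constructed for illustration.

```python
import ipaddress
import socket

# Return codes of bl.blocklist.de / all.bl.blocklist.de, copied from the list on this page.
SERVICE_BY_CODE = {
    2: "amavis", 3: "apacheddos", 4: "asterisk", 5: "badbot", 6: "ftp",
    7: "imap", 8: "ircbot", 9: "mail", 10: "pop3", 11: "regbot",
    12: "rfi-attack", 13: "sasl", 14: "ssh", 15: "w00tw00t",
    16: "portflood", 17: "sql-injection",
}
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def query_name(ip, zone="bl.blocklist.de"):
    """Build the DNSBL name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything but IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def decode(a_records):
    """Map returned A records to service names; drop non-return-code answers."""
    services = []
    for rec in a_records:
        addr = ipaddress.IPv4Address(rec)
        # Every return code on this page is 127.0.0.x. An answer outside
        # 127.0.0.0/8 is not a listing (e.g. a resolver rewriting NXDOMAIN).
        if addr not in LOOPBACK:
            continue
        code = int(addr) & 0xFF
        services.append(SERVICE_BY_CODE.get(code, "unknown-%d" % code))
    return services

def lookup(ip, zone="bl.blocklist.de", resolver=socket.gethostbyname_ex):
    """Return the services the IP is listed for; an empty list means not listed."""
    try:
        _, _, records = resolver(query_name(ip, zone))
    except (socket.gaierror, socket.herror):
        return []  # name does not exist: not listed
    return decode(records)

# Constructed stand-in resolver so the example runs offline. It answers like the
# sample on this page (127.0.0.2 -> A 127.0.0.15) and simulates a rewritten NXDOMAIN.
def fake_resolver(name):
    answers = {"2.0.0.127.bl.blocklist.de": ["127.0.0.15"],
               "9.113.0.203.bl.blocklist.de": ["198.51.100.7"]}
    if name not in answers:
        raise socket.gaierror("NXDOMAIN")
    return name, [], answers[name]

if __name__ == "__main__":
    for ip in ("127.0.0.2", "203.0.113.9", "192.0.2.1"):
        print(ip, lookup(ip, resolver=fake_resolver) or "not listed")
```

With the default resolver, `lookup()` sends a real query through the system's DNS configuration.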
Policy:
The export and DNS lists contain all IP addresses that have attacked one of our systems/partners in the last 48 hours and have not used the delist link.