
Blocklists

This section outlines the purpose of CSF’s blocklist and how it helps server administrators control which IP addresses are allowed to access the server while rejecting unwanted connection attempts.




About Blocklists

A blocklist is a collection of IP addresses or entire networks (CIDRs) that you don’t want accessing your server. When an IP on the blocklist attempts to connect, CSF blocks the request, helping to protect your system from unwanted or malicious traffic.

Blocklists are powerful because they let you deny connections from known bad actors automatically. This includes IPs flagged for brute-force attacks, spam, port scanning, or other suspicious activity. Instead of manually adding rules for each offender, CSF can apply a list of rules that you maintain or import from external sources.

Many blocklists are published and maintained by security organizations that track malicious activity worldwide. By subscribing to these maintained blocklists, you can keep your server automatically protected from known threats without the need for constant manual intervention.

There are numerous popular choices for maintained blocklists such as:




Location

To view or edit your current blocklists, open the file /etc/csf/csf.blocklists. An explanation of how the blocklist file works is given in the sections below.




How Blocklists Work

CSF supports two different methods for handling blocklists, and the choice depends on how large your lists are and the efficiency you want.


IPSET Disabled

Blocklists are processed line-by-line, and each entry becomes its own rule in iptables. This option should be selected if you plan to have very small lists that do not contain more than a few thousand entries.

  • Pros: Simple, no extra dependencies, works out of the box.
  • Cons: Becomes slow and inefficient with large blocklists.


IPSET Enabled

Blocklists are imported into kernel-managed sets, allowing CSF to check connections against a single set rather than thousands of rules. This option is acceptable if your blocklist contains thousands of entries.

  • Pros: Extremely efficient and scalable, can handle very large lists.
  • Cons: Extra package dependency ipset must be installed.


If you wish to use this option and enable IPSET, review the section Large Blocklists and IPSET below regarding the installation and configuration of IPSET on your server.


  •   Introduction to IPSETs


    Enabling IPSETs on large blocklists will improve efficiency in CSF. IPSET integration will take over management of loading large blocklists.

    This chapter covers installing the IPSET package and configuring CSF to use it for handling blocklists.

    Using IPSET allows CSF to group IP addresses into sets, reducing the number of iptables rules and improving overall performance.




Configure Blocklists

You can manage and define which blocklists you wish to use in CSF by opening the file /etc/csf/csf.blocklists.

By default, every blocklist is commented out with a # symbol at the beginning of the line. Leave the line commented if you do not wish to use that blocklist. To enable a blocklist, remove the # and save the file.

All blocklists in CSF are disabled by default

Out of the box, every line is commented out with the character #. To use a blocklist, remove the comment character # from its line and save the file.

/etc/csf/csf.blocklists
# #
#   @blocklist              Official CSF Blocklists
#   @details:               https://aetherinox.github.io/csf-firewall/usage/blocklists/#official-blocklists
#                           https://aetherinox.github.io/csf-firewall/advanced/services/blocklist.configserver
#   
#   The official CSF blocklists contain a large number of IPs which range from various 
#   different services, including AbuseIPDB (100% confidency).
#   
#   You can also use our blocklist service:
#       https://blocklist.configserver.dev/master.ipset
#       https://blocklist.configserver.dev/highrisk.ipset
#   
#   We offer many others, but these two are the primary ones.
#   
#   Requires you to edit /etc/csf/csf.conf setting:
#       LF_IPSET_MAXELEM = "500000"
# #

#   CSF_MASTER      | 43200 | 0 | https://blocklist.configserver.dev/master.ipset
#   CSF_HIGHRISK    | 43200 | 0 | https://blocklist.configserver.dev/highrisk.ipset

# #
#   @blocklist              Spamhaus Don't Route Or Peer List (DROP)
#   @details:               http://spamhaus.org/drop
# #

#   SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.txt

# #
#   @blocklist              Spamhaus IPv6 Don't Route Or Peer List (DROPv6)
#   @details:               http://spamhaus.org/drop
# #

#   SPAMDROPV6|86400|0|https://www.spamhaus.org/drop/dropv6.txt

# #
#   @blocklist              Spamhaus Extended DROP List (EDROP)
#   @details:               http://spamhaus.org/drop
# #

#   SPAMEDROP|86400|0|http://www.spamhaus.org/drop/edrop.txt

# #
#   @blocklist              DShield.org Recommended Block List
#   @details:               https://dshield.org
# #

#   DSHIELD|86400|0|https://www.dshield.org/block.txt

# #
#   @blocklist              TOR Exit Nodes List
#   @details:               https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
#   @notes                  Set URLGET in csf.conf to use LWP as this list
#                           uses an SSL connection
# #

#   TOR|86400|0|https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.2.3.4

# #
#   @blocklist              BOGON list
#   @details:               http://team-cymru.org/Services/Bogons
# #

#   BOGON|86400|0|http://www.cymru.com/Documents/bogon-bn-agg.txt

# #
#   @blocklist              Project Honey Pot Directory of Dictionary Attacker IPs
#   @details:               http://projecthoneypot.org
# #

#   HONEYPOT|86400|0|https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1

# #
#   @blocklist              C.I. Army Malicious IP List
#   @details:               https://ciarmy.com
# #

#   CIARMY|86400|0|http://www.ciarmy.com/list/ci-badguys.txt

# #
#   @blocklist              BruteForceBlocker IP List
#   @details:               http://danger.rulez.sk/index.php/bruteforceblocker
# #

#   BFB|86400|0|http://danger.rulez.sk/projects/bruteforceblocker/blist.php

# #
#   @blocklist              MaxMind GeoIP Anonymous Proxies
#   @details:               https://maxmind.com/en/anonymous_proxies
#   @notes:                 Set URLGET in csf.conf to use LWP as this list
#                           uses an SSL connection
#   
#   This first list only retrieves the IP addresses added in the last hour
# #

#   MAXMIND|86400|0|https://www.maxmind.com/en/anonymous_proxies

# #
#   @blocklist              Blocklist.de
#   @details:               https://blocklist.de
#   @notes:                 Set URLGET in csf.conf to use LWP as this list
#                           uses an SSL connection
#   
#   This first list only retrieves the IP addresses added in the last hour
# #

#   BDE|3600|0|https://api.blocklist.de/getlast.php?time=3600

# #
#   This second list retrieves all the IP addresses added in the last 48 hours
#   and is usually a very large list (over 10000 entries), so be sure that you
#   have the resources available to use it
# #

#   BDEALL|86400|0|http://lists.blocklist.de/lists/all.txt

# #
#   @blocklist              Stop Forum Spam
#   @details:               http://stopforumspam.com/downloads
#   @notes:                 Many of the lists available contain a vast number of
#                           IP addresses so special care needs to be made when
#                           selecting from their lists
# #

#   STOPFORUMSPAM|86400|0|http://www.stopforumspam.com/downloads/listed_ip_1.zip

# #
#   @blocklist              Stop Forum Spam IPv6
#   @details:               http://stopforumspam.com/downloads
#   @notes:                 Many of the lists available contain a vast number of
#                           IP addresses so special care needs to be made when
#                           selecting from their lists
# #

#   STOPFORUMSPAMV6|86400|0|http://www.stopforumspam.com/downloads/listed_ip_1_ipv6.zip

# #
#   @blocklist              GreenSnow Hack List
#   @details:               https://greensnow.co
# #

#   GREENSNOW|86400|0|https://blocklist.greensnow.co/greensnow.txt


We will use a few entries from the file above to explain the format.

/etc/csf/csf.blocklists
# #
#   Example Blocklists
#   NAME   | INTERVAL | MAX_ENTRIES | BLOCKLIST_URL
# #

SPAMDROP      |   86400   |      0      |  https://spamhaus.org/drop/drop.txt
CSF_HIGHRISK  |   43200   |      0      |  https://blocklist.configserver.dev/highrisk.ipset
DSHIELD       |   86400   |      0      |  https://dshield.org/block.txt
----------------------------------------------------------------------------------------------------------------------------------
    ^NAME^     ^INTERVAL^  ^MAX_ENTRIES^              ^BLOCKLIST_URL^              
NAME

Blocklist name with all uppercase alphabetic characters with no spaces and a maximum of 25 characters - this will be used as the iptables chain name

INTERVAL

Cache refresh interval (in seconds) to keep the list, must be a minimum of 3600 seconds (an hour). After this time has expired, entries in the blocklist will be refreshed.

  • 43200: 12 hours
  • 86400: 24 hours

MAX_ENTRIES

This is the maximum number of entries to load from a list. A value of 0 means all entries will be loaded (see note below). If you add a blocklist with 50,000 entries, and you set this value to 20,000; then you will only load the first 20,000 entries within the blocklist.

BLOCKLIST_URL

The URL from which the blocklist is downloaded.




Official Blocklists

While there are many blocklists available on the internet — including repositories on GitHub — CSF also provides official blocklists maintained directly by us. These lists are curated, updated regularly, and designed to minimize false positives while providing protection against common threats.


These lists are refreshed approximately every 12 hours to ensure up-to-date protection. They include IP addresses flagged for abusive behavior such as:

  • SSH brute-forcing
  • Port scanning
  • DDoS attacks
  • IoT exploitation
  • Phishing attempts


While we provide a wide selection of blocklists, most users will find that the master.ipset and highrisk.ipset lists are more than enough to maintain strong security. These lists include extensive collections of high-confidence IPs (100% confidence level), minimizing the risk of false positives.

In addition to the primary lists, the CSF repository also offers specialized blocklists for categories like privacy, spam, and geographic restrictions. These allow you to further tailor your firewall rules, such as blocking traffic from specific countries.

The main blocklists come pre-configured in your /etc/csf/csf.blocklists file. To activate a blocklist, simply remove the leading comment character #.

# #
#   @blocklist              Official CSF Blocklists
#   @details:               https://aetherinox.github.io/csf-firewall/usage/blocklists/#official-blocklists
#                           https://aetherinox.github.io/csf-firewall/advanced/services/blocklist.configserver
#   
#   The official CSF blocklists contain a large number of IPs which range from various 
#   different services, including AbuseIPDB (100% confidency).
#   
#   You can also use our blocklist service:
#       https://blocklist.configserver.dev/master.ipset
#       https://blocklist.configserver.dev/highrisk.ipset
#   
#   We offer many others, but these two are the primary ones.
#   
#   Requires you to edit /etc/csf/csf.conf setting:
#       LF_IPSET_MAXELEM = "500000"
# #

CSF_MASTER   | 43200 | 0 | https://blocklist.configserver.dev/master.ipset
CSF_HIGHRISK | 43200 | 0 | https://blocklist.configserver.dev/highrisk.ipset


Using the master.ipset blocklist without enabling IPSET can cause server instability & increased memory usage

The official master.ipset blocklist contains millions of IP addresses.

We strongly recommend enabling IPSET before using this list. Without IPSET, CSF will create a separate iptables rule for every IP, which will dramatically increase memory usage and slow down firewall operations.

Using this list without IPSET may lead to performance issues or even system instability on servers with limited resources (memory).


Adding our master.ipset and highrisk.ipset blocklists from above will give you the entire collection for each main blocklist and will offer great protection. All that is needed is to restart CSF to ensure that the blocklists take effect:

sudo csf -ra


When CSF restarts, these blocklists will be loaded, and if any of the IP addresses in these lists attempts to connect to your server in any way, the connection will be timed out and it will be unable to communicate with your server. You can confirm that the blocklists are loaded by running the command:

sudo ipset --list -n
chain_DENY
chain_6_DENY
chain_ALLOW
chain_6_ALLOW
bl_CSF_HIGHRISK
bl_6_CSF_HIGHRISK
bl_CSF_MASTER
bl_6_CSF_MASTER


In the output above, you are looking for the following sets to show up in your list:

Blocklist   List Name          Protocol Version   Description
Master      bl_CSF_MASTER      IPv4               List of all IPv4 addresses to restrict
Master      bl_6_CSF_MASTER    IPv6               List of all IPv6 addresses to restrict
High Risk   bl_CSF_HIGHRISK    IPv4               List of all IPv4 addresses to restrict
High Risk   bl_6_CSF_HIGHRISK  IPv6               List of all IPv6 addresses to restrict


To view a list of all IP addresses within a specific blocklist, run the command:

sudo ipset --list bl_CSF_HIGHRISK
Name: bl_CSF_HIGHRISK
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 500000 bucketsize 12 initval 0x5f263e28
Size in memory: 24024
References: 1
Number of entries: 630
Members:
XX.XX.XX.XXX
XX.XX.XX.XXX
[ ... ]


Now that the official blocklists are defined in /etc/csf/csf.blocklists, the setting LF_IPSET_MAXELEM must also be set to a large enough value; otherwise, not all of the entries in the lists will be loaded. This is explained in the section below.

Official master blocklist requires increased LF_IPSET_MAXELEM

If you plan to use our official blocklist, master.ipset, you must increase the LF_IPSET_MAXELEM setting in /etc/csf/csf.conf.

The master.ipset file currently contains approximately 350,000 entries. To allow for future updates and ensure safe operation, set LF_IPSET_MAXELEM to around 500000.

Instructions for doing this are available in the next section Increase Max Limit.




Large Blocklists and IPSET

When using large blocklists (more than a few thousand entries in a list), such as our officially maintained master.ipset, it is strongly recommended to enable IPSET.

As described in the How Blocklists Work section, blocklists can be handled in two ways:

  1. Each IP is applied as an individual iptables rule, or
  2. With IPSET enabled, the entire blocklist is managed as a single set.


For blocklists containing thousands of entries, option 2 is significantly faster and consumes far fewer system resources, including memory. However, if you plan to go with the route of enabling IPSET, you must modify the settings LF_IPSET and LF_IPSET_MAXELEM located in /etc/csf/csf.conf.

We have an entire chapter of our guide dedicated to How IPSET Works, so we will not go into great detail here.


Enable IPSET

If you decide to use option two and enable IPSET, you need to ensure IPSET is installed on your server:

# using apt
sudo apt-get update
sudo apt-get install ipset

# using yum
sudo yum install ipset

# using dnf
sudo dnf install ipset


Next, open /etc/csf/csf.conf and enable the setting LF_IPSET

/etc/csf/csf.conf (before)
LF_IPSET = "0"

/etc/csf/csf.conf (after)
LF_IPSET = "1"


This enables IPSET support on your server. One final setting remains, LF_IPSET_MAXELEM, which limits how many entries a large blocklist can hold. Continue to the next section, Set LF_IPSET_MAXELEM.


Set LF_IPSET_MAXELEM

The setting LF_IPSET_MAXELEM defines how many entries can be loaded from a blocklist. This is an important part of enabling large blocklists that contain tens of thousands of entries.

If you have decided to use CSF's official blocklists master.ipset and highrisk.ipset, this setting must be raised to match how large the lists are.

On average, our master.ipset blocklist contains approximately 350,000 entries, while our highrisk.ipset list contains approximately 10,000.

To support a blocklist this large, we must modify LF_IPSET_MAXELEM to a high enough value to support this, and also give us room in case the list grows larger in the future. We'll use the value 500,000 for this example.

Open /etc/csf/csf.conf and change the following:

/etc/csf/csf.conf (before)
LF_IPSET_MAXELEM = "65536"

/etc/csf/csf.conf (after)
LF_IPSET_MAXELEM = "500000"


By setting LF_IPSET_MAXELEM in /etc/csf/csf.conf to 500000, there is enough room for our biggest blocklist, master.ipset, with its 350,000 entries, plus a buffer of 150,000 for future growth.


Also confirm that the blocklists themselves have MAX_ENTRIES set to 0 within /etc/csf/csf.blocklists if you do not wish to limit the number of entries loaded:

CSF_MASTER   | 43200 | 0 | https://blocklist.configserver.dev/master.ipset
CSF_HIGHRISK | 43200 | 0 | https://blocklist.configserver.dev/highrisk.ipset
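The following Python check is an added example written for this guide, not part of CSF itself: it parses csf.blocklists lines in the NAME|INTERVAL|MAX_ENTRIES|URL format described under Configure Blocklists, validates the constraints given there, and then compares each enabled list's size against LF_IPSET and LF_IPSET_MAXELEM from csf.conf, so a list that would be silently truncated (or expanded into thousands of iptables rules) is flagged before CSF is restarted. The file contents, entry counts and the 5000-rule cut-off are constructed assumptions, and underscores in names are assumed valid because the page's own CSF_MASTER uses one.

```python
import re
# Constructed sample of /etc/csf/csf.blocklists: NAME|INTERVAL|MAX_ENTRIES|URL, '#' = disabled
SAMPLE_BLOCKLISTS = """
CSF_MASTER   | 43200 | 0 | https://blocklist.configserver.dev/master.ipset
CSF_HIGHRISK | 43200 | 0 | https://blocklist.configserver.dev/highrisk.ipset
#   SPAMDROP|86400|0|http://www.spamhaus.org/drop/drop.txt
DSHIELD|86400|20000|https://www.dshield.org/block.txt
bad name|600|0|ftp://example.invalid/list.txt
"""
# Constructed csf.conf fragment: IPSET enabled but LF_IPSET_MAXELEM left at its default
SAMPLE_CONF = 'LF_IPSET = "1"\nLF_IPSET_MAXELEM = "65536"\n'
# Approximate sizes quoted on the page (DSHIELD figure constructed); on a live server take
# "Number of entries" from `ipset --list <set>` instead
ENTRY_COUNTS = {"CSF_MASTER": 350_000, "CSF_HIGHRISK": 10_000, "DSHIELD": 25_000}
NAME_RE = re.compile(r"^[A-Z_]{1,25}$")  # assumption: '_' allowed, as in CSF_MASTER


def parse_blocklists(text):
    """Parse csf.blocklists text into (entries, errors), one error string per bad line."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank, or commented out and therefore disabled
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4:
            errors.append(f"line {lineno}: expected 4 '|' fields, got {len(fields)}")
            continue
        name, interval, max_entries, url = fields
        bad = [msg for ok, msg in (
            (NAME_RE.match(name), "NAME must be uppercase, no spaces, at most 25 chars"),
            (interval.isdigit() and int(interval) >= 3600, "INTERVAL must be >= 3600 s"),
            (max_entries.isdigit(), "MAX_ENTRIES must be an integer (0 = load all)"),
            (url.startswith(("http://", "https://")), "URL must be http(s)")) if not ok]
        if bad:
            errors.append(f"line {lineno}: " + "; ".join(bad))
        else:
            entries.append({"name": name, "interval": int(interval),
                            "max_entries": int(max_entries), "url": url})
    return entries, errors


def conf_value(conf_text, key):
    m = re.search(rf'^\s*{key}\s*=\s*"([^"]*)"', conf_text, re.M)
    return m.group(1) if m else None


def check_capacity(entries, conf_text, counts):
    """Return {name: reason} for enabled lists that the current csf.conf cannot load in full."""
    ipset_on = conf_value(conf_text, "LF_IPSET") == "1"
    maxelem = int(conf_value(conf_text, "LF_IPSET_MAXELEM") or 0)
    findings = {}
    for e in entries:
        # MAX_ENTRIES = 0 loads the whole list; any other value caps what is loaded
        loaded = min(counts.get(e["name"], 0), e["max_entries"] or float("inf"))
        if not ipset_on and loaded > 5000:  # assumed cut-off for "a few thousand" rules
            findings[e["name"]] = f"{loaded} individual iptables rules without IPSET"
        elif ipset_on and loaded > maxelem:
            findings[e["name"]] = f"{loaded} entries exceed LF_IPSET_MAXELEM={maxelem}"
    return findings
```

With the sample inputs, only CSF_MASTER is flagged (350,000 entries against the default 65536); raising LF_IPSET_MAXELEM to 500000 clears it, while disabling LF_IPSET flags all three enabled lists.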


Once you change the settings mentioned in this section, give CSF a restart:

sudo csf -ra


You should now have your blocklists confirmed within CSF, and have also enabled IPSET in order to manage these lists which increases performance.

If you want to learn more about IPSETs specifically, head over to the chapter Introduction to IPSETs.




Next Steps

Select what documentation you would like to proceed with next ...

  •   Geographical IP Block Integration


    Configure geographical restrictions in CSF to whitelist or blacklist specific regions from accessing your server.

    This chapter covers enabling the GeoIP blocklist feature using third-party services such as MaxMind (requires an API key), db-ip, ipdeny, or iptoasn.

    These services allow you to control access based on location while keeping your server secure.