| Last update: 2026-04-19 07:12 CEST | 508 792 malicious IP |
|---|
🇬🇧 Aggregation of lists of malicious IP addresses such as scanners and bruteforce, therefore ONLY to be blocked in the WAN > LAN direction
🇬🇧⚠️ Introduction: MUST read before use
- Aggregation of lists of malicious IP addresses such as scanners and bruteforce, therefore ONLY to be blocked in the WAN > LAN direction (for malicious outgoing IP it is here)
- To be integrated into firewalls 🧱 (Fortinet FortiGate, Palo Alto, Check Point, Sophos, pfSense, OPNsense, IPtables ...), WAF or servers (Linux with ipset 🐧)
- IP addresses ordered by the number of sources they appear in (malicious IPs appearing in most sources in the first file full-aa.txt)
- Updated every hour ⏱️
Files to use (links in the "URL of files to copy paste" section below):
- full-aa.txt: 131,072 most malicious IP addresses
- full-40k.txt: 40,000 most malicious IP addresses
- full-a\*.txt: all malicious IP addresses in 131,072 IP files (especially for FortiOS < 7.4.4)
- full-300k-a\*.txt: all malicious IP addresses in 300,000 IP files (especially for FortiOS > 7.4.4)
- malicious-ip-by-country/full-\*.txt: all malicious IP addresses of a country (if you need a missing country file, send me a message)
Whitelist: IP addresses of the following services are removed from the files: Google Bot, Bing Bot.
🇬🇧 Is it effective? 🛡
Yes. For example, one of my users blocks more than 300,000 malicious requests per day with the first file, full-aa.txt, alone.
🇬🇧 How do I use it in my devices? 🔧
How to integrate these lists into a firewall?
- FortiGate
  - It is a complement to the FortiGate ISDB "Malicious-Malicious.Server" database (common IP address statistics between the full-* list and the ISDB, see "Statistics" section).
  - Menu Security Fabric → External Connectors → Create New → IP Address
  - Take a URL in the "Links" section below
  - Then, the lists can be used in Firewall Policy as "IP Address Threat Feed" objects.
  - More information: my tutorial, the video tutorial from a Fortinet security expert and this Fortinet help page
- Palo Alto: link. PA-3200 model and above limited to 150k IP (use full-aa.txt only), lower models limited to 50k IP (use full-40k.txt file)
- Check Point: link
- Sophos: link.
- pfSense: via the package pfBlocker-NG. The maximum number of entries must be increased: see here.
- OPNsense: via API (doc). Change the maximum number of entries for an alias: Firewall -> Settings -> Advanced -> Firewall Maximum Table Entries.
- IPTables with the ipset package on Linux server 🐧: tutorial 1 tutorial 2
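
For the ipset case on a Linux server, the following is an added example (not part of this project or of the linked tutorials) that loads one feed file into a set and drops matching traffic inbound only. The set name, interface name and minimum-entry threshold are assumptions, and it assumes the feed holds one IPv4 address per line; the set is sized explicitly because ipset's default `maxelem` of 65536 is smaller than a 131,072-IP file.

```shell
#!/bin/sh
# Added example: load one feed file into ipset and drop matching INBOUND traffic.
FEED_URL="https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-aa.txt"
SET_NAME="malicious-in"   # hypothetical set name
WAN_IF="eth0"             # hypothetical WAN-facing interface
MAXELEM=262144            # ipset's default maxelem (65536) cannot hold a 131,072-IP file
MIN_ENTRIES=1000          # arbitrary sanity floor against empty/truncated downloads

# Read a feed on stdin and print an "ipset restore" script on stdout.
# Assumes one IPv4 address per line; anything else (blank lines, comments,
# CIDR ranges, out-of-range octets, duplicates) is skipped, never passed to ipset.
build_restore() {
    set_name=$1
    maxelem=$2
    echo "create ${set_name} hash:ip family inet maxelem ${maxelem}"
    echo "create ${set_name}-tmp hash:ip family inet maxelem ${maxelem}"
    echo "flush ${set_name}-tmp"
    awk -v s="${set_name}-tmp" '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($0, o, "."); ok = 1
            for (i = 1; i <= 4; i++)
                if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            if (ok && !seen[$0]++) print "add " s " " $0
        }'
    # Fill the temporary set first, then swap: the live set is replaced in one step.
    echo "swap ${set_name}-tmp ${set_name}"
    echo "destroy ${set_name}-tmp"
}

# Download, validate, load, and make sure exactly one inbound DROP rule exists.
apply_blocklist() {
    tmp=$(mktemp) || return 1
    curl -fsS --max-time 60 -o "$tmp" "$FEED_URL" || { rm -f "$tmp"; return 1; }
    count=$(build_restore "$SET_NAME" "$MAXELEM" < "$tmp" | grep -c '^add ')
    if [ "$count" -lt "$MIN_ENTRIES" ]; then rm -f "$tmp"; return 1; fi
    # -exist: re-running does not fail because the sets already exist.
    build_restore "$SET_NAME" "$MAXELEM" < "$tmp" | ipset -exist restore
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1
    # WAN > LAN only: match the packet SOURCE on the WAN interface.
    iptables -C INPUT -i "$WAN_IF" -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT -i "$WAN_IF" -m set --match-set "$SET_NAME" src -j DROP
}

# Nothing privileged runs unless the script is called as: ./script.sh apply
if [ "${1:-}" = "apply" ]; then apply_blocklist; fi
```

Run it as root with the `apply` argument from an hourly cron job to follow the feed's update interval; on a Linux router the same match would go in the FORWARD chain as well.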
Statistics 📊
Update of the following table: 2026-04-19 07:12 CEST
| Malicious IP addresses in full-* | % | Number of IPs |
|---|---|---|
| Present in 6 sources and more | 7.09 % | 36 079 |
| Present in 5 sources | 5.22 % | 26 567 |
| Present in 4 sources | 5.09 % | 25 945 |
| Present in 3 sources | 6.59 % | 33 560 |
| Present in 2 sources | 14.45 % | 73 527 |
| Present in 1 source | 61.54 % | 313 114 |
| Total | 100 % | 508 792 |
Update of the common IP table with the FortiGate ISDB Malicious-Malicious.Server: 2026-04-19 01:50 CEST
| FortiGate models | full-* IPs common with ISDB |
|---|---|
| 100F and below | 5.37 % |
| 200F and above | 5.37 % |
History of statistics here.
Classification by country and organizations of malicious IP addresses present in at least 2 sources.
🔗 URL of files to copy paste ⧉
File URLs with all malicious IP addresses, split into files of 131,072 IPs (especially for FortiOS < 7.4.4):
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-aa.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ab.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ac.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ad.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ae.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-af.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ag.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ah.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ai.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-aj.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-ak.txt
File URLs with all malicious IP addresses, split into files of 300,000 IPs (especially for FortiOS > 7.4.4):
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-300k-aa.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-300k-ab.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-300k-ac.txt
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-300k-ad.txt
File URL of the 40,000 most malicious IPs (for small firewalls or Palo Alto models below PA-3200):
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/full-40k.txt
Example URL of a country file:
https://raw.githubusercontent.com/romainmarcoux/malicious-ip/main/malicious-ip-by-country/full-fr-aa.txt
Sources
| Filename | Source | History | Description |
|---|---|---|---|
| abuseipdb-* | link | 120d | Collaborative blocklist |
| alienvault-fakelabs-* | link | 30d | SSH Brute-Force Honeypot |
| alienvault-georgs-* | link | 30d | RDP/SSH/VNC intrusion and Trojan request |
| alienvault-ssh-bruteforce-* | link | 30d | SSH Brute-Force Honeypot |
| binarydefense.com-* | link | 30d | IP Block List maintained by Binary Defense |
| blocklist.de-* | link | 30d | Collaborative blocklist (6k sensors) (stats) |
| cinsscore.com-* | link | 30d | IP Block List maintained by CINS |
| emergingthreats.net-* | link | 30d | IP Block List maintained by Proofpoint |
| greensnow.co-* | link | 30d | IP Block List maintained by greensnow.co |
| isc.sans.edu-* | link | 20d | Collaborative blocklist (500k sensors): false positives removed |
| malicious-ip-* | link | - | Private honeypots and other sources |
| nxdomain.no-* | link | - | Bruteforce |
| projecthoneypot.org-* | link | 30d | Collaborative blocklist |
| sekio-* | - | 30d | Malicious IPs sent by my customers |
| snort.org-* | link | 30d | IP Block List maintained by snort.org (owned by Cisco Talos) |
| stamparm-* | link | 30d | Aggregation of lists of malicious IP addresses |
Release notes 📋
- 2026-01-27: New source: nxdomain.no
- 2025-02-08: Akamai removed (source no longer available)
- 2024-08-23: Added 300k malicious IP files and malicious IP by country files
- 2024-07-05: New source: projecthoneypot.org
- 2024-06-05: Whitelisting of IP addresses used by Cloudflare
- 2024-05-26: New source: binarydefense.com. Improved exploitation of isc.sans.edu with low signal IPs. Moving historical source files to the source folder.
- 2024-01-20: New sources: alienvault-ssh-bruteforce, alienvault-georgs, alienvault-fakelabs.
- 2024-01-19: New sources: stamparm, akamai.
- 2024-01-16: Whitelisting of IP addresses used by French mobile operators.
- 2023-12-26: New sources: cinsscore.com, emergingthreats.net, greensnow.co, snort.org.
- 2023-10-05: New source: isc.sans.edu.
- 2023-09-26: New sources: blocklist.de, abuseipdb.com.
- 2023-09-20: Initial release with first source: malicious-ip (github.com/duggytuxy/malicious_ip_addresses).
🇬🇧 Who am I?
I am a freelance cybersecurity expert, particularly on firewalls.
I have been maintaining this project since 2023 to help the community protect itself against cyber threats.
Do not hesitate to consult me for your firewall expertise needs (audit, integration, migration, issues, etc.): see contact below.
🇬🇧 📬 To contact me (false positives, ideas, thanks, etc.)
Contact me via LinkedIn (my profile) to:
- notify me of false positives
- suggest I add another source of malicious IP addresses (see "Sources" section above)
- consult me for your firewall expertise needs (audit, integration, migration, issues, etc.)
- thank me and encourage me for maintaining this project 😉


