[Useful Info] - Active Hacker IP Subnets - for blocking purposes

Hi, in an effort to help others deal with / reduce the absurd level of brute force attacks we keep getting on our datacenters (and the lack of a block-by-country system), we have compiled a list of networks with the main offenders; blocking these reduced the mass of attacks by 95%.

So far we have detected no adverse effects, and most reside in countries we do not do business with, nor care to, so it seems like a good fix.

To implement these, simply add these rules to your INBOUND FIREWALL RULES (/cgi-bin/MANGA/index.cgi?mode=config&option=firewall) and you are good to go.

However, as with everything, your mileage may vary; you may want to edit these more or less to suit your solution.

If anyone knows any other offenders, please post here; I'll try to keep the list updated as we detect more.

This should help immensely in stemming the tide of attacks. It helped us; we hope it helps more people.

(Update 1.1 - Added/Merged C_Metz’s Blocks)
(Update 1.2 - Added/Merged Emerging Threats List)

By Country:

  • 27.147.191.187/24, Bangladesh
  • 170.247.81.203/22, Brazil
  • 189.59.204.120/15, Brazil
  • 66.240.192.138, British Indian Ocean
  • 71.6.199.23/17, British Indian Ocean
  • 93.174.95.106/24, British Indian Ocean
  • 94.102.49.190/24, British Indian Ocean
  • 78.128.113.42/24, Bulgaria
  • 79.124.62.134/24, Bulgaria
  • 54.39.215.32/16, Canada (Datacenter)
  • 190.215.24.62/17, Chile
  • 14.135.120.3/15, China
  • 117.50.101.117/16, China
  • 122.228.19.79/27, China
  • 125.64.94.131/13, China
  • 183.129.159.244/29, China
  • 223.71.167.165/10, China
  • 45.56.91.118/18, China (USA)
  • 45.79.106.170/16, China (USA)
  • 47.89.92.94/14, China (USA)
  • 93.139.50.95/16, Croatia
  • 49.51.155.205/17, Germany
  • 176.58.194.184/17, Greece
  • 164.52.24.173/17, Hong Kong
  • 31.203.22.114/19, Kuwait
  • 185.176.220.239/24, Latvia
  • 193.93.62.61/24, Latvia
  • 60.53.222.213/23, Malaysia
  • 80.82.77.193/24, Netherlands
  • 89.248.160.150/24, Netherlands
  • 89.248.167.141/24, Netherlands
  • 89.248.168.217/24, Netherlands
  • 89.248.172.85/24, Netherlands
  • 94.102.50.137/24, Netherlands
  • 94.102.51.95/24, Netherlands
  • 185.216.140.31/23, Netherlands
  • 198.20.103.245/18, Netherlands
  • 49.151.109.197/20, Philippines
  • 112.201.63.25/17, Philippines
  • 81.196.154.175/16, Romania
  • 83.97.20.35/24, Romania
  • 193.29.13.33/24, Romania
  • 193.32.161.143/24, Romania
  • 45.145.66.93/11, Russia
  • 46.161.27.48/24, Russia
  • 87.251.73.231/23, Russia
  • 92.63.196.25/24, Russia
  • 92.63.197.53/24, Russia
  • 185.153.196.122/24, Russia
  • 185.153.199.145/22, Russia
  • 185.154.13.29/25, Russia
  • 185.156.73.65/24, Russia
  • 185.176.27.222/24, Russia
  • 193.27.228.198/24, Russia
  • 193.27.229.93/23, Russia
  • 194.26.25.102/24, Russia
  • 195.54.160.203/23, Russia
  • 213.217.1.35/23, Russia
  • 188.2.195.146/17, Serbia
  • 196.52.43.82/14, South Africa
  • 185.175.93.14/24, Spain
  • 79.136.122.195/18, Sweden
  • 46.2.238.206/23, Turkey
  • 88.0.0.0/8, Turkey
  • 151.225.150.210/14, UK
  • 193.56.28.220/24, UK (Datacenter)
  • 87.251.74.22/24, Ukraine
  • 195.88.72.122/23, Ukraine
  • 192.35.169.43/23, USA
  • 198.11.137.254/18, USA
  • 205.204.104.62/19, USA (China)
  • 64.64.104.10/24, USA (Datacenter)
  • 216.218.206.114/26, USA (Datacenter)
  • 173.79.234.105/12, USA (Fios VA)
  • 108.190.116.81/14, USA (Hosting FL)
  • 104.152.52.39/22, USA (Hosting KS)
  • 138.197.101.95/16, USA (Hosting NJ)
  • 167.71.110.14/16, USA (Hosting NJ)
  • 146.88.240.4/24, USA (Observatory MI)
  • 205.205.150.3/24, USA (Verizon Business)
  • 125.212.217.214/17, Vietnam
3 Likes

So I have to deal from time to time with people trying to hack my FusionHub hosted at Vultr in Dallas. I’ve taken the approach of verifying they are a bad actor through TalosThreatIntelligence and then blocking the ENTIRE SUBNET they are coming from. I do this because a lot of them are botnets with compromised machines in residential networks. So the way this list reads is… the IP address was the attacker and the /XX subnet is the entire subnet range they are sitting on. Works for my purposes, but may not work for some others.

80.82.77.193/24, 146.88.240.4/24, 122.228.19.79/27, 185.176.27.222/24, 216.218.206.114/26, 195.88.72.122/23, 71.6.199.23/17, 198.20.103.245/18, 89.248.168.217/24, 223.71.167.165/10, 185.156.73.65/24, 87.251.74.22/24, 83.97.20.35/24, 125.212.217.214/17, 213.217.1.35/23, 92.63.196.25/24, 94.102.50.137/24, 193.27.228.198/24, 125.64.94.131/13, 94.102.49.190/24, 45.145.66.93/11, 89.248.167.141/24, 185.153.196.122/24, 49.51.155.205/17, 185.153.199.145/22, 193.93.62.61/24, 193.56.28.220/24, 89.248.160.150/24, 64.64.104.10/24, 104.152.52.39/22, 195.54.160.203/23, 92.63.197.53/24, 117.50.101.117/16, 193.27.229.93/23, 66.240.192.138, 94.102.51.95/24, 87.251.73.231/23, 78.128.113.42/24, 89.248.172.85/24, 183.129.159.244/29, 14.135.120.3/15, 205.205.150.3/24, 185.154.13.29/25, 164.52.24.173/17, 45.79.106.170/16, 45.56.91.118/18, 54.39.215.32/16, 138.197.101.95/16, 192.35.169.43/23, 167.71.110.14/16, 93.174.95.106/24, 193.29.13.33/24, 196.52.43.82/14, 194.26.25.102/24, 46.161.27.48/24, 185.216.140.31/23, 185.175.93.14/24, 193.32.161.143/24, 185.176.220.239/24, 47.89.92.94/14, 198.11.137.254/18, 205.204.104.62/19, 79.124.62.134/24, 151.225.150.210/14, 95.92.223.197/18, 27.147.191.187/24, 170.247.81.203/22, 108.190.116.81/14, 188.2.195.146/17, 189.59.204.120/15, 60.53.222.213/23, 112.201.63.25/17, 31.203.22.114/19, 79.136.122.195/18, 46.2.238.206/23, 81.196.154.175/16, 190.215.24.62/17, 176.58.194.184/17, 173.79.234.105/12, 49.151.109.197/20, 93.139.50.95/16

2 Likes
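The entries in both lists above are written the way the second post describes them: the host address that attacked, followed by the prefix length of the subnet it sits in (for example 27.147.191.187/24 rather than 27.147.191.0/24). Before typing such entries into a firewall rule it helps to normalize them to real network addresses, merge overlaps and duplicates, and see how many addresses each rule actually covers, since a /8 or /11 blocks millions of hosts that have nothing to do with the attacker. The following script is an added example and is not code from either poster or from Peplink; it uses only Python's standard `ipaddress` module. The entry list is a constructed subset of the thread's own entries, and the `WIDE_PREFIX` threshold of /16 is an assumption chosen for illustration.

```python
"""Normalize, merge and sanity-check 'attacker-IP/prefix' block-list entries.

Added example for the thread above (not the posters' or Peplink's code).
ip_network(..., strict=False) clears the host bits, turning the attacker's
address plus prefix into the network a firewall rule needs.
"""
from ipaddress import ip_network, ip_address, collapse_addresses

# Constructed subset of the thread's entries, in the same host/prefix form.
SAMPLE_ENTRIES = [
    "27.147.191.187/24",
    "66.240.192.138",       # no prefix given: treated as a single host (/32)
    "94.102.49.190/24",
    "94.102.50.137/24",     # this /24 and the next one form one /23
    "94.102.51.95/24",
    "89.248.160.150/24",
    "89.248.167.141/24",
    "88.0.0.0/8",           # an entire /8: 16.7 million addresses
    "45.145.66.93/11",
    "125.64.94.131/13",
]

# Assumption for this example: anything shorter than a /16 is "wide" enough
# to deserve a second look before it goes into a rule.
WIDE_PREFIX = 16


def normalize(entries):
    """Map 'host/prefix' strings to network objects with host bits cleared."""
    return [ip_network(e, strict=False) for e in entries]


def collapse(networks):
    """Merge duplicates, adjacent halves and networks contained in others.

    collapse_addresses yields the result sorted by network address.
    """
    return list(collapse_addresses(networks))


def wide_networks(networks, threshold=WIDE_PREFIX):
    """Return (network, address_count) for every network wider than threshold."""
    return [(n, n.num_addresses) for n in networks if n.prefixlen < threshold]


def matches(ip, networks):
    """Return the first block-list network containing ip, or None."""
    addr = ip_address(ip)
    for n in networks:
        if addr in n:
            return n
    return None


def firewall_rows(networks):
    """(network address, dotted netmask) pairs, the form most rule UIs ask for."""
    return [(str(n.network_address), str(n.netmask)) for n in networks]


if __name__ == "__main__":
    nets = collapse(normalize(SAMPLE_ENTRIES))
    print("Normalized and merged block list:")
    for network, mask in firewall_rows(nets):
        print(f"  {network:<16} {mask}")
    for n, count in wide_networks(nets):
        print(f"WARNING: {n} covers {count:,} addresses; check for collateral damage")
    # Quick membership check: is a newly observed address already covered?
    for probe in ("94.102.50.5", "8.8.8.8"):
        print(f"{probe} -> {matches(probe, nets)}")
```

Running it on the ten sample entries yields nine rules (the two adjacent /24s merge into 94.102.50.0/23), prints warnings for the /8, /11 and /13, and shows that 94.102.50.5 is already covered while 8.8.8.8 is not. Feeding the full list from either post through `collapse` before entering it into the firewall also removes the entries that are already contained in a wider one.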

Thanks so much, this will help immensely; I see some of yours match mine as well.

Now if we could only add these in one fell swoop to our Peplink incoming firewall blocks…

ಥ_ಥ

Peplink, pretty please… haha

1 Like