Create file with only list ip and generate config from this file.

The blacklist is blocking some IP's of the statuscake.com service.

Statuscake.com is a uptime monitoring service

A list of their IP's is found here: https://www.statuscake.com/kb/knowledge-base/what-are-your-ips/

Ref: firehol/blocklist-ipsets#199

The IP block 23.247.208.0/22 was recently acquired through an ARIN Direct Allocation by FiberFly, LLC.
This can be verified via: https://search.arin.net/rdap/?query=23.247.208.0%2F22
FiberFly is a rural internet service provider (ISP), serving parts of Waxahachie, TX in the USA.
This can be verified at: https://fiberfly.com

We do not perform hosting services. We only provide home and business internet connections to our rural community.
Apparently the previously identified entity (micfo.com) was a hosting company, hence this block being included in your list.

Please update to remove this block from your list 'ip_blacklist.conf' on row 1209.

Row 1209: Remove '23.247.128.0/17'

This /17 block was been split among numerous organizations through ARIN via Direct Allocation in or around Oct 2021:
23.247.128.0/22 - IDC SPACE INC
23.247.132.0/22 - BRAIN PEACE SCIENCE FOUNDATION, INC
23.247.136.0/22 - Black Mesa Corporation
23.247.140.0/22 - Sky Fi
23.247.144.0/22 - VPB INC.
23.247.148.0/22 - City of Marshall
23.247.152.0/22 - VPSie INC
23.247.156.0/22<-- Not Assigned by ARIN
23.247.160.0/22 - One
23.247.164.0/22 - I.D. Logique
23.247.168.0/22 - Nasulex Networks
23.247.172.0/22 - Optelli Fiber LLC
23.247.176.0/22 - SDWANET LLC
23.247.180.0/24 - Ridge Wireless LLC
23.247.184.0/23 - PeopleHedge Corp
23.247.188.0/23 - Raptor Engineering, LLC
23.247.192.0/22 - I.S.F Quebec, Inc
23.247.196.0/22 - Clearwave Broadband Networks Inc.
23.247.200.0/22 - GHOST CLOUD LLC
23.247.204.0/22 - Estherville Communications LLC
23.247.208.0/22 - fiberfly <<<--------------------------------------------------------This is us!!!
23.247.212.0/22 - nextdns, Inc.
23.247.216.0/22 - City of Sylvester
23.247.220.0/22 - Data Stream
23.247.224.0/22 - BluBroadband ISP
23.247.228.0/22 - Kingsburg Media Foundation
23.247.232.0/22 - Voxtelesys LLC
23.247.236.0/22 - campuscolo.com
23.247.240.0/22 - Fortlab
23.247.244.0/22 - David & Denis Inc.
23.247.248.0/24 - RCG Communications, LLC
23.247.249.0/24 - Jackson County Memorial Hospital
23.247.250.0/23 - G5 INTERNET, LLC
23.247.252.0/24 - Computer Marketing Corporation
23.247.253.0/24 - Madon Damien, Sole Proprietorship
23.247.254.0/23 - HARRIS COUNTY TOLL ROAD AUTHORITY

Hi,

I have reports that the subnet 38.0.0.0/8 included in your list include false positives. Check firehol/blocklist-ipsets#10

@jtkdpu reported:

That is unfortunate. While some portions of that prefix are used for various monitoring, perhaps by Cyveillance, some are most certainly not. whois 38.229.0.0 for example. In that prefix is a lot of Team Cymru services, including some systems supporting Malware Hash Registry (MHR), which is a malware fighting tool presumably many security-conscious organizations would like to keep working.

What methodology are you using to develop this list? The comments say the list consists of "IPs based on honeypot site visits by various bots." Are you finding that a preponderance of the included CIDRs from Rackspace, Linode, and AWS are engaging with your honeypots? If so, that may be supportable, depending upon sample size and methodology. But if this is simply a list of someone's hunches, it might be more appropriate as a greylist (i.e., "alert for human inspection") than a blacklist except, perhaps, for hobbyists and researchers. While I understand the temptation presented by the profile of colo/VPS providers in developing threat intel, it strikes me as inappropriate to include vast swaths of Rackspace's, AWS's, and Linode's IPv4 allocations. There is some legitimate business that goes on there (including mine).

Hi!

bahnhof.net

deny from 37.123.128.0/18

This is one of Sweden's largest ISP:s, blocking all their users seems not so good.

Hi,

I would like to propose other webserver configuration file
I'm already doing some sed stuff to get it, but it would be cool to script something that generates the configuration files from a single source

What is the best way in your opinion ?

Hi!

I'd like to understand why you've added 206.251.244.0/19 to the blacklist.
My company resides in that list and suddenly we're blocked trying to access things on the internet, and after speaking with AWS abuse, it's because "for some reason we're in this blacklist".

We'd like to understand what gives, as we only have 5 addresses out of a shared /24, and wish to know how to grapple with being in the blast radius of 'someone bad, we dont know who' and being blocked because 'we have an IP close to theirs'

Hi,

I have added your blocklist to FIreHOL IP lists Analytics. You can find it at http://iplists.firehol.org/?ipset=pushing_inertia_blocklist.

Very interesting list. Check its overlaps with other lists, at the end of the page.

If you want me to add some more info about your list, please send me an HTML fragment to include in the About section.

Regards,

Costa

Hello,
can someone please explain me how to use ip-blacklist.conf with apache 2.4.10 on debian jessie?
Thanks