IP Intelligence
IP Intelligence provides you with additional information about any IP address you see in ngrok. It includes Autonomous System information, Geolocation data, as well as information fetched from 3rd parties that list IP address for blocklists or allowlists.
See the full list of IP Categories available here.
These variables can be used in Traffic Policy expressions, or they can be used to enrich your traffic via dynamic injection into headers or responses.
Client IP Intelligence
The following variables are available under the conn.client_ip
namespace:
Name | Type | Description |
---|---|---|
conn.client_ip.categories | list | The list of categories that classify the conn.client_ip . Check out our full list of categories. |
conn.client_ip.categories
The list of categories that classify the conn.client_ip
. Check out our full list of categories.
- YAML
- JSON
# snippet
---
expressions:
- "!('proxy.anonymous.tor' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('proxy.anonymous.tor' in conn.client_ip.categories)"
]
}
Client IP Autonomous System
The following variables are available under the conn.client_ip
namespace:
Name | Type | Description |
---|---|---|
conn.client_ip.as.number | integer | The Autonomous System Number of the conn.client_ip . |
conn.client_ip.as.organization | string | The Autonomous System Organization name of the conn.client_ip . |
conn.client_ip.as.number
The Autonomous System Number of the conn.client_ip
.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.as.number == 12345
// snippet
{
"expressions": [
"conn.client_ip.as.number == 12345"
]
}
conn.client_ip.as.organization
The Autonomous System Organization name of the conn.client_ip
.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.as.organization == 'COMCAST-7922'
// snippet
{
"expressions": [
"conn.client_ip.as.organization == 'COMCAST-7922'"
]
}
Client IP Geo Location
This is the location where the IP address is located, which may be different from where the IP address is registered. For more details, see the MaxMind documentation.
Name | Type | Description |
---|---|---|
conn.client_ip.geo.location.city | string | The name of the city, in EN, where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.continent | string | The name of the continent, in EN, where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.country | string | The name of the country, in EN, where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.country_code | string | The two-letter ISO country code where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.is_eu | boolean | Determines if the conn.client_ip is located in the EU. Helpful for GDPR compliance. |
conn.client_ip.geo.location.latitude | string | The approximate latitude where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.longitude | string | The approximate longitude where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.metro_code | string | The metro code where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.postal_code | string | The postal code where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.radius | string | The radius in kilometers around the latitude and longitude where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.subdivision | string | The name of the subdivision, in EN, where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.timezone | string | The name of the timezone where the conn.client_ip is likely to originate. |
conn.client_ip.geo.location.city
The name of the city, in EN, where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.city == 'Strongsville'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.city == 'Strongsville'"
]
}
conn.client_ip.geo.location.continent
The name of the continent, in EN, where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.continent == 'North America'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.continent == 'North America'"
]
}
conn.client_ip.geo.location.country
The name of the country, in EN, where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.country == 'United States'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.country == 'United States'"
]
}
conn.client_ip.geo.location.country_code
The two-letter ISO country code where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.country_code != 'US'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.country_code != 'US'"
]
}
conn.client_ip.geo.location.is_eu
Determines if the conn.client_ip
is in the EU. Helpful for GDPR compliance.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.is_eu == true
// snippet
{
"expressions": [
"conn.client_ip.geo.location.is_eu == true"
]
}
conn.client_ip.geo.location.latitude
The approximate latitude where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- double(conn.client_ip.geo.location.latitude) >= 45.0
// snippet
{
"expressions": [
"double(conn.client_ip.geo.location.latitude) >= 45.0"
]
}
conn.client_ip.geo.location.longitude
The approximate longitude where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- double(conn.client_ip.geo.location.longitude) <= -93.0
// snippet
{
"expressions": [
"double(conn.client_ip.geo.location.longitude) <= -93.0"
]
}
conn.client_ip.geo.location.metro_code
The metro code where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.metro_code != ''
// snippet
{
"expressions": [
"conn.client_ip.geo.location.metro_code != ''"
]
}
conn.client_ip.geo.location.postal_code
The postal code where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.postal_code == '94324'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.postal_code == '94324'"
]
}
conn.client_ip.geo.location.radius
The radius in kilometers around the latitude and longitude where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.radius <= '5'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.radius <= '5'"
]
}
conn.client_ip.geo.location.subdivision
The name of the subdivision, in EN, where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.subdivision == 'California'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.subdivision == 'California'"
]
}
conn.client_ip.geo.location.timezone
The name of the timezone where the conn.client_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.location.timezone == 'America/New_York'
// snippet
{
"expressions": [
"conn.client_ip.geo.location.timezone == 'America/New_York'"
]
}
Client IP Registered Geo Location
This is the location where the IP address is registered, which may be different from where the IP address is located. For more details, see the MaxMind documentation.
Name | Type | Description |
---|---|---|
conn.client_ip.geo.registered_location.city | string | The name of the city, in EN, where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.continent | string | The name of the continent, in EN, where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.country | string | The name of the country, in EN, where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.country_code | string | The two-letter ISO country code where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.is_eu | boolean | Determines if the conn.client_ip is registered in the EU. Helpful for GDPR compliance. |
conn.client_ip.geo.registered_location.metro_code | string | The metro code where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.subdivision | string | The name of the subdivision, in EN, where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.timezone | string | The name of the timezone where the conn.client_ip is registered. |
conn.client_ip.geo.registered_location.city
The name of the city, in EN, where the conn.client_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.city == 'Strongsville'
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.city == 'Strongsville'"
]
}
conn.client_ip.geo.registered_location.continent
The name of the continent, in EN, where the conn.client_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.continent == 'North America'
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.continent == 'North America'"
]
}
conn.client_ip.geo.registered_location.country
The name of the country, in EN, where the conn.client_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.country == 'United States'
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.country == 'United States'"
]
}
conn.client_ip.geo.registered_location.country_code
The two-letter ISO country code where the conn.client_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.country_code != 'US'
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.country_code != 'US'"
]
}
conn.client_ip.geo.registered_location.is_eu
Determines if the conn.client_ip
is in the EU. Helpful for GDPR compliance.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.is_eu == true
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.is_eu == true"
]
}
conn.client_ip.geo.registered_location.subdivision
The name of the subdivision, in EN, where the conn.client_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.subdivision == 'California'
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.subdivision == 'California'"
]
}
conn.client_ip.geo.registered_location.metro_code
The metro code where the conn.client_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.metro_code != ''
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.metro_code != ''"
]
}
conn.client_ip.geo.registered_location.timezone
The name of the timezone where the conn.client_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.client_ip.geo.registered_location.timezone == 'America/New_York'
// snippet
{
"expressions": [
"conn.client_ip.geo.registered_location.timezone == 'America/New_York'"
]
}
Server IP Intelligence
The following variables are available under the conn.server_ip
namespace:
Name | Type | Description |
---|---|---|
conn.server_ip.categories | list | The list of categories that classify the conn.server_ip . Check out our full list of categories. |
conn.server_ip.categories
The list of categories that classify the conn.server_ip
. Check out our full list of categories.
- YAML
- JSON
# snippet
---
expressions:
- "!('proxy.anonymous.tor' in conn.server_ip.categories)"
// snippet
{
"expressions": [
"!('proxy.anonymous.tor' in conn.server_ip.categories)"
]
}
Server IP Autonomous System
Name | Type | Description |
---|---|---|
conn.server_ip.as.number | integer | The Autonomous System Number of the conn.server_ip . |
conn.server_ip.as.organization | string | The Autonomous System Organization name of the conn.server_ip . |
conn.server_ip.as.number
The Autonomous System Number of the conn.server_ip
.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.as.number == 12345
// snippet
{
"expressions": [
"conn.server_ip.as.number == 12345"
]
}
conn.server_ip.as.organization
The Autonomous System Organization name of the conn.server_ip
.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.as.organization == 'COMCAST-7922'
// snippet
{
"expressions": [
"conn.server_ip.as.organization == 'COMCAST-7922'"
]
}
Server IP Location Geo
This is the location where the server IP address is located, which may be different from where the IP address is registered. For more details, see the MaxMind documentation.
Name | Type | Description |
---|---|---|
conn.server_ip.geo.location.city | string | The name of the city, in EN, where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.continent | string | The name of the continent, in EN, where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.country | string | The name of the country, in EN, where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.country_code | string | The two-letter ISO country code where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.is_eu | boolean | Determines if the conn.server_ip is located in the EU. Helpful for GDPR compliance. |
conn.server_ip.geo.location.latitude | string | The approximate latitude where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.longitude | string | The approximate longitude where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.metro_code | string | The metro code where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.postal_code | string | The postal code where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.radius | string | The radius in kilometers around the latitude and longitude where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.subdivision | string | The name of the subdivision, in EN, where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.timezone | string | The name of the timezone where the conn.server_ip is likely to originate. |
conn.server_ip.geo.location.city
The name of the city, in EN, where the conn.server_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.city == 'Strongsville'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.city == 'Strongsville'"
]
}
conn.server_ip.geo.location.continent
The name of the continent, in EN, where the conn.server_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.continent == 'North America'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.continent == 'North America'"
]
}
conn.server_ip.geo.location.country
The name of the country, in EN, where the conn.server_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.country == 'United States'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.country == 'United States'"
]
}
conn.server_ip.geo.location.country_code
The two-letter ISO country code where the conn.server_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.country_code != 'US'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.country_code != 'US'"
]
}
conn.server_ip.geo.location.is_eu
Determines if the conn.server_ip
location is in the EU. Helpful for GDPR compliance.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.is_eu == true
// snippet
{
"expressions": [
"conn.server_ip.geo.location.is_eu == true"
]
}
conn.server_ip.geo.location.latitude
The approximate latitude where the conn.server_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- double(conn.server_ip.geo.location.latitude) >= 45.0
// snippet
{
"expressions": [
"double(conn.server_ip.geo.location.latitude) >= 45.0"
]
}
conn.server_ip.geo.location.longitude
The approximate longitude where the conn.server_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- double(conn.server_ip.geo.location.longitude) <= -93.0
// snippet
{
"expressions": [
"double(conn.server_ip.geo.location.longitude) <= -93.0"
]
}
conn.server_ip.geo.location.metro_code
The metro code where the conn.server_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.metro_code != ''
// snippet
{
"expressions": [
"conn.server_ip.geo.location.metro_code != ''"
]
}
conn.server_ip.geo.location.postal_code
The postal code where the conn.server_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.postal_code == '94324'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.postal_code == '94324'"
]
}
conn.server_ip.geo.location.radius
The radius in kilometers around the latitude and longitude where the conn.server_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.radius <= '5'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.radius <= '5'"
]
}
conn.server_ip.geo.location.subdivision
The name of the subdivision, in EN, where the conn.server_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.subdivision == 'California'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.subdivision == 'California'"
]
}
conn.server_ip.geo.location.timezone
The name of the timezone where the conn.server_ip
is likely to originate.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.location.timezone == 'America/New_York'
// snippet
{
"expressions": [
"conn.server_ip.geo.location.timezone == 'America/New_York'"
]
}
Server IP Registered Location Geo
This is the location where the server IP address is registered, which may be different from where the IP address is located. For more details, see the MaxMind documentation.
Name | Type | Description |
---|---|---|
conn.server_ip.geo.registered_location.city | string | The name of the city, in EN, where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.continent | string | The name of the continent, in EN, where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.country | string | The name of the country, in EN, where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.country_code | string | The two-letter ISO country code where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.is_eu | boolean | Determines if the conn.server_ip is registered in the EU. Helpful for GDPR compliance. |
conn.server_ip.geo.registered_location.metro_code | string | The metro code where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.subdivision | string | The name of the subdivision, in EN, where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.timezone | string | The name of the timezone where the conn.server_ip is registered. |
conn.server_ip.geo.registered_location.city
The name of the city, in EN, where the conn.server_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.city == 'Strongsville'
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.city == 'Strongsville'"
]
}
conn.server_ip.geo.registered_location.continent
The name of the continent, in EN, where the conn.server_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.continent == 'North America'
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.continent == 'North America'"
]
}
conn.server_ip.geo.registered_location.country
The name of the country, in EN, where the conn.server_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.country == 'United States'
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.country == 'United States'"
]
}
conn.server_ip.geo.registered_location.country_code
The two-letter ISO country code where the conn.server_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.country_code != 'US'
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.country_code != 'US'"
]
}
conn.server_ip.geo.registered_location.is_eu
Determines if the conn.server_ip
is in the EU. Helpful for GDPR compliance.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.is_eu == true
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.is_eu == true"
]
}
conn.server_ip.geo.registered_location.subdivision
The name of the subdivision, in EN, where the conn.server_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.subdivision == 'California'
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.subdivision == 'California'"
]
}
conn.server_ip.geo.registered_location.metro_code
The metro code where the conn.server_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.metro_code != ''
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.metro_code != ''"
]
}
conn.server_ip.geo.registered_location.timezone
The name of the timezone where the conn.server_ip
is registered.
- YAML
- JSON
# snippet
---
expressions:
- conn.server_ip.geo.registered_location.timezone == 'America/New_York'
// snippet
{
"expressions": [
"conn.server_ip.geo.registered_location.timezone == 'America/New_York'"
]
}
IP Categories
The following categories are available to use with the IP Intelligence .categories
list.
The categories are hierarchal and can be matched at any level needed. For example, an IP with the category of com.cloudflare.ipv4
also has the categories
com
and com.cloudflare
. This can be helpful if you want to allow all IPs from Cloudflare using com.cloudflare
which would have both ipv4 and ipv6 lists.
Here's an example of how to block Tor exit node IPs from accessing your endpoint.
- YAML
- JSON
# snippet
---
expressions:
- "!('proxy.anonymous.tor' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('proxy.anonymous.tor' in conn.client_ip.categories)"
]
}
Or you can block all anonymous proxies which would include Tor as well as any other lists with the proxy.anonymous
category.
- YAML
- JSON
# snippet
---
expressions:
- "!('proxy.anonymous' in conn.client_ip.categories)"
// snippet
{
"expressions": [
"!('proxy.anonymous' in conn.client_ip.categories)"
]
}
Blocklists
Name | Description | Sources |
---|---|---|
blocklist.co.greensnow | From greensnow.co: GreenSnow is a team consisting of the best specialists in computer security, we harvest a large number of IPs from different computers located around the world. GreenSnow is comparable with Spamhaus for attacks of any kind except for spam. Our list is updated automatically and you can withdraw at any time your IP address if it has been listed. | Source |
blocklist.com.stopforumspam.toxic_ips | From stopforumspam.com: The data provided here represents what we believe will only ever be used to abuse. IP Addresses listed here will be returned in API results as "blacklisted". You would be very unlikely to see valid content from the IP addresses listed. | Source |
blocklist.de.blocklist.all | From BlockList.de: All IP addresses that have attacked one of our customers/servers in the last 48 hours. | Source |
blocklist.de.blocklist.apache | From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service Apache, Apache-DDOS, RFI-Attacks. | Source |
blocklist.de.blocklist.bots | From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the RFI-Attacks, REG-Bots, IRC-Bots or BadBots (BadBots = he has posted a Spam-Comment on a open Forum or Wiki). | Source |
blocklist.de.blocklist.bruteforcelogin | From BlockList.de: All IPs which attacks Joomlas, Wordpress and other Web-Logins with Brute-Force Logins. | Source |
blocklist.de.blocklist.ftp | From BlockList.de: All IP addresses which have been reported within the last 48 hours for attacks on the Service FTP. | Source |
blocklist.de.blocklist.imap | From BlockList.de: All IP addresses which have been reported within the last 48 hours for attacks on the Service imap, sasl, pop3. | Source |
blocklist.de.blocklist.mail | From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service Mail, Postfix. | Source |
blocklist.de.blocklist.sip | From BlockList.de: All IP addresses that tried to login in a SIP-, VOIP- or Asterisk-Server and are included in the IPs-List from http://www.infiltrated.net/ (Twitter). | Source |
blocklist.de.blocklist.strongips | From BlockList.de: All IPs which are older then 2 month and have more than 5,000 attacks. | Source |
blocklist.de.blocklist.ssh | From BlockList.de: All IP addresses which have been reported within the last 48 hours as having run attacks on the service SSH. | Source |
blocklist.net.emergingthreats.compromised_ips | From emergingthreats.net: Emerging Threats Intelligence from Proofpoint provides information on IP addresses and domains that may be compromised. | Source |
blocklist.org.firehol.abusers_1d | From firehol.org: An ipset made from blocklists that track abusers in the last 24 hours. | Source |
blocklist.org.firehol.abusers_30d | From firehol.org: An ipset made from blocklists that track abusers in the last 30 days. | Source |
blocklist.org.firehol.level_1 | From firehol.org: The objective is to create a blacklist that can be safe enough to be used on all systems, with a firewall, to block access entirely, from and to its listed IPs. The key prerequisite for this cause, is to have no false positives. All IPs listed should be bad and should be blocked, without exceptions. | Source |
blocklist.org.firehol.level_2 | From firehol.org: An ipset made from blocklists that track attacks, during the last 48 hours. | Source |
blocklist.org.firehol.level_3 | From firehol.org: An ipset made from blocklists that track attacks, spyware, viruses. It includes IPs than have been reported or detected in the last 30 days. | Source |
blocklist.org.spamhaus.drop.ipv4 | From spamhaus.org: Don't Route Or Peer (DROP) lists the worst of the worst IP traffic. It is an advisory “drop all traffic”, containing IP ranges which are so dangerous to internet users that Spamhaus provides access to anyone who wants to add this layer of protection, free of charge. | Source |
blocklist.org.spamhaus.drop.ipv6 | From spamhaus.org: Don't Route Or Peer (DROP) lists the worst of the worst IP traffic. It is an advisory “drop all traffic”, containing IP ranges which are so dangerous to internet users that Spamhaus provides access to anyone who wants to add this layer of protection, free of charge. | Source |
blocklist.org.team_cymru.fullbogons.ipv4 | From team-cymru.com: The traditional bogon prefixes, plus prefixes that have been allocated to RIRs but not yet assigned by those RIRs to ISPs, end-users, etc. | Source |
blocklist.org.team_cymru.fullbogons.ipv6 | From team-cymru.com: IPv6 "fullbogons", all IPv6 prefixes that have not been allocated to RIRs and that have not been assigned by RIRs to ISPs, end-users, etc. | Source |
Proxies / VPNs
Name | Description | Sources |
---|---|---|
proxy.anonymous.org.firehol | From firehol.org: An ipset that includes all the anonymizing IPs of the world. (includes: anonymous dm_tor firehol_proxies tor_exits) | Source |
proxy.anonymous.tor | These IPs are actively serving as Tor Exit nodes. | Source |
proxy.open.org.firehol | From firehol.org: An ipset made from all sources that track open proxies. It includes IPs reported or detected in the last 30 days. | Source |
proxy.vpn.protonvpn | The entry and exit IPs for ProtonVPN | Source |
Organizations
Amazon Web Services (AWS)
Name | Description | Sources |
---|---|---|
com.aws.sns | IPs from AWS SNS service | Source |
com.aws.us-east-1.sns | IPs from AWS SNS service for the us-east-1 region | Source |
com.aws.us-east-2.sns | IPs from AWS SNS service for the us-east-2 region | Source |
com.aws.us-west-1.sns | IPs from AWS SNS service for the us-west-1 region | Source |
com.aws.us-west-2.sns | IPs from AWS SNS service for the us-west-2 region | Source |
com.aws | IPs from AWS | Source |
Censys
Name | Description | Sources |
---|---|---|
io.censys.scanners | The IPs that Censys bots use to continually scan the entire public IPv4 address space across all possible IP and port combinations using automatic protocol detection. | Source |
Cloudflare
Name | Description | Sources |
---|---|---|
com.cloudflare.ipv4 | IPv4s from Cloudflare | IPv4, IPv6 |
com.cloudflare.ipv6 | IPv6s from Cloudflare | IPv4, IPv6 |
Datadog
Name | Description | Sources |
---|---|---|
com.datadog.agents | IPs for Datadog Agents | Source |
com.datadog.api | IPs for Datadog API | Source |
com.datadog.apm | IPs for Datadog APM | Source |
com.datadog.global | IPs for Datadog Global | Source |
com.datadog.logs | IPs for Datadog Logs | Source |
com.datadog.orchestrator | IPs for Datadog Orchestrators | Source |
com.datadog.process | IPs for Datadog Processes | Source |
com.datadog.remote-configuration | IPs for Datadog Remote Configurations | Source |
com.datadog.synthetics-private-locations | IPs for Datadog Synthetics Private Locations | Source |
com.datadog.synthetics | IPs for Datadog Synthetics | Source |
com.datadog.webhooks | IPs for Datadog Webhooks | Source |
com.datadog | IPs for Datadog | Source |
Delinea
Name | Description | Sources |
---|---|---|
com.delinea.<ipv4 | ipv6> | IPs for Delinea | Source |
Firehol
Name | Description | Sources |
---|---|---|
org.firehol.level_4 | From firehol.org: An ipset made from blocklists that track attacks, but may include a large number of false positives. | Source |
org.firehol.webserver | From firehol.org: A web server IP blacklist made from blocklists that track IPs that should never be used by your web users. This list includes IPs that are servers hosting malware, bots, etc or users having a long criminal history. | Source |
Github
Name | Description | Sources |
---|---|---|
com.github.actions_macos | IPs for Github Actions from MacOS | Source |
com.github.actions | IPs for Github Actions | Source |
com.github.api | IPs for the Github API | Source |
com.github.codespaces | IPs for Github Code Spaces | Source |
com.github.copilot | IPs for Github CoPilot | Source |
com.github.dependabot | IPs for Github Dependabot | Source |
com.github.git | IPs for Github Git | Source |
com.github.github_enterprise_importer | IPs for Github Enterprise Importer | Source |
com.github.hooks | IPs for Github Webooks | Source |
com.github.importer | IPs for Github Importer | Source |
com.github.packages | IPs for Github Packages | Source |
com.github.pages | IPs for Github Pages | Source |
com.github.web | IPs for Github Web | Source |
Stripe
Name | Description | Sources |
---|---|---|
com.stripe.api | The full list of IP addresses that api.stripe.com may resolve to | Source |
com.stripe.armada_gator | The full list of IP addresses that files.stripe.com, armada.stripe.com, and gator.stripe.com may resolve to | Source |
com.stripe.webhooks | The full list of IP addresses that Stripe webhook notifications may come from | Source |
com.teleport | Public address allow list for Teleport | Source |
Telegram
Name | Description | Sources |
---|---|---|
org.telegram | IPs for Telegram Bots | Source |
Vultr
Name | Description | Sources |
---|---|---|
com.vultr | IPs for Vultr | Source |