Configuring CSF and LFD – The Best Linux Server Security 2026
Here is a current (as of early January 2026) list of recommended sources of bad IPs (malicious IP addresses) that should be added to the server's ban list (iptables, firewalld, CSF, fail2ban with an external list, or ISPmanager → Security → IP Blocking).
Important:
- Don't copy thousands of IP addresses manually: it's inefficient and the list will quickly become outdated.
- Use automatic list updating (cron + wget/curl + iptables-restore, or fail2ban with a jail for external lists).
The best and most relevant sources as of January 2026 (I recommend using all of them, or at least the top 4)
| No. | Source | What it blocks | Link to the list (direct) | Update frequency | Size (approximate) | False positive rate |
|---|---|---|---|---|---|---|
| 1 | AbuseIPDB Top 10,000 (most popular) | Brute-force, scanners, spam, attacks | https://www.abuseipdb.com/download?confidence=100 (requires free API key) | Daily | 10,000+ | Low |
| 2 | blocklist.de | SSH, FTP, mail, web brute-force, bots | https://lists.blocklist.de/lists/all.txt | Every 12 hours | 50-150 thousand | Low-medium |
| 3 | IPsum (stamparm), level ≥3 | Aggregation of 30+ lists (very aggressive) | https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt | Daily | 5–20 thousand | Very low (best balance) |
| 4 | FireHOL Level 1 (I recommend starting with this one) | The most proven, minimal false positives | http://iplists.firehol.org/files/firehol_level1.netset | Several times a day | 5-15 thousand | Minimal |
| 5 | Spamhaus DROP + EDROP | Spam, botnets, malware C&C | https://www.spamhaus.org/drop/drop.txt + https://www.spamhaus.org/drop/edrop.txt | Several times a day | 1–5 thousand | Very low |
| 6 | Emerging Threats Compromised IPs | Known infected/malicious hosts | https://rules.emergingthreats.net/blockrules/compromised-ips.txt | Daily | 2–10 thousand | Low |
| 7 | Project Honey Pot (fresh only) | Spam, dictionary attacks | https://www.projecthoneypot.org/list_of_ips.php (parse manually or via API) | Real time | Top 25–100 | Low |
Quick Start - What to Edit Right Now (If You're Too Lazy to Set Up Auto-Updates)
Here are some real active IPs from the latest lists of January 2026 (according to Project Honey Pot, blocklist.de and IPsum):
But this is a drop in the ocean: they will be replaced by new ones within a week.
Recommended setup for your server (CentOS/Alma/Debian with ISPmanager)
Fail2Ban + external list (the simplest and most effective option):
```ini
# In jail.local or jail.d/custom.conf
[abuseipdb]
enabled = true
port = 0:65535
filter = abuseipdb
# the downloaded list itself is the "log" fail2ban reads, one IP per line
logpath = /etc/fail2ban/ip-blacklist.txt
maxretry = 1
findtime = 3600
# one week
bantime = 604800
# DROP instead of the default REJECT
action = iptables-allports[blocktype=DROP]

# Create the filter /etc/fail2ban/filter.d/abuseipdb.conf
[Definition]
failregex = ^<HOST>\s*$
ignoreregex =

# Download the list from cron (once a day)
15 4 * * * root curl -s https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt -o /etc/fail2ban/ip-blacklist.txt && fail2ban-client reload abuseipdb
```
Just iptables + cron (if you don't want fail2ban):
```bash
#!/bin/bash
# Example script /root/update-badips.sh
curl -s https://lists.blocklist.de/lists/all.txt | grep -v '^#' | while read -r ip; do
    # -C checks whether the rule already exists, so reruns from cron don't duplicate it;
    # -I inserts at the top so the DROP is evaluated before any ACCEPT rules
    iptables -C INPUT -s "$ip" -j DROP 2>/dev/null || iptables -I INPUT -s "$ip" -j DROP
done
# or better: ipset + iptables for thousands of IPs
```
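The "ipset + iptables" variant mentioned above, as an added example (not code from the original post): the list is validated before use, loaded into a temporary set and swapped in atomically, so a truncated download never empties the ban list and only one iptables rule is ever needed. It assumes ipset and iptables are installed; LIST_URL, SET_NAME and MIN_ENTRIES are placeholders to adjust.

```shell
#!/bin/bash
# Added example (not from the original post): refresh a blocklist into an ipset.
# Assumptions: ipset/iptables installed; LIST_URL, SET_NAME, MIN_ENTRIES are placeholders.
set -eu
LIST_URL="https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt"
SET_NAME="badips"
MIN_ENTRIES=100   # refuse to swap in a suspiciously small (empty/truncated) list

# Keep only syntactically valid IPv4 addresses or CIDR ranges from stdin:
# drops comments, blank lines, CRs, trailing columns and out-of-range octets/prefixes.
parse_blocklist() {
    tr -d '\r' | grep -v '^[[:space:]]*#' | awk '{print $1}' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | awk -F'[./]' '{ ok = 1
                      for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
                      if (NF == 5 && $5 > 32) ok = 0
                      if (ok) print }' \
    | sort -u
}

# Download, validate, and swap the new set in place of the live one.
apply_blocklist() {
    tmp="${SET_NAME}_tmp"
    entries=$(curl -fsS --max-time 60 "$LIST_URL" | parse_blocklist)
    count=$(printf '%s\n' "$entries" | grep -c . || true)
    if [ "$count" -lt "$MIN_ENTRIES" ]; then
        echo "refusing to apply: only $count valid entries parsed" >&2
        return 1
    fi
    # Build the new set beside the live one; 'swap' is atomic, so iptables
    # keeps matching the old set until the new one is complete.
    ipset create "$SET_NAME" hash:net maxelem 262144 -exist
    ipset create "$tmp" hash:net maxelem 262144 -exist
    ipset flush "$tmp"
    printf '%s\n' "$entries" | sed "s/^/add $tmp /" | ipset restore -exist
    ipset swap "$tmp" "$SET_NAME"
    ipset destroy "$tmp"
    # A single rule that matches the whole set; insert it only if it is missing.
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
    echo "applied $count entries to ipset $SET_NAME"
}

# Run with an explicit 'apply' argument (e.g. from cron); sourcing only defines functions.
if [ "${1:-}" = "apply" ]; then apply_blocklist; fi
```

Add your own management IP to a separate allow set or an earlier ACCEPT rule before the first run, since aggregated lists occasionally contain addresses you still need to reach the server from.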
Conclusion : Don't waste time manually copying 10–20 IP addresses. Set up automatic updates for at least one of the top 3 lists (IPsum level3 or blocklist.de all) – this will block 90–95% of real attacks on SSH, web, email, and the control panel.
If you already have Fail2Ban/CSF or need help with a specific command, we'll set it up for you!
CSF (ConfigServer Security & Firewall) is a more powerful tool: it's a full-fledged firewall + intrusion detection system (LFD) + geo-blocking + connection limits + flood protection, etc.
Ready? Then join in!
Important news for January 2026
The official ConfigServer developers shut down the project on August 31, 2025. The configserver.com website is no longer active and auto-updates are broken, but the code was released under GPLv3. CSF still works if you install the latest version (v15.00+) from GitHub and disable auto-updates.
Many servers (including those with ISPmanager) continue to use CSF without problems, but alternatives (firewalld + Fail2Ban) are becoming more popular.
Which to choose in 2026: Fail2Ban or CSF (or both)?
- Fail2Ban alone is enough for 80-90% of cases (especially if the server is not under heavy attack).
- Fail2Ban + CSF is the classic hosting setup and gives maximum protection (Fail2Ban for logs, CSF for the firewall and real-time LFD).
- Switch to firewalld + Fail2Ban: a modern and completely free option without "dead" software.
Option: Install CSF (the most popular one now)
(Works on AlmaLinux/CentOS/RHEL 8/9, Debian 11/12)
```bash
# 1. Go to the working directory
cd /usr/src
# 2. Download a fresh archive (I recommend .zip; if you want .tgz, see below)
# Option A: direct download from their new server (the most stable)
wget https://download.configserver.dev/csf.zip
# or: curl -O https://download.configserver.dev/csf.zip
# Option B: if you prefer the .tgz from the fork's releases (check the current version at https://github.com/Aetherinox/csf-firewall/releases)
# wget https://github.com/Aetherinox/csf-firewall/releases/download/15.08/csf-firewall-v15.08.tgz   # replace with the latest version
# 3. Unpack
unzip csf.zip -d csf   # for .zip
# or
# tar -xzf csf.tgz
# cd csf   # if .tgz
# 4. Enter the directory and install/update
cd csf
sh install.sh
# 5. Check the version (should be 15.0x)
csf -v
```
After installation, be sure to disable automatic updates (to avoid errors):
nano /etc/csf/csf.conf
Find the line:
```
AUTO_UPDATES = "1"
# Replace with:
AUTO_UPDATES = "0"
```
Save and restart CSF:
csf -r
Alternative mirrors (if the main one doesn't work)
- https://github.com/centminmod/configserver-scripts/raw/refs/heads/main/csf.tgz (fork by Centmin Mod, reliable)
- https://github.com/Black-HOST/csf/releases (another active fork; download the .tgz from the releases)
- Some hosting providers mirror it: wget https://congocloud.net/csf.tgz (check that it is current)
What to do next (after installation)
- Testing: first leave TESTING = "1" in csf.conf for 1-2 days (it won't block anything, but it will log).
- Set up ports: add the required ones to TCP_IN (22, 80, 443, 1500 for ISPmanager, mail 25/465/587/993/995, etc.).
- Enable it fully: TESTING = "0" → csf -r → csf -e
- Continue using Fail2Ban in parallel: they complement each other well (Fail2Ban bans by logs, CSF by connections/flood/LFD).
If an error occurs during installation (for example, perl modules or iptables/nftables), send the output of sh install.sh, and we'll figure it out.
- Set up testing first: in the same file, find TESTING = "1" and leave it like that for 1-2 days (it won't block anything, but it will log).
- When ready, change it to TESTING = "0", then:
```bash
csf -r   # restart the rules
csf -e   # enable CSF + LFD fully
```
If you get an error about perl or modules when running sh install.sh, install the missing parts:
- AlmaLinux/CentOS/RHEL: dnf install perl perl-libwww-perl -y
- Debian/Ubuntu: apt update && apt install perl libwww-perl -y
Additional dependencies (if installation fails on Perl modules)
On AlmaLinux/CentOS/RHEL:
dnf install perl perl-libwww-perl perl-Net-SSLeay perl-IO-Socket-SSL -y
On Debian/Ubuntu:
apt update && apt install perl libwww-perl libnet-ssleay-perl libio-socket-ssl-perl -y
What to do next: full activation (I recommend double-checking everything)
Open the config (this is the main settings file):
nano /etc/csf/csf.conf
Find the line (usually at the very beginning, around line 80–100):
```
TESTING = "1"   # must be 0
```
Restart CSF + LFD (will apply new rules):
```bash
csf -r   # reload the rules (restart)
csf -e   # enable (if needed; -r is usually enough)
```
Check the status:
csf -v
Should show the version without warnings about TESTING.
Or the full test:
perl /usr/local/csf/bin/csftest.pl
Everything should be OK (no FATAL).
Check that LFD is running:
systemctl status lfd
It should be active (running). If not, start it:
```bash
systemctl start lfd
systemctl enable lfd   # start automatically on reboot
```
Important recommendations before disabling TESTING
- Make sure that all the required ports for your server with ISPmanager are open in TCP_IN (in the same csf.conf):
- 22 (SSH) - a must!
- 80, 443 (HTTP/HTTPS nginx)
- 1500 (ISPmanager panel, if not proxied)
- Mail: 25, 465, 587 (SMTP), 993, 995 (IMAP/POP3), 143, 110
- MySQL: 3306 (only if external access is needed; better to keep it closed!)
- Example line (ports separated by commas):
```
TCP_IN = "22,80,443,1500,25,465,587,993,995"
```
- Similar to TCP_OUT (usually leave everything, but can be limited).
- Add your IP to csf.allow (to avoid accidentally banning yourself):
```bash
echo "tcp|in|d=22|s=YOUR_IP" >> /etc/csf/csf.allow   # example for SSH
csf -r
```
RESTRICT_SYSLOG being disabled is a separate security warning (syslog may be readable by all users). To fix it: in csf.conf, find RESTRICT_SYSLOG and set RESTRICT_SYSLOG = "3" (the most secure option, but it may require the syslog group; if it complains, set it to 2). Then run csf -r.
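A pre-flight check for the recommendations above, as an added example (not part of the original post or of CSF itself): it reads csf.conf and csf.allow and reports whether TESTING, AUTO_UPDATES, RESTRICT_SYSLOG, the SSH port in TCP_IN and an admin entry in csf.allow are set the way this guide asks before you switch TESTING to "0". Paths are the CSF defaults; SSH_PORT is an assumption (override it if sshd listens elsewhere).

```shell
#!/bin/sh
# Added example (not from the original post or CSF): pre-flight check before TESTING = "0".
# Assumptions: default CSF paths; SSH_PORT defaults to 22 and can be overridden.
CSF_CONF="${CSF_CONF:-/etc/csf/csf.conf}"
CSF_ALLOW="${CSF_ALLOW:-/etc/csf/csf.allow}"
SSH_PORT="${SSH_PORT:-22}"

# Print the value of a csf.conf key; lines look like:  TESTING = "1"
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$CSF_CONF" | tail -n 1
}

# Succeed if port $1 appears in the comma-separated list $2 (TCP_IN, TCP_OUT),
# either as a single port or inside a low:high range.
port_listed() {
    conf_value "$2" | tr ',' '\n' | awk -F: -v p="$1" \
        'NF == 1 && $1 == p { f = 1 } NF == 2 && p >= $1 && p <= $2 { f = 1 } END { exit !f }'
}

is_2_or_3() { [ "$1" = "2" ] || [ "$1" = "3" ]; }

# Succeed if csf.allow has at least one real entry (plain IP or tcp|in|... rule).
has_allow_entry() { grep -qsE '^([0-9]+\.|tcp\|in\|)' "$CSF_ALLOW"; }

# Run every check, print ok/FAIL per line, return non-zero if any failed.
csf_preflight() {
    status=0
    check() {   # check <label> <command...>
        label=$1; shift
        if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; status=1; fi
    }
    check "TESTING is 0 (rules are enforced)"      [ "$(conf_value TESTING)" = "0" ]
    check "AUTO_UPDATES is 0 (upstream is gone)"   [ "$(conf_value AUTO_UPDATES)" = "0" ]
    check "RESTRICT_SYSLOG is 2 or 3"              is_2_or_3 "$(conf_value RESTRICT_SYSLOG)"
    check "SSH port $SSH_PORT is in TCP_IN"        port_listed "$SSH_PORT" TCP_IN
    check "csf.allow has an admin entry"           has_allow_entry
    return $status
}

# Run with an explicit 'run' argument: sh csf-preflight.sh run
if [ "${1:-}" = "run" ]; then csf_preflight; fi
```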
After these steps, CSF + LFD will be fully functional:
- Block brute-force (SSH, panel, mail)
- Protect from flooding/scans
- Works together with Fail2Ban (they do not conflict)
If errors appear after changing TESTING to 0 and restarting (lockout, LFD does not start), send the output of systemctl status lfd or tail -n 50 /var/log/lfd.log and I will help fix it quickly.
Your server is now much more secure.
This method works on 99% of servers in 2026. Good luck, your server will be reliably protected!