ufw-blocklist enhances the Ubuntu ufw firewall by integrating a daily-updated IP blocklist using ipsets for efficient network traffic blocking.
IP blocklist extension for Ubuntu ufw firewall
This tool is designed for Ubuntu users who want to automatically block malicious or unwanted IP addresses at the firewall level, particularly on systems exposed to the internet such as home gateways or public servers. It is ideal for administrators seeking a low-maintenance, resource-efficient solution to reduce unsolicited inbound, outbound, and forwarded traffic.
This tool requires Ubuntu with ufw and ipset installed and is best suited for systems with public IP exposure. It is designed to be low maintenance, with daily automatic updates via a cron job. Users should back up the original ufw configuration files before installation. The blocklist can be manually flushed and modified for testing, but regular updates should be managed via the provided cron script to maintain effectiveness.
Install the ipset package: sudo apt install ipset
Backup the original ufw after.init script: sudo cp /etc/ufw/after.init /etc/ufw/after.init.orig
Clone the ufw-blocklist repository: git clone https://github.com/poddmo/ufw-blocklist.git
Change directory to the cloned repo: cd ufw-blocklist
Copy after.init to ufw directory: sudo cp after.init /etc/ufw/after.init
Copy the cron job script: sudo cp ufw-blocklist-ipsum /etc/cron.daily/ufw-blocklist-ipsum
Set ownership to root: sudo chown root:root /etc/ufw/after.init /etc/cron.daily/ufw-blocklist-ipsum
Set permissions: sudo chmod 750 /etc/ufw/after.init /etc/cron.daily/ufw-blocklist-ipsum
Download initial IP blocklist: curl -sS -f --compressed -o ipsum.4.txt 'https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt'
Set permissions on the blocklist file: sudo chmod 640 ipsum.4.txt
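Before a freshly downloaded level file is loaded into the ufw-blocklist-ipsum set, it is worth checking that it contains only well-formed public IPv4 addresses: a stray RFC 1918, loopback or multicast entry would block the gateway's own LAN rather than an attacker. The script below is an added example and is not part of ufw-blocklist or the ipsum project. It assumes the level file holds one IPv4 address per line (the first whitespace-separated field is taken, anything after # is ignored), and that the target is an existing hash:ip set whose name is passed as an argument; the sample input at the bottom is constructed, not upstream data.

```sh
#!/bin/sh
# Added example (not ufw-blocklist's own code): sanity-check a downloaded
# ipsum level file and turn it into "ipset restore" input.
# Assumption: one IPv4 address per line, optional "# comment" suffix.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255
is_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# is_reserved ADDR: succeed for ranges that must never be blocked on a
# gateway: "this" network, RFC 1918, loopback, link-local, multicast/reserved
is_reserved() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    a=$1
    b=$2
    if [ "$a" -eq 0 ] || [ "$a" -eq 10 ] || [ "$a" -eq 127 ]; then return 0; fi
    if [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then return 0; fi
    if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 0; fi
    if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then return 0; fi
    if [ "$a" -ge 224 ]; then return 0; fi
    return 1
}

# filter_blocklist FILE: print unique valid, non-reserved addresses from
# FILE, one per line; rejected lines are reported on stderr and dropped
filter_blocklist() {
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}      # drop trailing comments
        set -f                # no globbing while splitting the line
        set -- $line          # first whitespace-separated field is the address
        set +f
        [ $# -eq 0 ] && continue
        ip=$1
        if ! is_ipv4 "$ip"; then
            printf 'skipping malformed entry: %s\n' "$ip" >&2
            continue
        fi
        if is_reserved "$ip"; then
            printf 'skipping reserved address: %s\n' "$ip" >&2
            continue
        fi
        printf '%s\n' "$ip"
    done < "$file" | sort -u
}

# count_valid FILE: number of addresses that would actually be loaded
count_valid() {
    filter_blocklist "$1" 2>/dev/null | wc -l | tr -d ' '
}

# restore_script FILE SETNAME: "ipset restore" input for an existing set
restore_script() {
    filter_blocklist "$1" 2>/dev/null | awk -v set="$2" '{ print "add " set " " $0 }'
}

# Constructed sample input (not upstream data): two valid entries, a
# duplicate, addresses in ranges that must never be blocked, and junk lines.
sample=$(mktemp)
printf '%s\n' \
    '# constructed sample' \
    '203.0.113.7' \
    '198.51.100.22' \
    '203.0.113.7' \
    '192.168.1.10' \
    '127.0.0.1' \
    '300.1.1.1' \
    'not-an-ip' > "$sample"
echo "entries that would be loaded: $(count_valid "$sample")"
restore_script "$sample" ufw-blocklist-ipsum
rm -f "$sample"
```

Running it against the downloaded file and piping the restore output into `sudo ipset restore` loads only the entries that passed the checks; the stderr lines from filter_blocklist show what was dropped and why, which is the part to read before trusting a new blocklist source.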
sudo /etc/ufw/after.init start
Starts the ufw-blocklist service and loads the IP blocklist into ipset.
sudo /etc/ufw/after.init status
Displays the current blocklist entry count, firewall hit counts, and recent log entries.
sudo /etc/ufw/after.init flush-all
Deletes all entries from the blocklist and resets iptables hit counters.
sudo ipset add ufw-blocklist-ipsum a.b.c.d
Manually adds a specific IP address to the blocklist for testing or immediate blocking.
sudo ipset list ufw-blocklist-ipsum -terse | grep 'Number of entries'
Monitors the progress of loading blocklist entries into the ipset.