Call for IP address blacklist contributions

The next software release implements Rob's suggestion of a "download" button on the admin page network tab that populates the IP address blacklist text area from a file fetched from

Those of you that have curated extensive blacklists, that you'd like to see merged into that file, please post them here and I'll include them for the initial version. The file can be viewed manually at


  • Just a simple bash script to create an ipset from this file on a personal frp-server (for example):


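    ipset -N kiwiblacknets nethash

    # BLACKLIST_URL is a placeholder for the address of the blacklist file
    wget -q -O - "$BLACKLIST_URL" | grep -o '".*"' | sed 's/"//g' | while read -r NET
    do
        ipset -A kiwiblacknets "$NET"
    done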


    After running it, check it (ipset -L kiwiblacknets) and add a drop rule to the iptables INPUT chain:

    iptables -I INPUT -m set --match-set kiwiblacknets src -j DROP

  • I'll revisit/refresh my lists as I was a bit too quick to block wide swathes of IPs rather than drill down and try to limit them to the subnet associated with the company.

    Now if I could block any IP that comes back as under the control of I would.

    Someone seems to use a very wide range of addresses from them to get round blacklists. I've built /16 addresses around some of the connecting addresses, but as they can be Germany, US, Japan etc some legitimate connections would be unfairly blocked. Doesn't matter for me but would for a decent SDR site.

    Yesterday's IP's active on my blocklists (not the ones) - 376 times - 1104 - 4 - 106

  • Here is the blacklist I am using at KFS and KPH:

  • Some dupes in there and singles (/32) covered under wider ranges.

    I think a shorter version is

  • The javascript that downloads the blacklist does consistency checks that can then be fed back into correcting and minimizing the list. This was essential to make merging of lists from multiple contributors less error prone than if done by hand.

    For example a blacklist containing, followed later on by, has the /24 removed. And is AND'ed with its netmask to obtain Also simple things like dups are removed.
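
The checks described in the post above (masking each entry with its netmask, dropping duplicates, and removing ranges already covered by a wider one), as an added example that is not part of the original post and is not the KiwiSDR code. The function names and the sample list are constructed for illustration, and the cleaned list comes back sorted widest range first.

```javascript
// Added example: IPv4 CIDR blacklist clean-up. All names and sample data are constructed.
function parseCidr(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/.exec(text.trim());
  if (!m) return null;
  const o = m.slice(1, 5).map(Number);
  const bits = m[5] === undefined ? 32 : Number(m[5]);   // bare address means /32
  if (o.some(v => v > 255) || bits > 32) return null;
  const ip = ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
  // A shift by 32 is a no-op in JavaScript, so /0 needs its own case.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { net: (ip & mask) >>> 0, mask, bits, hostBits: (ip & ~mask) !== 0 };
}

const toText = e => [24, 16, 8, 0].map(s => (e.net >>> s) & 255).join('.') + '/' + e.bits;

function normalizeBlacklist(lines) {
  const notes = [], seen = new Set(), parsed = [];
  for (const line of lines) {
    const e = parseCidr(line);
    if (!e) { notes.push(`invalid: ${line}`); continue; }
    if (e.hostBits) notes.push(`masked: ${line} -> ${toText(e)}`);
    if (seen.has(toText(e))) { notes.push(`duplicate: ${line}`); continue; }
    seen.add(toText(e));
    parsed.push(e);
  }
  // Widest ranges first: anything that can cover an entry is already in `kept`.
  parsed.sort((a, b) => a.bits - b.bits || a.net - b.net);
  const kept = [];
  for (const e of parsed) {
    const cover = kept.find(k => ((e.net & k.mask) >>> 0) === k.net);
    if (cover) notes.push(`covered: ${toText(e)} by ${toText(cover)}`);
    else kept.push(e);
  }
  return { list: kept.map(toText), notes };
}

// Constructed sample: a /24 listed before the /16 that contains it, host bits set,
// a single address inside a listed /24, a duplicate, and a malformed line.
const sample = ['10.1.2.0/24', '198.51.100.7/24', '203.0.113.5', '10.1.0.0/16',
                '203.0.113.0/24', '198.51.100.0/24', 'not-an-ip'];
console.log(normalizeBlacklist(sample));
```

The `notes` array is what a maintainer would feed back into the master list when merging contributions from several people.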

  • Thanks John,

    I look forward to being freed of blacklist maintenance. My Kiwis are still running v1.461 from Aug 16th. Will there be a new build or a new version which includes your auto-blacklist feature?


  • Yes, I'm trying to get v1.462 ready for release. Almost 5000 lines of changes/additions. So lots of checking and testing required. And we know my track record on that isn't so good 🙄

  • Goodness, when are you going to label a release V2.0 ;=)

  • jks
    edited August 30

    An excellent question. I was saving v2.x for after there is a proper mobile interface implemented, user preferences and a few other major improvements that have been in the queue for years now.

  • edited September 13

    I looked at Vultr Scans from 5th September to 11th (part day). Bear in mind my Kiwi is not publicly listed (or if it is that is an old listing) Many of these IP's were in the syslog "3 times" or "6 times" for one count here    188 times    12     88   884    136     86    3982    404     7102   69    1283    564    909     1      1550   1651     964      20    24   799    516     707      31      30     40

    That is (mostly) just the scan mechanism, the actual connecting machines will be different (and fewer) but I have little interest in following that up.

    Some of these like are probably not Vultr, that might be one of the actual servers that connect, can't remember the exact sequence, but once I spot the fingerprint of Vultr scan - hand off for access it gets (grumpy - manually) associated with this list. It is possible an odd IP got listed that is OK but as the SDR is not listed that would have to be "Old listing" + Similar range to scan bots.

    Also I'm not saying these are bad actors but they do have the feel of bots looking to tie up channels and scrape data and unless that is what your SDR is online for I'd reject the connection.

    This also does not cover my other "bad actors" list built up from actual connections that tied up the channels to timeout or acted like Mil HF sniffing bots.



    (2021-09-13) Today's Vultr addition

    Does seem like they have enough funds to use a lot of global VMs or IPs.

  • A bot from IP is very active now. I recommend that everyone put its network on the blacklist, as @Powernumpty did, or the full CIDR for this IP:

  • That listing was from Rob, I was just trimming it down, I will change my local firewall to /12 tnx.

    For some reason I don't generally get hit by that IP or range. I might be targeting sites that have been public recently.

    Yesterday's Vultr addition

    I also see possible Bots on for 36 seconds, default frequency every time

    Sep 7 18:21:06 Dest Kiwi, Source "" (LEAVING after 0:00:37)

    Sep 8 22:59:20 Dest Kiwi, Source "" (LEAVING after 0:00:36)

    Sep 12 12:35:24 Dest Kiwi, Source "" (LEAVING after 0:00:36)

    Sep 13 11:30:05 Dest Kiwi, Source "" (LEAVING after 0:00:36)

    Sep 14 11:04:31 Dest Kiwi, Source "" (LEAVING after 0:00:37)

  • jks
    edited September 17

    Thanks Yuri. Click the "download" button on the admin network page to get a new blacklist that expands that IP range from 39.105/16 to 39.96/12.

  • edited September 17

    Thanks for the blacklist feature John!

    How will we know when you have updated your master copy?

  • Added another ip belonging to to my local list: ""


  • Today's Vultr

    Followed up by

  • edited October 18

    And also these added today (originating from vultr / constant) :

  • edited October 22

    Vultr very active with scanning my Kiwi the last couple of days and I added these as well:

    This is like a hydra, chop off one head and another one grows back right away... Shortly after adding one range to the IP block list the "vultures" are back via another server, sometimes from a different part of the world.

  • edited October 22

    That (perhaps) is just the scanner, I think we should record the IP that connects once the Vultrs have noticed an accessible radio. Simple scanners on new short term VMs are probably cheap but moving the main info gathering servers' IPs might be more problematic.

    iptraf-ng is quite interesting to watch after Vultr finds us, I'm only using or two channels, not sure how badly it would affect multiple users so don't recommend for popular radios. I did just have my Kiwi go slow (I don't think it was running).