The KiwiSDR 2 online store is open for orders! Please visit
Please visit (documentation) and (online store)

Call for IP address blacklist contributions

The next software release implements Rob's suggestion of a "download" button on the admin page network tab that populates the IP address blacklist text area from a file fetched from

Those of you that have curated extensive blacklists, that you'd like to see merged into that file, please post them here and I'll include them for the initial version. The file can be viewed manually at



  • Just simple bash script for create ipset from this file on personal frp-server (for example):


    ipset -N kiwiblacknets nethash

    wget -q -O - | grep -o '".*"' | sed 's/"//g' | while read NET


    ipset -A kiwiblacknets $NET


    After run, - check it (ipset -L kiwiblacknets) and add drop rule to input iptables:

    iptables -I INPUT -m set --match-set kiwiblacknets src -j DROP

  • I'll revisit/refresh my lists as I was a bit to quick to block wide swathes of IP's rather than drill down and try and limit it them to the subnet associated with the company.

    Now if I could block any IP that comes back as under the control of I would.

    Someone seems to use a very wide range of addresses from them to get round blacklists. I've built /16 addresses around some of the connecting addresses, but as they can be Germany, US, Japan etc some legitimate connections would be unfairly blocked. Doesn't matter for me but would for a decent SDR site.

    Yesterday's IP's active on my blocklists (not the ones) - 376 times - 1104 - 4 - 106

  • Here is the blacklist I am using at KFS and KPH:

  • Some dupes in there and singles (/32) covered under wider ranges.

    I think a shorter version is

  • The javascript that downloads the blacklist does consistency checks that can then be fed back into correcting and minimizing the list. This was essential to make merging of lists from multiple contributors less error prone than if done by hand.

    For example a blacklist containing, followed later on by, has the /24 removed. And is AND'ed with its netmask to obtain Also simple things like dups are removed.

  • Thanks John,

    I look forward to being freed of blacklist maintenance. My Kiwis are still running v1.461 from Aug 16th. Will there be a new build or a new version which includes your auto-blacklist feature?


  • Yes, I'm trying to get v1.462 ready for release. Almost 5000 lines of changes/additions. So lots of checking and testing required. And we know my track record on that isn't so good 🙄

  • Goodness, when are you going to label a release V2.0 ;=)

  • jksjks
    edited August 2021

    An excellent question. I was saving v2.x for after there is a proper mobile interface implemented, user preferences and a few other major improvements that have been in the queue for years now..

  • edited September 2021

    I looked at Vultr Scans from 5th September to 11th (part day). Bear in mind my Kiwi is not publicly listed (or if it is that is an old listing) Many of these IP's were in the syslog "3 times" or "6 times" for one count here    188 times    12     88   884    136     86    3982    404     7102   69    1283    564    909     1      1550   1651     964      20    24   799    516     707      31      30     40

    That is (mostly) just the scan mechanism, the actual connecting machines will be different (and fewer) but I have little interest in following that up.

    Some of these like are probably not Vultr, that might be one of the actual servers that connect, can't remember the exact sequence, but once I spot the fingerprint of Vultr scan - hand off for access it gets (grumpy - manually) associated with this list. It is possible an odd IP got listed that is OK but as the SDR is not listed that would have to be "Old listing" + Similar range to scan bots.

    Also I'm not saying these are bad actors but they do have the feel of bots looking to tie up channels and scrap data and unless that is what your SDR is online for I'd reject the connection.

    This also does not cover my other "bad actors" list built up from actual connections that tied up the channels to timeout or acted like Mil HF sniffing bots.



    (2021-09-13) Today's Vultr addition

    Does seem like they have enough funds to use a lot of global VM's or IP's.

  • Bot from IP is very active now, I recommend for all put his network to BlackList, how did @Powernumpty to do or full CIDR for this IP:

  • That listing was from Rob, I was just trimming it down, I will change my local firewall to /12 tnx.

    For some reason I don't generally get hit by that IP or range. I might be targeting sites that have been public recently.

    Yesterday's Vultr addition

    I also see possible Bots on for 36 seconds, default frequency every time

    Sep 7 18:21:06 Dest Kiwi, Source "" (LEAVING after 0:00:37)

    Sep 8 22:59:20 Dest Kiwi, Source "" (LEAVING after 0:00:36)

    Sep 12 12:35:24 Dest Kiwi, Source "" (LEAVING after 0:00:36)

    Sep 13 11:30:05 Dest Kiwi, Source "" (LEAVING after 0:00:36)

    Sep 14 11:04:31 Dest Kiwi, Source "" (LEAVING after 0:00:37)

  • jksjks
    edited September 2021

    Thanks Yuri. Click the "download" button on the admin network page to get a new blacklist that expands that ip range to from 39.105/16 to 39.96/12

  • edited September 2021

    Thanks for the blacklist feature John!

    How will we know when you have updated your master copy?

  • Added another ip belonging to to my local list: ""


  • Today's Vultr

    Followed up by

  • edited October 2021

    And also these added today (originating from vultr / constant) :

  • edited October 2021

    Vultr very active with scanning my Kiwi the last couple of days and I added these as well:

    This is like hydra, chop off one head and another one grows back right away...Shortly after adding one range to the ip block list the "vultures" are back via another server sometimes from a different part of the world.

  • edited October 2021

    That (perhaps) is just the scanner, I think we should record the IP that connects once the Vultr's have noticed an accessible radio. Simple scanners on new short term VM's are probably cheap but moving the main info gathering servers IP's might be more problematic.

    iptraf-ng is quite interesting to watch after Vultr finds us, I'm only using or two channels, not sure how badly it would affect multiple users so don't recommend for popular radios. I did just have my Kiwi go slow (I don't think it was running).

  • Good morning,

    I have a question about the blacklist.

    On my Kiwi, a few weeks ago I had an IP address connected h / 24 on a single am frequency where there are no transmissions, after performing the Kick I noticed that 7 seconds maximum it reconnected, to which I decided to blacklist the address.

    The next day I find myself connected on the same frequency and in the same ways the IP, both belonging to the same domain [].

    The question is simple, what should I write in the admin blacklist box to block all addresses?

    I read something about the CIDR but I still have some doubts, it might be right to block all 65.536 addresses of the domain.

    Thanks for the help


  • edited December 2021

    Hi Fabrys,

    It is normally enough to add a mask after the IP, this covers a range of addresses. For example

    Covers -

    That would include the two you have seen and a good few more, I'd be more precise if they were local.




    The proper way to do it is probably to find the range of addresses covered by the domain you want to block, then use that range, or ranges. That works if the details are readily available and you are concerned about blocking indiscriminately. I started out like that but after seeing IP's change every few days at most I realised some geographically specific ranges seem safe to just block without affecting genuine users.

  • jksjks
    edited December 2021

    I just added and to the list fetched by the "Download" button on the admin page, network tab. So just click that and don't worry about what to enter in the "IP address blacklist" field.

    UNLESS you've made a bunch of custom changes to the field you don't want overwritten by the download (in which case you should already know how to add the new entries manually).

  • Hi Stu ....

    thanks for the tip, I'll do some tests hoping to get rid of these annoying accesses.



  • Being that this is a new scourge to me of recent times and that I'm particularly computer illiterate: is it possible to add a button in admin/status section (beside the 'kick' option) to 'add IP address to blacklist' or a combo of 'kick and add to blacklist'?

    Also, is there a master list that I can add to for consideration for the download list?

  • so far I've blocked the pesky ones from the location "Piscataway, New Jersey": 

  • Also, is there a master list that I can add to for consideration for the download list?

    The first post in this thread has a link to the current blacklist retrieved by clicking the "Download" button on the admin page, network tab.

  • Just now I have updated the download blacklist with all the suggestions from this thread and some other sources. So if you are using the downloaded list you might want to click the "Download" button again.

  • Kramcd, yes, those are the same addresses I have been seeing. The "Piscataway NJ" location comes from the application; the addresses themselves are all over the place.

    Has this sort of thing been going on for a long time? What are they trying to do?

  • I'm still not seeing any attacks on the new port number despite being listed in for several days. The attacks still persist on the old port number, however. Instead of using iptables to simply drop incoming packets, I'm sending them to the TCP discard service. Because the attacker's application level timeout is much longer than his TCP retry timer, this cuts down significantly on the actual number of unwanted packets/sec.

    I'm able to do this because my router is a general purpose Linux system. I don't know how you'd do it on a turnkey router.

  • Maybe there could be an option to allow an an automatic update of the IP blacklist when the Kiwi updates or reboots ?

    This would help protect admins who don't maintain their own entries.

This discussion has been closed.