# UniFi Controller's bundled MongoDB. The URL below carries no credentials;
# if you point this at an instance that requires them, they will live in this
# file, so keep its permissions restricted.
[mongodb]
# MongoDB connection string for the UniFi Controller (bundled instance on 27117).
# NOTE(review): that instance is normally reachable only from localhost and
# without authentication — confirm before changing the address.
connection_url = "mongodb://127.0.0.1:27117"
# Internal UniFi database name. You shouldn't need to change this.
database_name = "ace"
[application]
# Logging verbosity: trace, debug, info, warn, error.
log_level = "info"
# UniFi site to update ("default" is the main site).
site_name = "default"
# Keep false. When true, lists may be fetched over plain HTTP / without TLS
# verification, so anyone on the network path could tamper with a feed that
# is then written straight into firewall groups.
allow_insecure_requests = false
# Hard cap on IPs per firewall group to avoid overloading UniFi.
# Strongly advised not to change this.
max_items_in_list = 10_000
# Split lists larger than max_items_in_list into several firewall groups.
split_on_max_items = false
# Test mode: download lists but write nothing to the database. Useful on a
# first run to check the feeds and the exclusions before touching the controller.
dry_run = false
# Ranges stripped from every downloaded list: RFC 1918 private space, loopback,
# link-local and CGNAT (RFC 6598), so a feed can never block your own
# internal or carrier-side addresses.
excluded = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "100.64.0.0/10",
]
# Blocklist feeds. Each [[iplists.sources]] entry is fetched and written as one
# firewall group (split if it exceeds max_items_in_list when split_on_max_items
# is true). Every entry ships disabled; set `enabled = true` to use it.
[iplists]
# FireHOL Level 1: maximum protection with minimum false positives.
# Aggregated IP list providing baseline protection against known threats.
# Source: FireHOL blocklist-ipsets project (https://iplists.firehol.org)
[[iplists.sources]]
name = "Firehol_level1"
url = "https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset"
enabled = false
# FireHOL Webserver: web-specific threat blocklist.
# Tracks IPs hosting malware, bots, and servers with criminal history.
# Designed for web server protection - use on top of firehol_level1/2/3.
# Source: FireHOL blocklist-ipsets project (https://iplists.firehol.org)
[[iplists.sources]]
name = "Firehol_webserver"
url = "https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_webserver.netset"
enabled = false
# Tor Exit Nodes: list of Tor network exit nodes.
# Tor provides anonymity but can be used to bypass geographic restrictions or
# hide identity. Blocking it also blocks legitimate privacy-conscious users.
# Source: The Tor Project (https://www.torproject.org)
[[iplists.sources]]
name = "Tor_Exit_Nodes"
url = "https://check.torproject.org/torbulkexitlist"
enabled = false
# Emerging Threats Compromised IPs: known compromised hosts.
# Maintained by Proofpoint's Emerging Threats team.
# Updated every 12 hours with the latest compromised/infected systems.
# Source: Emerging Threats / Proofpoint (https://rules.emergingthreats.net)
[[iplists.sources]]
name = "EmergingThreats_Compromised"
url = "https://rules.emergingthreats.net/blockrules/compromised-ips.txt"
enabled = false
# Feodo Tracker: botnet C2 server blocklist.
# Tracks Dridex, Emotet, TrickBot, QakBot, and BazarLoader C2 infrastructure.
# Maintained by abuse.ch - focuses on banking trojans and malware.
# Source: abuse.ch Feodo Tracker (https://feodotracker.abuse.ch)
[[iplists.sources]]
name = "Feodo_Tracker"
url = "https://feodotracker.abuse.ch/downloads/ipblocklist.txt"
enabled = false
# Spamhaus DROP: "Don't Route Or Peer" list.
# Hijacked or leased netblocks used for spam/malware distribution and cybercrime.
# Free advisory list of the most dangerous IP ranges on the Internet.
# Only includes confirmed malicious allocations, not legitimate networks.
# Source: The Spamhaus Project (https://www.spamhaus.org/drop/)
[[iplists.sources]]
name = "Spamhaus_DROP"
url = "https://www.spamhaus.org/drop/drop.txt"
enabled = false
# GreenSnow: multi-attack threat intelligence blocklist.
# Monitors port scans, FTP, POP3, IMAP, SMTP, SSH, cPanel attacks, and more.
# Maintained by cybersecurity specialists, comparable to Spamhaus for non-spam attacks.
# Source: GreenSnow (https://greensnow.co)
[[iplists.sources]]
name = "GreenSnow"
url = "https://blocklist.greensnow.co/greensnow.txt"
enabled = false
# Binary Defense Artillery: honeypot-based threat intelligence.
# IPs observed attacking the Artillery honeypot and monitoring platform.
# Source: Binary Defense Systems (https://www.binarydefense.com)
[[iplists.sources]]
name = "BinaryDefense_Artillery"
url = "https://www.binarydefense.com/banlist.txt"
enabled = false
# IPsum Level 5: aggregated threat intelligence with scoring.
# Combines 30+ public blocklists into a single scored feed.
# Level 5 = IPs appearing on 5+ source lists (24h lookback).
# NOTE(review): `name` says "1day" but the URL is the level-5 feed; the name is
# left as is because it is also the firewall group name in UniFi.
# Source: stamparm/ipsum GitHub (https://github.com/stamparm/ipsum)
[[iplists.sources]]
name = "IPsum_1day"
url = "https://raw.githubusercontent.com/stamparm/ipsum/master/levels/5.txt"
enabled = false
# Allowlist candidates: I don't recommend blocking the following three.
# NOTE(review): this file only builds the group; whether it blocks or allows is
# decided by the UniFi firewall rule that references it — confirm in the tool's docs.

# Cloudflare IP Ranges: official Cloudflare IPv4 address space.
# Use for allowlisting Cloudflare CDN traffic or blocklisting CDN-proxied threats.
# Source: Cloudflare (https://www.cloudflare.com)
[[iplists.sources]]
name = "Cloudflare_Servers"
url = "https://www.cloudflare.com/ips-v4"
enabled = false
# Amazon Web Services IP Ranges: official AWS IPv4 address space.
# Use for allowlisting AWS services or blocking AWS-hosted infrastructure.
# Source: Amazon Web Services (https://aws.amazon.com)
[[iplists.sources]]
name = "AWS_Servers"
url = "https://ip-ranges.amazonaws.com/ip-ranges.json"
# The feed is JSON rather than a plain IP list; `handler` presumably selects the
# matching parser — verify against the tool's supported handlers.
handler = "AWS"
enabled = false
# Google Cloud Platform IP Ranges: official GCP IPv4 address space.
# Use for allowlisting Google Cloud services or blocking GCP-hosted infrastructure.
# Source: Google Cloud Platform (https://cloud.google.com)
[[iplists.sources]]
name = "Google_Servers"
url = "https://www.gstatic.com/ipranges/cloud.json"
# JSON feed; `handler` presumably selects the matching parser — verify.
handler = "Google"
enabled = false
# These lists have a high chance of soft-locking your config. Use with caution
# and take a backup first; dry_run = true is a safe way to size them beforehand.

# FireHOL Level 2: more aggressive blocking than Level 1.
# Larger aggregated blocklist with increased coverage but potentially more false positives.
# WARNING: large list size may overwhelm UniFi and cause "Gateway Configuration Failed" errors.
# Source: FireHOL blocklist-ipsets project (https://iplists.firehol.org)
[[iplists.sources]]
name = "Firehol_level2"
url = "https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level2.netset"
enabled = false
# FireHOL Level 3: most aggressive blocking with maximum coverage.
# Very large aggregated blocklist - highest protection but increased risk of false positives.
# WARNING: large list size may overwhelm UniFi and cause "Gateway Configuration Failed" errors.
# Source: FireHOL blocklist-ipsets project (https://iplists.firehol.org)
[[iplists.sources]]
name = "Firehol_level3"
url = "https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level3.netset"
enabled = false
# Blocklist.de: comprehensive attack reporting service.
# Reports IPs attacking via SSH, Mail, FTP, Web, and other services.
# Free voluntary service from fraud/abuse specialists.
# Aggregates real-world attack data from multiple honeypots.
# WARNING: very large list - may overwhelm UniFi and cause "Gateway Configuration Failed" errors.
# Source: Blocklist.de (https://www.blocklist.de)
[[iplists.sources]]
name = "Blocklist-de"
url = "https://www.blocklist.de/downloads/export-ips_all.txt"
enabled = false
# CINS Army CI-Badguys: active threat intelligence from CINS Score.
# IPs with poor Rogue Packet scores or multiple trusted alert triggers.
# Updated hourly from a network of Sentinel devices and InfoSec sources.
# Free community threat intelligence feed operating for 10+ years.
# Focuses on active attackers and scanners across all protocols.
# WARNING: large list - may overwhelm UniFi and cause "Gateway Configuration Failed" errors.
# Source: CINS Score / CINS Army (https://cinsscore.com)
[[iplists.sources]]
name = "CI-Badguys"
url = "https://cinsscore.com/list/ci-badguys.txt"
enabled = false