sshbl.org - (the SSH blacklist)

The blacklist, updated every 15 minutes, contains IP addresses of hosts which tried to bruteforce into any of currently 10 hosts (all running OpenBSD or FreeBSD). The hosts are currently located in Germany, the United States, Australia, Belgium, France, Netherland and setup to report and log those attempts to a central database. Very similar to all the spam blacklists out there.
******************************************
If you are running VMware ESX or any other kind of virtualization that lets you
run virtual (Free|Open)BSD hosts, got some spare ressources, or money, you could
donate, do not hesitate to use the email address below. All that is needed is
approx. 64-128 MB RAM, some swap, 512-1024 MB HDD space and, of cause, an external IP.
Multiple different IPs or small subnets increase the detection rate dramaticaly.

PayPal Donations are also accepted:




******************************************
The newest entries are always added to the top. Currently there are about 5-27 logged attacks every day. An attack is logged as retry if the same IP is logged again either at least 48 hours later from the same host or from any other host that reports those attacks. To not get a too high retry count all hosts that report are within different IP ranges from different providers.

For every logged attack an email is sent out to the contacts listed in the whois information of the attacking host, only a few minutes after the attack started. It is our hope that the responsible administrators use that information to quickly clean and secure the misused machines.

SSH bruteforce IP list
available lists / statistics

Your IP is listed here? You want to remove it from the list? Click here!

News

  • 2010-02-12:
    Due to a bug in the data processing script and OpenBSD's pfctl on one of the most active machines 179 old entries were marked as new. The 179 updates were removed from the database but emails were already sent out. The workaround is now to ignore dates reported from pfctl that are from the future. ;-) Sorry for the inconvenience!

  • 2010-02-10:
    The site is now fully reachable using IPv6 too. The list will remain IPv4 only for now though. If you experience any issues with IPv6 regarding this site, please contact us.

  • 2010-01-20:
    Due to a database error some notification emails were sent out several times. The problem is fixed and will never happen again. We are sorry for the inconvenience.

  • 2010-01-13:
    We now send out automatically generated emails to the WHOIS contacts, reporting logged attacks so that the network/host owners can take action to prevent further abuse. So, if one of those emails brought you here AND you fixed the issue AND want to get the IP removed from the list, click the delisting link above.

  • 2010-01-06:
    There now also is a list which includes only those IPs that got logged during the last 30 days. Keep checking the lists/ directory for other list variants. If you need some special format of the list or would love to see certain statistics, feel free to ask.

  • 2010-01-05:
    The first set of statistics is available. More will follow.

  • 2010-01-02:
    The list is now generated from the new database. It currently still has less entries than the old DB, but contains more accurate information and the information is gathered from more hosts. There now also is an extended list containing the timestamp when every IP was last updated.

  • 2009-10-29:
    There is currently work being done (a complete rewrite of the used scripts) to get more and better data. If the data gathering and list generation is improved there finally will be some real statistics too.


    Contact: support{AT}sshbl{D0T}org

    Supported by:
  • bsdhost - Secure Hosting Solutions
  • RootBSD - The Hosting Specialists
  • your.org - Your Source for Internet and E-Business Solutions