knock-knock.net
Attacker IP BlocklistsEvery IP that touches this honeypot is, by definition, scanning or attacking servers on the open internet — across SSH, Telnet, FTP, RDP, SMB, SIP, HTTP and SMTP. We publish them as two free, plain-text blocklists you can drop straight into your firewall.
Format: one IPv4 address per line, no comments or headers — the lowest-common-denominator every firewall ingests. Regenerated hourly — fetch up to hourly.
Examples use the 365-day list (swap -year → -month for the conservative one). CSF and
pfSense self-refresh once configured; the CrowdSec / ipset / nftables snippets fetch the list from cron (or a systemd timer), up to hourly.
Add one line to /etc/csf/csf.blocklists (format is NAME|refresh_secs|max_ips(0=all)|URL),
then reload. Set LF_IPSET = "1" in csf.conf so the list lands in ipset, not raw iptables.
# /etc/csf/csf.blocklists
KNOCKKNOCK|3600|0|https://knock-knock.net/static/ip-blocklist-year.txt
csf -ra
Import as decisions from cron; match the duration to your fetch interval.
curl -sf https://knock-knock.net/static/ip-blocklist-year.txt \
| cscli decisions import -i - --format values --duration 25h --reason "knock-knock-honeypot"
The universal recipe — atomic swap, no gap. Safe to run whole from cron: the set is refreshed each time, and the DROP rule is added only if it isn't already there.
URL=https://knock-knock.net/static/ip-blocklist-year.txt
ipset create knockknock hash:ip -exist
ipset create knockknock_tmp hash:ip -exist; ipset flush knockknock_tmp
curl -sf "$URL" | sed 's/^/add knockknock_tmp /' | ipset restore -exist
ipset swap knockknock_tmp knockknock
ipset destroy knockknock_tmp
# add the DROP rule only if it's not already present (so re-running is harmless):
iptables -C INPUT -m set --match-set knockknock src -j DROP 2>/dev/null \
|| iptables -I INPUT -m set --match-set knockknock src -j DROP
Create the table/set/rule once (or keep them in nftables.conf); only the refresh block at the
bottom runs from cron.
nft add table inet filter
nft add set inet filter knockknock '{ type ipv4_addr; flags interval; }'
nft add rule inet filter input ip saddr @knockknock drop
# refresh (hourly): build one bulk element line
IPS=$(curl -sf https://knock-knock.net/static/ip-blocklist-year.txt | paste -sd,)
nft flush set inet filter knockknock
nft add element inet filter knockknock "{ $IPS }"
No shell needed: Firewall → Aliases → add a "URL Table (IPs)" alias pointing at the list URL with a 1-day refresh, then add a WAN/floating rule that blocks traffic from the alias. Done in the GUI.
fail2ban is built for parsing your logs, not importing a static list — it's the wrong tool here. Use the ipset recipe above (fail2ban itself sits on top of iptables/nftables anyway).
Keep in mind, this list captures IP addresses of bad actors in the recent past. Use a finite ban time, and keep an allowlist for anything user-facing.
The lists are generated from the same data behind the live dashboard and rebuilt hourly. Feedback, or using them somewhere interesting? We'd love to hear about it.
View live attack dashboard