Using Blocklists to block harmful clients

Small Follow-Up:

Crowdsourced Blocklists

There are two crowdsourcing services around from which you can retrieve a list of hosts that attacks are currently originating from. The blocklists are based on very recent activity, so their contents change frequently and no host is blocked by them permanently.

  • blocklist.de: a German, completely free service. It seems to be near a shutdown from time to time, but even if development activity is very low or non-existent, the infrastructure works and is fully in service. The service provides ~20K hosts at the moment.
  • abuseipdb.com: a more commercially active platform. Free usage is available but very limited: you get a list of the top 10K attack hosts and may download it up to 5 or 10 times a day (premium users get up to the top 500K attack hosts). The limits are very strict; you have to take care not to use them up quickly and be blocked for the rest of the day.

Using the Blocklists to block harmful clients

You can use the lists, ideally at the application level, to block the listed hosts. At the network level this is more difficult, as a firewall with ~25K rules may not perform so well; I'm assuming the same goes for that mass of null-routing entries in your router. At the application level, however, it probably does not hurt much if a few milliseconds are spent on a blocklist lookup at the beginning of a network session.

I tried it out with some Postfix mail servers of mine and with all of the OpenSSH servers. For Postfix I created an additional access table in which every IP address on the list immediately returns "521 REJECT by blocklist BLOCKLISTNAME". For OpenSSH I used the TCP wrapper (/etc/hosts.deny) to completely block the hosts.

For the mail servers it does not seem so effective: for the roughly 6 mail servers in the evaluation I see only ~20 rejections per day. The mass of other clients brute-forcing passwords is not blocked by it. (As I see on the statistics page of blocklist.de, most reports are about SSH attacks, so there may be too few contributors reporting mail server attacks.)

For the SSH servers the reduction is huge: failed logins go down by ~90%.

To keep the blocklists regularly updated, I download them to a central location, merge the lists and distribute the result directly to the mail servers, reloading the services when necessary. The SSH servers regularly download the compressed hosts.deny file themselves from a central web server.
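As an added example (not the author's scripts, which are not reproduced here), a POSIX shell sketch of the merge step described above: it strips comments, keeps only well-formed IPv4 entries, collapses duplicates, removes an allowlist of the operator's own addresses, and emits the "521 REJECT by blocklist ..." Postfix access table and the "sshd:" hosts.deny lines. The input lists and addresses are constructed samples; the written access file still needs postmap before Postfix can use it as a hash: map.

```shell
#!/bin/sh
# Added example, not the author's scripts: merge downloaded blocklists into a
# Postfix access table and a tcp-wrapper hosts.deny fragment.
# Assumed input: plain-text lists, one IPv4 address per line, '#' comments.

# Strip comments, keep only well-formed IPv4 addresses (each octet 0-255) and
# sort -u so duplicates across the merged lists collapse to one entry.
clean_list() {
    sed 's/#.*//' | awk '
        NF == 1 && $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            split($1, o, ".")
            if (o[1] <= 255 && o[2] <= 255 && o[3] <= 255 && o[4] <= 255) print $1
        }' | sort -u
}

# Remove the operator's own addresses ($1, newline separated) so a list entry
# for your own monitoring host or office cannot lock you out of ssh or mail.
drop_allowlisted() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, "\n"); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        !($1 in skip)'
}

# Postfix access(5) table: "<client> 521 REJECT by blocklist <name>".
# Run postmap on the written file before referencing it as hash:/path.
postfix_access() {
    awk -v name="$1" '{ printf "%s 521 REJECT by blocklist %s\n", $1, name }'
}

# tcp-wrapper hosts.deny lines for sshd.
hosts_deny() {
    awk '{ print "sshd: " $1 }'
}

# Constructed sample standing in for the concatenation of two downloaded lists
# (documentation addresses only): a duplicate, a comment, an out-of-range
# octet, garbage, and one of our own hosts that must not be blocked.
SAMPLE='203.0.113.5
# exported from list
198.51.100.77
203.0.113.5
999.1.1.1
not-an-ip
192.0.2.10'
ALLOW='192.0.2.10'

merged() { printf '%s\n' "$SAMPLE" | clean_list | drop_allowlisted "$ALLOW"; }

merged | postfix_access blocklist.de   # two entries; 192.0.2.10 is not among them
merged | hosts_deny
```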

Participate with host reporting

Both services allow you to participate by reporting attackers back to the service. In both cases the normal way to do this is to use fail2ban to report a host when multiple cases of offensive behaviour have been detected. That's next on my list to implement, but I'll take enough care not to report falsely and do harm instead of helping.

Personal Note

I very much like shared services and infrastructure where everybody can contribute to support the system and no one is forced to pay. That's why I'm not that fond of abuseipdb: the free quota is very limited and the prices for the paid plans are too high in my opinion (Premium at 89 USD/month for 500K entries). I would tolerate a low fee to keep the service maintained, but that is too much for my taste. For the strict limits on resource usage, however: two thumbs up! Resources should not be wasted, so I absolutely approve of strict limits as long as full usage is still possible within them.

Nevertheless, I think the combination of both can be quite an improvement to server and network security.

EDIT

Here are the scripts for downloading and processing the lists:
