velvetrnd/abuse-geodata
GitHub: velvetrnd/abuse-geodata
A defensive threat-intelligence aggregation tool that builds multi-format geo threat data daily from public threat intelligence sources, for direct use by Xray, sing-box and ipset.
Stars: 0 | Forks: 0
# abuse-geodata
**[English](#english) | [Русский](#russian)**
## English
Automated threat intelligence geodata for **Xray**, **sing-box**, and **ipset**.
Built daily from public abuse feeds. Designed for VPN operators, hosting providers, and network administrators to protect infrastructure and reduce abuse complaints.
### Download
All files are published as [GitHub Releases](../../releases/latest).
| File | Format | Use case |
|------|--------|----------|
| `geoip.dat` | Xray/V2Ray | `geoip:category-*` routing rules |
| `geosite.dat` | Xray/V2Ray | `geosite:category-*` routing rules |
| `geoip.db` | MaxMind MMDB | sing-box `geoip` rules |
| `srs/category-*.srs` | sing-box | Per-category rule-sets |
| `srs/category-bundle-strict-*.srs` | sing-box | Aggregated stable categories only |
| `srs/category-bundle-full-*.srs` | sing-box | All categories including noisy |
| `txt/category-*.txt` | Plain text | ipset, hosts file, custom scripts |
### Usage
#### Xray
```
{
  "routing": {
    "rules": [
      {
        "type": "field",
        "ip": [
          "geoip:category-sinkhole",
          "geoip:category-malware-c2",
          "geoip:category-spam",
          "geoip:category-brute-force"
        ],
        "outboundTag": "block"
      },
      {
        "type": "field",
        "domain": [
          "geosite:category-malware-c2",
          "geosite:category-phishing",
          "geosite:category-cryptojacking"
        ],
        "outboundTag": "block"
      }
    ]
  },
  "outbounds": [
    { "tag": "block", "protocol": "blackhole" }
  ]
}
```
Place `geoip.dat` and `geosite.dat` in your Xray assets directory (default: `/usr/local/share/xray/`).
#### sing-box
```
{
  "route": {
    "rule_set": [
      {
        "tag": "malware-c2-ip",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/velvetrnd/abuse-geodata/releases/latest/download/category-malware-c2-ip.srs",
        "update_interval": "24h"
      }
    ],
    "rules": [
      {
        "rule_set": [
          "malware-c2-ip",
          "malware-c2-domain",
          "sinkhole",
          "phishing"
        ],
        "outbound": "block"
      }
    ]
  }
}
```
Every tag referenced under `rules` needs its own entry in `rule_set` (only `malware-c2-ip` is shown above; add one entry per `srs/category-*.srs` file you use, or sing-box will refuse the config), and `block` must exist in `outbounds` as an outbound of type `block`.
#### ipset (Linux)
```
ipset -exist create abuse-block hash:net
curl -fsSL https://github.com/velvetrnd/abuse-geodata/releases/latest/download/category-bundle-strict-ip.txt \
  | grep -Ev '^[[:space:]]*(#|$)' | xargs -I{} ipset -exist add abuse-block {}
iptables -C FORWARD -m set --match-set abuse-block dst -j DROP 2>/dev/null \
  || iptables -I FORWARD -m set --match-set abuse-block dst -j DROP
```
`curl -f` fails on an HTTP error instead of piping an error page into ipset, `-exist` makes the create and add steps safe to re-run on every daily refresh, and the `iptables -C` check avoids inserting a duplicate rule on each run.
### Categories
| Category | Type | Description | Flags |
|----------|------|-------------|-------|
| `category-sinkhole` | IP | Known sinkhole IPs operated by security researchers | – |
| `category-malware-c2` | IP + Domain | Malware C2 servers (botnets, ransomware, trojans) | – |
| `category-phishing` | Domain | Phishing domains | ⚡ volatile |
| `category-spam` | IP | Spamhaus DROP/EDROP – hijacked IP blocks | – |
| `category-tor-exit` | IP | Tor exit nodes | ⚠️ controversial |
| `category-brute-force` | IP | IPs conducting brute-force attacks | ⚡ volatile |
| `category-cryptojacking` | IP + Domain | Cryptomining pools used for unauthorized mining | – |
| `category-dga` | Domain | DGA-generated malware domains | ⚠️ high FP, large |
#### Flag legend
| Flag | Meaning |
|------|---------|
| `high_false_positive` | Legitimate traffic may be blocked. Review before deploying. |
| `high_volatility` | List changes rapidly. IPs may be reassigned to legitimate users. |
| `controversial` | Blocking has valid counter-arguments depending on use case. |
| `large_dataset` | Large number of entries. May affect routing performance. |
#### Bundles
- **`category-bundle-strict-*`** – only categories with no `high_false_positive` or `large_dataset` flags. Safe for most deployments.
- **`category-bundle-full-*`** – all categories. Includes DGA and other noisy sets.
### Sources
| Source | URL |
|--------|-----|
| Feodo Tracker (abuse.ch) | https://feodotracker.abuse.ch |
| URLhaus (abuse.ch) | https://urlhaus.abuse.ch |
| Emerging Threats | https://rules.emergingthreats.net |
| Spamhaus DROP/EDROP | https://www.spamhaus.org/drop/ |
| Tor Project | https://check.torproject.org/torbulkexitlist |
| blocklist.de | https://www.blocklist.de |
| OpenPhish | https://openphish.com |
| brakmic/Sinkholes | https://github.com/brakmic/Sinkholes |
| Bambenek DGA feed | https://bambenekconsulting.com |
### Update schedule
Rebuilt automatically every day at **03:00 UTC** via GitHub Actions.
### Telegram bot
Subscribe to [@abuse_geodata_bot](https://t.me/abuse_geodata_bot) to get notifications about new releases with per-category stats and delta from the previous build.
## Russian
Automatically updated threat intelligence data in **Xray**, **sing-box** and **ipset** formats.
Built daily from public abuse feeds. Intended for VPN operators, hosting providers and network administrators, to protect infrastructure and reduce the number of abuse complaints.
### Download
All files are published as [GitHub Releases](../../releases/latest).
| File | Format | Use |
|------|--------|-----|
| `geoip.dat` | Xray/V2Ray | `geoip:category-*` routing rules |
| `geosite.dat` | Xray/V2Ray | `geosite:category-*` routing rules |
| `geoip.db` | MaxMind MMDB | `geoip` rules in sing-box |
| `srs/category-*.srs` | sing-box | One rule-set per category |
| `srs/category-bundle-strict-*.srs` | sing-box | Aggregate of stable categories only |
| `srs/category-bundle-full-*.srs` | sing-box | Aggregate of all categories, including noisy ones |
| `txt/category-*.txt` | Plain text | ipset, hosts file, custom scripts |
### Usage
#### Xray
```
{
  "routing": {
    "rules": [
      {
        "type": "field",
        "ip": [
          "geoip:category-sinkhole",
          "geoip:category-malware-c2",
          "geoip:category-spam",
          "geoip:category-brute-force"
        ],
        "outboundTag": "block"
      },
      {
        "type": "field",
        "domain": [
          "geosite:category-malware-c2",
          "geosite:category-phishing",
          "geosite:category-cryptojacking"
        ],
        "outboundTag": "block"
      }
    ]
  },
  "outbounds": [
    { "tag": "block", "protocol": "blackhole" }
  ]
}
```
Put `geoip.dat` and `geosite.dat` in the Xray assets directory (default `/usr/local/share/xray/`).
#### sing-box
```
{
  "route": {
    "rule_set": [
      {
        "tag": "malware-c2-ip",
        "type": "remote",
        "format": "binary",
        "url": "https://github.com/velvetrnd/abuse-geodata/releases/latest/download/category-malware-c2-ip.srs",
        "update_interval": "24h"
      }
    ],
    "rules": [
      {
        "rule_set": ["malware-c2-ip", "malware-c2-domain", "sinkhole", "phishing"],
        "outbound": "block"
      }
    ]
  }
}
```
Every tag referenced under `rules` needs its own entry in `rule_set` (only `malware-c2-ip` is shown above; add one entry per `srs/category-*.srs` file you use, or sing-box will refuse the config), and `block` must exist in `outbounds` as an outbound of type `block`.
#### ipset (Linux)
```
ipset -exist create abuse-block hash:net
curl -fsSL https://github.com/velvetrnd/abuse-geodata/releases/latest/download/category-bundle-strict-ip.txt \
  | grep -Ev '^[[:space:]]*(#|$)' | xargs -I{} ipset -exist add abuse-block {}
iptables -C FORWARD -m set --match-set abuse-block dst -j DROP 2>/dev/null \
  || iptables -I FORWARD -m set --match-set abuse-block dst -j DROP
```
`curl -f` fails on an HTTP error instead of piping an error page into ipset, `-exist` makes the create and add steps safe to re-run on every daily refresh, and the `iptables -C` check avoids inserting a duplicate rule on each run.
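The ipset recipe above (shown in both language sections) adds entries one by one into the live set, so a reader of the set mid-refresh sees a partial list, and a bad download can leave it empty. The following script is an added example, not part of the abuse-geodata project: it validates the feed before it reaches the firewall, loads it into a scratch set and swaps it in atomically, refuses to replace the live set with an empty list, and can print the delta between two feed files so that volatile or high-FP categories can be reviewed before deployment. `SET_NAME`, `FEED_URL`, the function names and the sample feed are this example's own; the feed URL defaults to the strict bundle from the releases page.

```shell
#!/bin/sh
# Added example (not part of abuse-geodata): atomic daily refresh of an ipset
# from a category .txt feed. The feed is validated before it reaches the
# firewall, loaded into a scratch set and swapped in, so the live set is
# never half-loaded and a failed download never empties it.
# SET_NAME, FEED_URL and the function names are this example's own choices.
set -eu

SET_NAME="${SET_NAME:-abuse-block}"
FEED_URL="${FEED_URL:-https://github.com/velvetrnd/abuse-geodata/releases/latest/download/category-bundle-strict-ip.txt}"

# Constructed sample feed (not real feed data) used for a self-check.
SAMPLE_FEED='# constructed sample, not real feed data
192.0.2.0/24
198.51.100.7
  203.0.113.0/25   # trailing comment
999.1.1.1
10.0.0.0/33
not-an-ip
'

# Keep only syntactically valid IPv4 addresses or CIDR blocks (octets 0-255,
# prefix 0-32). Comments, blank lines and anything else are dropped: a feed is
# untrusted input to the firewall and should not reach ipset unchecked.
filter_ipv4_entries() {
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
        | awk -F'[./]' '{ for (i = 1; i <= 4; i++) if ($i > 255) next; print }'
}

# Turn validated entries (stdin) into `ipset restore` input for the set named $1.
build_restore_script() {
    printf 'create %s hash:net\n' "$1"
    sed "s/^/add $1 /"
}

# Print entries added (+) and removed (-) between a previously applied list
# and a fresh one, so volatile or high-FP categories can be reviewed first.
feed_delta() {
    old_sorted="$(mktemp)"
    new_sorted="$(mktemp)"
    sort -u "$1" > "$old_sorted"
    sort -u "$2" > "$new_sorted"
    comm -13 "$old_sorted" "$new_sorted" | sed 's/^/+/'
    comm -23 "$old_sorted" "$new_sorted" | sed 's/^/-/'
    rm -f "$old_sorted" "$new_sorted"
}

# Download, validate, load into a scratch set, then swap it in atomically.
# Needs root and the ipset tool; run from cron after the 03:00 UTC rebuild.
refresh_ipset() {
    scratch="${SET_NAME}-new"
    work="$(mktemp)"
    trap 'rm -f "$work"' EXIT
    # curl -f fails on HTTP errors; the entry count below also catches an empty
    # or unparsable download, since a pipeline's status is its last command's.
    curl -fsSL --max-time 60 "$FEED_URL" | filter_ipv4_entries > "$work"
    count="$(wc -l < "$work" | tr -d ' ')"
    if [ "$count" -lt 1 ]; then
        echo "refusing to replace $SET_NAME with an empty list" >&2
        return 1
    fi
    ipset -exist create "$scratch" hash:net
    ipset flush "$scratch"
    build_restore_script "$scratch" < "$work" | ipset -exist restore
    ipset -exist create "$SET_NAME" hash:net
    ipset swap "$scratch" "$SET_NAME"
    ipset destroy "$scratch"
    echo "$SET_NAME now holds $count entries"
}

# Usage: SET_NAME=abuse-block FEED_URL=... sh refresh.sh apply
if [ "${1:-}" = "apply" ]; then
    refresh_ipset
fi
```

Run with `apply` from a daily cron job; without arguments the script only defines the functions, so `filter_ipv4_entries` and `feed_delta` can be sourced and used on their own, for instance to diff yesterday's and today's `txt/category-*.txt` before loading a `high_volatility` category. The swap keeps the `iptables` rule untouched, which is why the rule is created once rather than on every refresh.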
### Categories
| Category | Type | Description | Flags |
|----------|------|-------------|-------|
| `category-sinkhole` | IP | Known sinkhole IPs run by security researchers | – |
| `category-malware-c2` | IP + Domain | Malware C2 servers (botnets, ransomware, trojans) | – |
| `category-phishing` | Domain | Phishing domains | ⚡ volatile |
| `category-spam` | IP | Spamhaus DROP/EDROP – IP blocks hijacked by spammers | – |
| `category-tor-exit` | IP | Tor exit nodes | ⚠️ controversial |
| `category-brute-force` | IP | IP addresses conducting brute-force attacks | ⚡ volatile |
| `category-cryptojacking` | IP + Domain | Mining pools used for unauthorized mining | – |
| `category-dga` | Domain | DGA malware domains | ⚠️ high FP, large |
#### Flag descriptions
| Flag | Meaning |
|------|---------|
| `high_false_positive` | Legitimate traffic may be blocked. Review before deploying. |
| `high_volatility` | The list changes often. IPs may be reassigned to legitimate users. |
| `controversial` | There are strong counter-arguments to blocking, depending on the usage context. |
| `large_dataset` | Large number of entries. May affect routing performance. |
#### Bundles
- **`category-bundle-strict-*`** – only categories without the `high_false_positive` and `large_dataset` flags. Safe for most deployments.
- **`category-bundle-full-*`** – all categories, including DGA and other noisy sets.
### Sources
| Source | URL |
|--------|-----|
| Feodo Tracker (abuse.ch) | https://feodotracker.abuse.ch |
| URLhaus (abuse.ch) | https://urlhaus.abuse.ch |
| Emerging Threats | https://rules.emergingthreats.net |
| Spamhaus DROP/EDROP | https://www.spamhaus.org/drop/ |
| Tor Project | https://check.torproject.org/torbulkexitlist |
| blocklist.de | https://www.blocklist.de |
| OpenPhish | https://openphish.com |
| brakmic/Sinkholes | https://github.com/brakmic/Sinkholes |
| Bambenek DGA feed | https://bambenekconsulting.com |
### Update schedule
Rebuilt automatically every day at **03:00 UTC** via GitHub Actions.
### Telegram bot
Subscribe to [@abuse_geodata_bot](https://t.me/abuse_geodata_bot) to receive notifications about new releases with per-category statistics and the delta from the previous build.
## Contributing
PRs welcome. To add a new source, add an entry to the matching `sources/category-*.yml` or create a new file modelled on the existing ones.
Tags: GeoIP, GeoSite, ipset, bulk IP address processing, IP blocking, MaxMind, MMDB, Object Callbacks, sing-box, V2Ray, VPN, Xray, geolocation data, domain blocking, threat intelligence, threat defense, developer tools, malware, hosting services, cryptojacking, network security, network debugging, phishing, automation, rule sets, routing rules, anti-abuse, privacy protection, blacklist