No Hair: Blackhats banlist

Here are links to blackhats banlists, which are updated regularly from IP addresses presumed to be malicious. A reverse proxy (relayd) running in front of locally hosted web sites blocks IP addresses that have tried to exploit WordPress or PHP, to access files and applications, or to run various shell scripts. In an average day, 30% of hits are valid requests, while 50+% are likely malicious; the remaining 20% are TLS errors or other malformed requests. Those judged malicious are extracted from the logs and used by pf as blocklists. The results are tabulated and presented in two lists:

1. blackhats.bak: the cumulative list of all malicious IP addresses.

2. cumulative_persistent_threats: a cumulative list of IP addresses that have repeatedly attempted exploits on the web server over periods greater than a week.

The IP addresses may be spoofed, but many also appear on other published banlists such as Spamhaus. The lists are sorted with duplicates removed, and can be used with pf or other firewalls. With a bit of editing, they are also useful for unbound-adblock, unwind-adblock, various Pi-hole installations, or conversion into RPZ format.

Download link: blackhats.bak

Download link: cumulative_persistent_threats
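Because the addresses may be spoofed, it is worth checking a downloaded copy before handing it to a firewall. The following is an added example, not part of the original page or its tooling: it drops malformed lines and anything overlapping private ranges or your own allowlist, then merges and sorts the rest. The one-entry-per-line format with optional `#` comments, the `sanitize` function and the sample data are assumptions.

```python
import ipaddress

# Ranges that must never reach a block table (private, loopback, link-local,
# multicast). Pass your own management addresses via `allow`.
PROTECTED = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
             "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
             "::1/128", "fc00::/7", "fe80::/10"]

# Constructed sample input; the file format is assumed, not documented on the page.
SAMPLE = """\
# constructed sample
203.0.113.7
198.51.100.0/24
198.51.100.23
10.0.0.5
203.0.113.7
not-an-ip
192.0.2.10
0.0.0.0/0
2001:db8::1
"""

def sanitize(text, allow=()):
    """Return (entries, rejected). entries: sorted, merged, de-duplicated
    addresses/CIDRs as strings; rejected: (line, reason) pairs for review."""
    guards = [ipaddress.ip_network(n, strict=False) for n in (*PROTECTED, *allow)]
    kept, rejected = {4: [], 6: []}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "not an address"))
            continue
        # A spoofed or over-broad entry (e.g. 0.0.0.0/0) would lock out real users.
        if any(g.version == net.version and g.overlaps(net) for g in guards):
            rejected.append((line, "overlaps protected range"))
            continue
        kept[net.version].append(net)
    entries = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        for net in ipaddress.collapse_addresses(kept[version]):
            entries.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return entries, rejected
```

The cleaned entries can be written one per line and loaded into a pf table, for example with `pfctl -t blackhats -T replace -f <file>`, where the table name `blackhats` is an assumption.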

Hope you find them useful.


Updated daily "-ish".

For free use, no warranties implied.