Free Threat Intelligence Feeds: The Self-Hoster’s Guide to Real-Time Protection

22. April 2026


Your server is being probed right now. Not maybe — definitely. Every public-facing IP on the internet gets hit by automated scanners, brute-force bots, and malware C2 callbacks within minutes of going live. The attackers aren’t targeting you specifically — they’re running scripts that sweep the entire IPv4 space on a loop, and your server is just one more address on the list.

The good news? The security community has been cataloguing these bad actors for years, and much of that intelligence is free. There are hundreds of thousands of known-malicious IPs, domains, URLs, and file hashes being shared publicly every day by organizations like abuse.ch, Spamhaus, and government agencies. You can pull those lists and start blocking before an attack even reaches your application layer.

This guide is for self-hosters, homelab operators, and sysadmins who want real protection without a commercial threat intel subscription. You’ll get working scripts, the best free feeds for every use case, and a clear picture of what you’re actually getting — including the limitations.

Prerequisites: A Linux server (Debian/Ubuntu or RHEL/CentOS family), root or sudo access, basic comfort with bash scripting (and Python 3, which every current distro ships, for the OTX SDK and the scripted examples), and optionally a Pi-hole or AdGuard Home instance for DNS blocking.

What Are Threat Intelligence Feeds?

Quick Answer: Threat intel feeds are regularly updated lists of known-bad IPs, domains, URLs, and file hashes you can use to block malicious traffic automatically.

A threat intelligence feed is a continuously updated stream of indicators of compromise — IOCs in the jargon — that tell you something specific is known to be malicious. The data comes from honeypots, malware sandboxes, abuse reports, government monitoring programs, and community submissions. The feed publisher aggregates all of that, strips out the noise as best they can, and publishes it in a machine-readable format so you can automate blocking.

IOCs come in several flavors:

  • IP addresses — Scanners, brute-force bots, malware C2 servers, spam senders
  • Domains — Malware delivery sites, phishing infrastructure, botnet command-and-control domains
  • URLs — Specific malware download paths, phishing pages, exploit kit landing pages
  • File hashes (MD5, SHA1, SHA256) — Fingerprints of known malware samples
  • CVE identifiers — Known exploited vulnerabilities being actively targeted in the wild

Perfect for:

  • Home lab operators who want firewall blocking that actually means something
  • Small businesses running their own mail, web, or VPN servers
  • Sysadmins managing VPS or dedicated servers without a dedicated security team
  • Anyone running Pi-hole or AdGuard Home who wants to add a threat layer on top of ad blocking
  • Teams running Suricata, Snort, or a SIEM who want free ruleset updates

Heads up — honest caveats before you dive in:

  • False positives are real. Some feeds are more aggressive than others. An IP flagged for SSH scanning six months ago might now belong to a legitimate CDN. Always start with conservative threshold settings and tune from there.
  • Feed quality varies enormously. The abuse.ch feeds and HaGeZi lists are well-maintained and well-documented. Some GitHub-hosted lists haven’t been touched in two years. Know your source.
  • Update lag matters. A feed updated every 12 hours isn’t going to catch a zero-day campaign in hour one. Threat intel is defense-in-depth, not a silver bullet.
  • Volume has limits. If you try to load 10 million IPs into iptables rules individually, you’ll crater your server. Use ipset. We’ll cover that.

IP Blocklist Feeds

Quick Answer: IPsum (GitHub, daily), Blocklist.de (every 30 min), and Spamhaus ZEN (DNSBL, real-time) are the three go-to free IP blocklists for self-hosters — pick based on your use case.

IP blocklists are the bluntest instrument in the threat intel toolkit, and also the most immediately useful. Drop a known-bad IP into ipset, and everything from that address gets silently dropped at the kernel level before it even touches your application. No processing, no logging overhead, no wasted connections.

Feed | Update Frequency | Format | License | Approx Size | Best For
--- | --- | --- | --- | --- | ---
IPsum | Daily | Plain text (IP + count) | MIT | ~5k–30k IPs (level 3+) | General firewall blocking
Blocklist.de | Every 30 minutes | Plain text (one IP per line) | Free (non-commercial) | ~30k IPs (all.txt) | SSH/mail/web server protection
Spamhaus ZEN | Every 5 minutes | DNSBL (DNS query) | Free (non-commercial) | N/A (query-based) | Mail server connection checks

IPsum

IPsum is the duct tape of IP blocklists — crude, effective, and absolutely everywhere in self-hosted security setups. Miroslav Stampar pulls from 30+ public blacklists daily, aggregates them, and scores each IP by how many source lists it appears on. The higher the score, the more confident you can be that the IP is genuinely bad.

The main file at https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt contains all IPs with their occurrence counts as tab-separated values. The levels/ subdirectory gives you pre-filtered files — levels/3.txt contains only IPs that appear on 3 or more source lists, which is the sweet spot for low false positives. You can also grab levels/5.txt or higher if you want to be even more conservative.

Blocklist.de

Blocklist.de is a volunteer-run service that aggregates real attack reports from servers worldwide. When a server in their network gets hit by an SSH brute-force, a mail relay attempt, or a web exploit, that IP gets added to the appropriate list within 30 minutes. Unlike IPsum’s daily cadence, Blocklist.de refreshes constantly.

The service offers category-specific lists at https://lists.blocklist.de/lists/:

  • all.txt — everything (~30k IPs)
  • ssh.txt — SSH brute-force attackers
  • mail.txt — mail server attackers (largest list)
  • apache.txt — web server exploit attempts
  • imap.txt — IMAP brute-force
  • bots.txt — malicious bots and IRC bots

If you’re running a mail server, mail.txt alone is worth pulling. If you want everything, use all.txt.

Spamhaus ZEN

Spamhaus ZEN is different from the other two — it’s a DNSBL (DNS-based blackhole list), not a flat file you download. Instead of grabbing a list and loading it into ipset, you query Spamhaus’s DNS zone at connection time. Your MTA reverses the octets of the connecting IP and looks that name up under zen.spamhaus.org (for 1.2.3.4 it queries 4.3.2.1.zen.spamhaus.org). NXDOMAIN means “not listed”; an A record in 127.0.0.0/8 means “listed”, and the last octet tells you which Spamhaus list (SBL, XBL, PBL) the IP is on.

This real-time model means you always get current data without any local storage or update scripts. The catch: Spamhaus’s free tier is for non-commercial use only, and if your query volume exceeds their limits, they’ll start returning errors. For commercial use, you need a Data Query Service subscription. If you’re running a busy mail server for a business, budget for it. Two operational gotchas on top of that: the lookups have to come from your own recursive resolver, not a public one like 8.8.8.8 or 1.1.1.1 (Spamhaus refuses queries from public resolvers and answers with an error code instead of a listing), and your MTA must treat the 127.255.255.x error codes as “not listed”, otherwise a rate-limit error turns into rejecting every inbound connection.
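To make the query mechanics concrete, here is a small checker as an added example (my code, not anything from Spamhaus or the original post). The return-code table is from Spamhaus’s public documentation as I remember it and is labelled as such in the code; verify it against spamhaus.org before wiring it into an MTA. The point it demonstrates is the one that bites people: an error answer must never be treated as a listing.

```python
import ipaddress
import socket

ZONE = "zen.spamhaus.org"

# ZEN return codes, from Spamhaus's public documentation as I remember it;
# check the current list on spamhaus.org before hard-coding them in an MTA.
LISTED = {
    "127.0.0.2": "SBL (verified spam source)",
    "127.0.0.3": "SBL CSS (snowshoe / compromised sender)",
    "127.0.0.4": "XBL (exploited or infected host)",
    "127.0.0.5": "XBL (exploited or infected host)",
    "127.0.0.6": "XBL (exploited or infected host)",
    "127.0.0.7": "XBL (exploited or infected host)",
    "127.0.0.9": "SBL DROP (hijacked or criminal netblock)",
    "127.0.0.10": "PBL (end-user address space, ISP-listed)",
    "127.0.0.11": "PBL (end-user address space, Spamhaus-listed)",
}
ERRORS = {
    "127.255.255.252": "typo in the zone name / non-existent zone",
    "127.255.255.254": "query arrived via a public or open resolver",
    "127.255.255.255": "free-use query limit exceeded",
}


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """Octets reversed, zone appended: 1.2.3.4 -> 4.3.2.1.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)      # rejects garbage and IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answers):
    """Classify the A records returned for a DNSBL name.

    Returns ('listed' | 'clean' | 'error', [reasons]). Any 127.255.255.x
    answer is an operational error, never a listing: an MTA that treats it
    as 'listed' starts rejecting all inbound mail the moment Spamhaus
    rate-limits you.
    """
    if not answers:
        return "clean", []
    errors = [ERRORS[a] for a in answers if a in ERRORS]
    if errors:
        return "error", errors
    return "listed", [LISTED.get(a, f"unknown code {a}") for a in answers]


def check(ip: str):
    """Live lookup through the system resolver (which must be your own
    recursive resolver, not a public one)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(dnsbl_name(ip))
    except socket.gaierror:
        return "clean", []            # NXDOMAIN: not listed
    return interpret(addrs)


if __name__ == "__main__":
    import sys
    for ip in sys.argv[1:]:
        verdict, why = check(ip)
        print(ip, verdict, "; ".join(why))
```

In Postfix the same distinction is made by restricting the codes you reject on, e.g. reject_rbl_client zen.spamhaus.org=127.0.0.[2..11] in smtpd_recipient_restrictions, rather than the bare zone name, which would reject on any answer including the error codes.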

Malware, URL, and Phishing Feeds

Quick Answer: The abuse.ch suite (URLhaus, ThreatFox, Feodo Tracker) plus OpenPhish covers malware URLs, C2 infrastructure, and phishing pages — all free, all well-maintained.

Beyond raw IP blocking, you need feeds that cover the malware delivery chain: the URLs hosting malware droppers, the C2 infrastructure malware phones home to, and the phishing pages harvesting credentials. These feeds are more specialized than IP blocklists and require different integration approaches.

Feed | Update Frequency | Format | Auth Required | IOC Types | Suricata Rules?
--- | --- | --- | --- | --- | ---
URLhaus | Every 5 minutes | CSV, JSON API | Optional (API key for submissions) | Malware download URLs | No
ThreatFox | Real-time | JSON, CSV, MISP | Yes (free API key) | IPs, domains, URLs, hashes | Yes
Feodo Tracker | Every 5 minutes | Plain text, CSV, JSON | No | Botnet C2 IPs | Yes
OpenPhish | Every 12 hours (free) | Plain text | No | Phishing URLs | No

The abuse.ch Suite

The abuse.ch crew maintains several feeds that are basically required reading for anyone serious about threat intel. They’re not separate independent projects — they’re a family of complementary services run by the same Swiss nonprofit, each targeting a different part of the malware ecosystem.

URLhaus focuses on active malware distribution sites. When a URL is confirmed to be serving malware, it goes in. The bulk CSV is available at https://urlhaus.abuse.ch/downloads/csv_online/ (currently active URLs only) and is regenerated every 5 minutes. The API at https://urlhaus-api.abuse.ch/v1/ lets you query individual URLs or pull recent submissions. One thing to check before you script against it: abuse.ch has been moving all of its query APIs behind the same free Auth-Key that ThreatFox uses, so if an unauthenticated API call comes back with an authentication error, get a key at auth.abuse.ch and send it in the Auth-Key header. The bulk CSV download needs no key.

ThreatFox is the broadest of the three — it covers IPs, domains, URLs, and file hashes associated with specific malware families. You need a free API key from auth.abuse.ch, and then you can query recent IOCs via POST requests to https://threatfox-api.abuse.ch/api/v1/ with a JSON payload. ThreatFox also publishes Suricata rules for network-level detection.
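As an added example of consuming that API (my code, not abuse.ch’s or the post’s), the script below pulls the last day of IOCs and keeps only the ip:port botnet C2 entries above a confidence level, in a form an ipset loader can take. The request shape ({"query": "get_iocs", "days": N}, Auth-Key header) and the reply fields (ioc, ioc_type, threat_type, malware, confidence_level) are as I know ThreatFox’s API; the THREATFOX_AUTH_KEY environment variable name and the 75 threshold are my choices, and the sample data is constructed:

```python
import ipaddress
import json
import os
import urllib.request

THREATFOX_API = "https://threatfox-api.abuse.ch/api/v1/"

# Constructed sample in the shape ThreatFox's get_iocs reply uses
# (query_status + data[] with ioc, ioc_type, threat_type, malware, confidence_level).
SAMPLE_IOCS = [
    {"ioc": "1.2.3.4:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.cobalt_strike", "confidence_level": 100},
    {"ioc": "5.6.7.8:8080", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.qakbot", "confidence_level": 50},
    {"ioc": "10.0.0.5:443", "ioc_type": "ip:port", "threat_type": "botnet_cc",
     "malware": "win.emotet", "confidence_level": 100},      # private: never block
    {"ioc": "http://evil.example/x.bin", "ioc_type": "url", "threat_type": "payload_delivery",
     "malware": "win.emotet", "confidence_level": 100},
]


def fetch_recent_iocs(auth_key, days=1):
    """POST {"query": "get_iocs", "days": N}; the key goes in the Auth-Key header."""
    body = json.dumps({"query": "get_iocs", "days": days}).encode()
    req = urllib.request.Request(
        THREATFOX_API, data=body,
        headers={"Auth-Key": auth_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        payload = json.load(resp)
    if payload.get("query_status") != "ok":
        raise RuntimeError(f"ThreatFox: {payload.get('query_status')}")
    return payload["data"]


def c2_ips(iocs, min_confidence=75):
    """Keep ip:port botnet C2 IOCs at or above a confidence level.

    Returns {ip: malware family}. The port is dropped because ipset matches on
    address; non-global addresses are dropped so a bad submission can never
    block your own LAN.
    """
    picked = {}
    for ioc in iocs:
        if ioc.get("ioc_type") != "ip:port" or ioc.get("threat_type") != "botnet_cc":
            continue
        if int(ioc.get("confidence_level") or 0) < min_confidence:
            continue
        ip = ioc["ioc"].rpartition(":")[0]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if addr.is_global:
            picked[str(addr)] = ioc.get("malware", "unknown")
    return picked


if __name__ == "__main__":
    key = os.environ["THREATFOX_AUTH_KEY"]         # assumed env var name
    for ip, family in sorted(c2_ips(fetch_recent_iocs(key, days=1)).items()):
        print(f"{ip}\t{family}")                      # pipe into your ipset loader
```

The confidence filter is the part worth keeping: ThreatFox takes community submissions, and blocking everything at confidence 25 is how you end up dropping a shared hosting IP because one sample once beaconed to it.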

Feodo Tracker is the most focused: it tracks active botnet C2 servers for specific malware families (Dridex, QakBot, BazarLoader, and others). The plain-text IP list at https://feodotracker.abuse.ch/downloads/ipblocklist.txt requires no auth and contains only currently active C2 IPs. The Suricata rulesets at https://feodotracker.abuse.ch/downloads/feodotracker.rules are regenerated every 5 minutes — one of the fastest-updating free rulesets available.

OpenPhish

OpenPhish’s free community feed at https://openphish.com/feed.txt is a plain-text list of active phishing URLs updated every 12 hours. It’s narrowly focused — you won’t use this for firewall blocking, but it’s useful for web proxies, mail filters, and SIEM enrichment. The premium tier updates every 5 minutes with additional metadata (targeted brand, country, industry), but for homelab use the free feed covers the basics.

DNS Blocklist Feeds

Quick Answer: HaGeZi’s tiered DNS blocklists are the best free DNS-level threat protection available — start with Normal/Pro and upgrade tiers as needed based on false positive tolerance.

DNS blocking is arguably the most efficient security control you can run. Block a malicious domain at the resolver level and nothing on your network can reach it — no matter what application, device, or protocol tries. Pi-hole and AdGuard Home make this dead simple, and HaGeZi’s DNS blocklists are the gold standard for free, well-maintained, actively curated DNS threat feeds.

HaGeZi publishes a tiered system where each level adds more blocked domains with a corresponding increase in false positive risk. The lists are updated daily and published in multiple formats (Adblock, Pi-hole, hosts, dnsmasq, Unbound, and more).

Tier | Blocked Domains (approx) | False Positive Risk | Best For
--- | --- | --- | ---
Light | ~100k | Very low | Shared networks, production servers, cautious users
Normal | ~700k | Low | Most home/homelab setups — the sensible default
Pro | ~1.2M | Low-medium | Homelabs wanting broader coverage, recommended by HaGeZi
Pro++ | ~1.7M | Medium | Security-focused setups willing to tune exceptions
Ultimate | ~2.5M+ | Medium-high | Aggressive blocking; expect to maintain a whitelist
TIF (Threat Intelligence Feeds) | ~5M+ | Low (security-focused) | Specifically malware, phishing, and C2 domains — stack with any tier

The Pi-hole and AdGuard Home import URLs for each tier (adblock format):

  • Light: https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/light.txt
  • Normal: https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/multi.txt
  • Pro: https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.txt
  • Pro++: https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/pro.plus.txt
  • Ultimate: https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/ultimate.txt
  • TIF: https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/tif.txt

The TIF list deserves special attention. It’s not a general ad/tracker blocker — it’s specifically focused on threat intelligence: malware domains, phishing infrastructure, botnet C2 domains, and active exploit hosts. You can run TIF alongside any other HaGeZi tier and it won’t conflict. If you’re only adding one security-focused DNS list, make it TIF.

AdGuard Home users can add all of the same URLs through Settings > Filters > DNS blocklists. The adblock format works natively in both Pi-hole v5+ and AdGuard Home.

OSINT and Community Feeds

Quick Answer: AlienVault OTX (19M+ indicators/day, free API), GreyNoise Community (noise classification, 50 lookups/week free), and Shadowserver (daily scans, org application required) round out the free community intelligence landscape.

Beyond the purpose-built blocklists, a layer of OSINT and community intelligence helps you understand what you’re dealing with — context that raw IP lists don’t provide.

AlienVault OTX

AlienVault OTX (now operated by LevelBlue) is one of the largest open threat intelligence communities in existence, with over 19 million threat indicators generated daily by researchers worldwide. Free registration gets you an API key and access to the full indicator database.

OTX organizes intelligence into “pulses” — curated collections of related IOCs around a specific threat campaign or malware family. You can subscribe to pulses from specific researchers, pull indicators by tag or malware family, or query the reputation of specific IPs, domains, and file hashes against the entire OTX corpus.

The API base URL is https://otx.alienvault.com/api/v1/ with authentication via the X-OTX-API-Key header. The OTXv2 Python SDK (pip install OTXv2) makes bulk operations much cleaner than raw curl — you’ll see both approaches in the scripts section.

GreyNoise Community

GreyNoise works differently from every other feed here. Rather than cataloguing “known-bad” IPs, GreyNoise catalogues “background noise” — all the automated scanning and opportunistic probing that hits the entire internet constantly. Their sensor network observes this traffic and classifies IPs as noise (mass scanners, benign researchers), malicious (targeted attack tools), or unknown.

The Community API at https://api.greynoise.io/v3/community/{ip} is free with no authentication required (up to about 10 lookups/day unauthenticated, or 50 searches/week with a free account). It tells you whether an IP is “noise” (background scanning that’s hitting everyone, not just you) versus “malicious” (targeted activity). This context is gold for alert triage — if your SIEM is firing on an IP that GreyNoise classifies as mass-scanning noise, that’s a different response priority than a targeted attack IP.

Shadowserver

Shadowserver scans the entire public IPv4 space 42 times per day across hundreds of ports and services. They’re the world’s largest provider of free daily network threat intelligence — sending custom remediation reports to over 9,000 vetted subscribers across 173 countries.

The catch: Shadowserver is not self-serve. You have to apply for access and demonstrate you’re a legitimate network defender organization — a CSIRT, ISP, government body, or similar. If you qualify (and many self-hosted business operators do), the daily CSV feeds covering vulnerable systems, malware infections, and active exploit activity on your IP ranges are genuinely exceptional. If you’re just running a personal homelab, you probably won’t qualify — look at the other feeds.

Government and Enterprise Feeds

Quick Answer: CISA AIS is free STIX 2.1/TAXII 2.1 threat intel from the US government, but requires a formal participation agreement and PKI certificate — it’s serious infrastructure, not a weekend project.

Government threat intelligence feeds exist and some of them are genuinely excellent. The main one worth knowing about is CISA AIS.

CISA Automated Indicator Sharing (AIS)

CISA AIS is the US Cybersecurity and Infrastructure Security Agency’s real-time indicator sharing program. It publishes IOCs in STIX 2.1 format over a TAXII 2.1 server — the two dominant open standards for structured threat intelligence exchange.

Quick translation: STIX (Structured Threat Information Expression) is a JSON-based data format that describes threat actors, campaigns, malware, attack patterns, and indicators in a standardized schema. TAXII (Trusted Automated Exchange of Intelligence Information) is the transport protocol — think of it as the API layer for requesting and receiving STIX bundles. Together they’re the plumbing of enterprise threat intelligence. They sound like members of a 70s prog rock band, but they’re actually the reason different threat intel platforms can talk to each other.

To participate in AIS, you need to:

  • Contact CISA and agree to their Terms of Use (non-federal) or MISA (federal)
  • Acquire a STIX/TAXII-capable client (several open source options exist)
  • Get a PKI certificate from a Federal Bridge Certificate Authority
  • Sign an Interconnection Agreement and provide your IP to CISA

This is real paperwork and real infrastructure overhead. For a Fortune 500 company or government agency, it’s absolutely worth it. For a homelab operator or small business — honestly? It’s overkill. Your time is better spent getting IPsum and HaGeZi TIF running properly. Mention it to your boss if you’re a sysadmin at a mid-size company that might actually qualify.

Feed Aggregators and Directories

Quick Answer: MISP is the open-source platform for aggregating and sharing threat intel; threatfeeds.io and Bert-JanP’s GitHub list are the best directories for discovering new feeds.

Once you’re pulling more than a couple of feeds, you’ll want infrastructure to manage them. And before you can manage them, you need to find them.

MISP

MISP (Malware Information Sharing Platform) is the open-source backbone of professional threat intelligence operations. It’s a full platform for ingesting, enriching, correlating, and sharing IOCs across organizations. MISP connects to dozens of feed sources automatically, normalizes data to a common format, and lets you push indicators directly to firewalls, SIEMs, and endpoint tools via its API.

It’s Docker-deployable and genuinely powerful — but it’s also a significant operational commitment. If you’re at the point where you need to manage multiple feeds, correlate indicators, and share intel with other orgs, MISP is the right tool. If you just want to block bad IPs on a VPS, it’s like buying a commercial dishwasher for a studio apartment.

Feed Directories

  • threatfeeds.io — A searchable directory of public threat intelligence feeds. Filter by type (IP, domain, URL, hash), format, and update frequency. Good starting point when you’re looking for a feed that covers a specific use case.
  • threat-intel.xyz — Community-maintained list of free threat intel sources with direct links and format documentation.
  • github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds — The most comprehensive curated list available, with 145+ feeds organized by IOC type (IP, DNS, URL, MD5, SHA256, CVE, and more). Includes KQL hunting queries for Microsoft Sentinel integration. Actively maintained and arguably the best single reference for discovering free feeds.

Consuming Feeds with iptables and ipset

Quick Answer: Use ipset with atomic set swapping to load threat intel IP lists into your firewall — it’s kernel-fast and updates without any connection interruption.

Raw iptables rules don’t scale to tens of thousands of IPs. Adding 30,000 individual DROP rules means every packet gets checked against 30,000 entries sequentially — that’ll impact performance on anything but the beefiest hardware. ipset solves this by storing IPs in a kernel-level hash table. Lookup is O(1) regardless of list size. You can comfortably block 500,000+ IPs with minimal overhead.

The atomic swap pattern is the key technique. Instead of modifying a live ipset in place (which creates a window where either old or partial-new rules are active), you build the new set under a temporary name, then swap it with the active set in a single atomic kernel operation. Zero downtime, zero gaps. Here’s how it works in practice:

Script 1: IPsum ipset atomic swap block script
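The post’s original Script 1 isn’t reproduced above, so here is my own version of that flow as an added example (not the author’s code). It assumes the ipsum.txt format described earlier, an optional allowlist at /etc/ipsum-allowlist.txt (my choice of path), and ipset and iptables on PATH. The parsing and batch-building functions run unprivileged; only main() needs root.

```python
#!/usr/bin/env python3
"""Pull IPsum, keep IPs seen on >= MIN_LEVEL source lists, load them into an
ipset with an atomic swap. Run as root (cron is fine)."""
import ipaddress
import subprocess
import sys
import urllib.request

IPSUM_URL = "https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt"
SET_NAME = "ipsum_blocklist"
ALLOWLIST = "/etc/ipsum-allowlist.txt"   # assumed path: one IP per line, '#' comments
MIN_LEVEL = 3
MIN_EXPECTED = 1000      # a truncated download must not replace a good set
MAXELEM = 1000000

# Constructed sample in ipsum.txt's format: '<ip>\t<number of lists>'.
SAMPLE_IPSUM = "# ipsum\n1.2.3.4\t7\n5.6.7.8\t3\n9.10.11.12\t1\n10.0.0.5\t6\n300.1.1.1\t5\ngarbage\n"


def parse_ipsum(text, min_level=MIN_LEVEL, allowlist=()):
    """Return the set of IPs with count >= min_level, minus the allowlist.
    Non-global addresses (RFC 1918, loopback, CGNAT, TEST-NET) are dropped so
    a bad upstream entry can never black-hole your own LAN."""
    allow = set(allowlist)
    keep = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or line.startswith("#") or not parts[1].isdigit():
            continue
        if int(parts[1]) < min_level or parts[0] in allow:
            continue
        try:
            addr = ipaddress.IPv4Address(parts[0])
        except ValueError:
            continue
        if addr.is_global:
            keep.add(str(addr))
    return keep


def ipset_batch(ips, name=SET_NAME, maxelem=MAXELEM):
    """`ipset restore` batch: fill <name>_tmp, swap it with <name>, drop tmp.
    `swap` is a single kernel operation, so the live set is never empty or
    half-filled. Both sets need identical create parameters or swap fails,
    and `-exist` only tolerates an existing set whose parameters match."""
    tmp = name + "_tmp"
    params = f"hash:net family inet maxelem {maxelem}"
    lines = [f"create {name} {params}", f"create {tmp} {params}", f"flush {tmp}"]
    lines += [f"add {tmp} {ip}" for ip in sorted(ips, key=ipaddress.IPv4Address)]
    lines += [f"swap {tmp} {name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


def ensure_rule(name=SET_NAME):
    """Insert the DROP rule once; `-C` reports whether it already exists."""
    rule = ["INPUT", "-m", "set", "--match-set", name, "src", "-j", "DROP"]
    if subprocess.run(["iptables", "-C", *rule], capture_output=True).returncode != 0:
        subprocess.run(["iptables", "-I", *rule], check=True)


def read_allowlist(path=ALLOWLIST):
    try:
        with open(path) as f:
            return [l.split("#")[0].strip() for l in f if l.split("#")[0].strip()]
    except FileNotFoundError:
        return []


def main():
    with urllib.request.urlopen(IPSUM_URL, timeout=60) as resp:
        text = resp.read().decode("utf-8", "replace")
    ips = parse_ipsum(text, allowlist=read_allowlist())
    if len(ips) < MIN_EXPECTED:
        sys.exit(f"only {len(ips)} IPs parsed, keeping the current set")
    subprocess.run(["ipset", "-exist", "restore"], input=ipset_batch(ips).encode(), check=True)
    ensure_rule()
    print(f"{SET_NAME}: {len(ips)} entries loaded")


if __name__ == "__main__":
    main()
```

Drop it in /usr/local/sbin/ipsum-block.py, make it executable, and add a line like 0 4 * * * /usr/local/sbin/ipsum-block.py to root’s crontab for the daily run. The MIN_EXPECTED guard is the check worth keeping: a 502 from GitHub or a truncated download yields a near-empty list, and without the guard you would swap in an empty set and silently lose all protection until the next run. hash:net rather than hash:ip is deliberate too, so the same set can later take CIDR entries from feeds like Spamhaus DROP.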

Script 2: ipset persistence via systemd (survive reboots)

ipset rules live in kernel memory and don’t survive reboots by default. Save them to disk and restore on boot with a systemd service:
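As an added example (my code, not the post’s Script 2), here is a script that does the save and writes the unit. The paths /etc/ipset.conf and /etc/systemd/system/ipset-restore.service are my choices; netfilter-persistent.service (Debian/Ubuntu) and iptables.service (RHEL’s iptables-services) are the usual rule-persistence units on those families, and ordering this unit before them is the whole point.

```python
#!/usr/bin/env python3
"""Save every ipset to /etc/ipset.conf and install a systemd unit that restores
them before the firewall rules that reference them. Run as root."""
import os
import subprocess

IPSET_CONF = "/etc/ipset.conf"
UNIT_NAME = "ipset-restore.service"
UNIT_DIR = "/etc/systemd/system"

# Constructed sample of `ipset save` output (two sets, one entry).
SAMPLE_SAVE = (
    "create ipsum_blocklist hash:net family inet hashsize 1024 maxelem 1000000\n"
    "add ipsum_blocklist 1.2.3.4\n"
    "create feodo_c2 hash:ip family inet hashsize 1024 maxelem 65536\n"
)


def unit_text(conf=IPSET_CONF):
    """The ordering is what matters: iptables-restore fails with
    'Set X doesn't exist' if rules come up before the sets, so this unit runs
    before network-pre.target and before the rule-persistence units on
    Debian/Ubuntu (netfilter-persistent) and RHEL (iptables.service)."""
    return (
        "[Unit]\n"
        "Description=Restore ipset blocklists before the firewall rules\n"
        "DefaultDependencies=no\n"
        "Before=network-pre.target netfilter-persistent.service iptables.service\n"
        "Wants=network-pre.target\n"
        "\n"
        "[Service]\n"
        "Type=oneshot\n"
        "RemainAfterExit=yes\n"
        f"ExecStart=/bin/sh -c '/usr/sbin/ipset -exist restore < {conf}'\n"
        "\n"
        "[Install]\n"
        "WantedBy=multi-user.target\n"
    )


def count_sets(save_output):
    """Number of `create` lines, i.e. sets that will be recreated at boot."""
    return sum(1 for l in save_output.splitlines() if l.startswith("create "))


def save_sets(conf=IPSET_CONF):
    out = subprocess.run(["ipset", "save"], capture_output=True, text=True, check=True).stdout
    tmp = conf + ".tmp"
    with open(tmp, "w") as f:
        f.write(out)
    os.chmod(tmp, 0o600)
    os.replace(tmp, conf)        # atomic rename: boot never sees a half-written file
    return count_sets(out)


def install_unit(unit_dir=UNIT_DIR, conf=IPSET_CONF):
    with open(os.path.join(unit_dir, UNIT_NAME), "w") as f:
        f.write(unit_text(conf))
    subprocess.run(["systemctl", "daemon-reload"], check=True)
    subprocess.run(["systemctl", "enable", UNIT_NAME], check=True)


if __name__ == "__main__":
    n = save_sets()
    install_unit()
    print(f"saved {n} sets to {IPSET_CONF}; {UNIT_NAME} enabled")
```

The saved file is only as current as the last ipset save, so call save_sets() at the end of every feed update job rather than once at install time. The rules that reference the sets still need their own persistence (iptables-persistent on Debian, iptables-services on RHEL); this unit only guarantees the sets exist before those rules are loaded.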

Script 3: Crontab entry for daily automation

Feodo Tracker C2 Blocking

Quick Answer: Feodo Tracker’s C2 IP list targets active botnet infrastructure specifically — run it as a separate ipset alongside your general blocklist for targeted malware C2 blocking.

Feodo Tracker is worth running as its own separate ipset rather than merging it into your general IPsum list. The distinction matters: IPsum casts a wide net, while Feodo Tracker is surgical — every IP in that list is a currently active command-and-control server for specific named malware families. If any host on your network connects to one of those IPs, that’s a high-confidence malware infection alert, not a false positive.

Script 4: Feodo Tracker C2 ipset block script

Note the OUTPUT chain rule — that’s intentional. Blocking outbound connections to Feodo C2 IPs means that even if this host gets infected, it can’t phone home to receive instructions. One caveat if you run the script on a gateway or router: traffic from the other hosts on your network is routed through the FORWARD chain, not OUTPUT, so add the same --match-set … dst rule there as well or the LAN clients you most want to protect won’t be covered. And log before you drop: an outbound hit is a high-confidence infection signal, and the kernel log line tells you which internal host made the attempt.
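The post’s Script 4 isn’t reproduced above; the script below is my own added example of that setup, not the author’s code. It loads the Feodo list into its own set, installs INPUT, OUTPUT and FORWARD rules with a rate-limited LOG in front of each outbound DROP, and includes a parser that turns the resulting kernel log lines into a list of probably-infected internal hosts. The FEODO_C2 log prefix and the 10/min limit are my choices, and the sample log lines are constructed in the format iptables’ LOG target produces.

```python
#!/usr/bin/env python3
"""Feodo Tracker C2 list -> its own ipset, dropped inbound and outbound, with
outbound hits logged so an infected host shows up in the kernel log."""
import ipaddress
import re
import subprocess
import urllib.request

FEODO_URL = "https://feodotracker.abuse.ch/downloads/ipblocklist.txt"
SET_NAME = "feodo_c2"
LOG_PREFIX = "FEODO_C2 "

# Constructed kernel log lines in the format iptables' LOG target produces.
SAMPLE_LOG = [
    "Apr 22 10:15:01 gw kernel: FEODO_C2 IN= OUT=eth0 SRC=192.168.1.50 DST=1.2.3.4 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Apr 22 10:15:03 gw kernel: FEODO_C2 IN=br0 OUT=eth0 SRC=192.168.1.77 DST=5.6.7.8 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Apr 22 10:15:04 gw kernel: UFW BLOCK IN=eth0 OUT= SRC=9.10.11.12 DST=192.168.1.1 PROTO=TCP SPT=4444 DPT=22",
]


def parse_feodo(text):
    """One IP per line, '#' comments (inline too); keep global IPv4 only."""
    ips = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            addr = ipaddress.IPv4Address(token)
        except ValueError:
            continue
        if addr.is_global:
            ips.add(str(addr))
    return ips


def load_set(ips, name=SET_NAME):
    """Fill a tmp set and swap it in, so the live set is never empty."""
    tmp = name + "_tmp"
    batch = [f"create {name} hash:ip family inet maxelem 65536",
             f"create {tmp} hash:ip family inet maxelem 65536", f"flush {tmp}"]
    batch += [f"add {tmp} {ip}" for ip in sorted(ips, key=ipaddress.IPv4Address)]
    batch += [f"swap {tmp} {name}", f"destroy {tmp}", ""]
    subprocess.run(["ipset", "-exist", "restore"], input="\n".join(batch).encode(), check=True)


def ensure_rules(name=SET_NAME):
    """INPUT drops inbound from C2 IPs. OUTPUT covers this host's own traffic;
    FORWARD covers traffic routed through this box (on a gateway, LAN clients'
    traffic never touches OUTPUT). Both log before dropping."""
    match = ["-m", "set", "--match-set", name]
    log = ["-m", "limit", "--limit", "10/min", "-j", "LOG",
           "--log-prefix", LOG_PREFIX, "--log-level", "warning"]
    rules = [["INPUT", *match, "src", "-j", "DROP"]]
    for chain in ("OUTPUT", "FORWARD"):
        rules += [[chain, *match, "dst", *log], [chain, *match, "dst", "-j", "DROP"]]
    # -I prepends, so insert each chain's DROP before its LOG to end up LOG-then-DROP.
    for rule in reversed(rules):
        if subprocess.run(["iptables", "-C", *rule], capture_output=True).returncode != 0:
            subprocess.run(["iptables", "-I", *rule], check=True)


HIT_RE = re.compile(r"SRC=(\S+) DST=(\S+) .*?PROTO=(\S+)(?: SPT=\d+ DPT=(\d+))?")


def parse_hits(log_lines, prefix=LOG_PREFIX):
    """(src, dst, proto, dport) for every line carrying our prefix; src is the
    host on your side that tried to reach a C2 server."""
    hits = []
    for line in log_lines:
        if prefix.strip() not in line:
            continue
        m = HIT_RE.search(line)
        if m:
            hits.append(m.groups())
    return hits


def infected_hosts(hits):
    return sorted({src for src, _, _, _ in hits})


if __name__ == "__main__":
    with urllib.request.urlopen(FEODO_URL, timeout=60) as resp:
        ips = parse_feodo(resp.read().decode("utf-8", "replace"))
    load_set(ips)
    ensure_rules()
    print(f"{SET_NAME}: {len(ips)} C2 addresses; hits appear in `journalctl -k | grep FEODO_C2`")
```

Feed journalctl -k output (or /var/log/kern.log) into parse_hits and infected_hosts to get the list of internal machines that need a look. Because the LOG rule is rate-limited, a chatty infected host will not fill your disk, but you will still see its first attempts.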

DNS Blocking with Pi-hole and AdGuard Home

Quick Answer: Pi-hole CLI lets you add blocklist URLs and trigger gravity rebuilds from bash scripts; AdGuard Home uses a web UI that takes 60 seconds to configure with any HaGeZi URL.

DNS blocking is where the homelab crowd really shines. If you’ve already got Pi-hole or AdGuard Home running, you’re two commands away from blocking millions of malware and phishing domains.

Script 5: Pi-hole CLI feed import and gravity update
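The post’s Script 5 isn’t reproduced above, so here is my own added example (not the author’s code) of scripting the same thing against Pi-hole’s gravity.db. It assumes the gravity.db layout that Pi-hole v5 and v6 share, with an adlist table whose address column is UNIQUE and whose remaining columns have defaults, at /etc/pihole/gravity.db; the demo_connection() helper builds a constructed in-memory stand-in with only the columns the script touches. The list sanity check before registering a URL is the part a practitioner wants: a moved or 404’d list URL otherwise gets registered as an adlist with zero domains and nobody notices.

```python
#!/usr/bin/env python3
"""Register HaGeZi lists in Pi-hole's gravity.db and rebuild gravity."""
import sqlite3
import subprocess
import urllib.request

GRAVITY_DB = "/etc/pihole/gravity.db"
HAGEZI = "https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/adblock/"
FEEDS = {
    HAGEZI + "tif.txt": "HaGeZi TIF (malware, phishing, C2)",
    HAGEZI + "pro.txt": "HaGeZi Pro (ads, trackers, threats)",
}


def looks_like_adblock_list(text, min_rules=1000):
    """Sanity check before registering a URL. A real HaGeZi list is tens of
    thousands of '||domain^' lines; a 404 page or a moved list yields ~0."""
    rules = sum(1 for l in text.splitlines()
                if l.startswith("||") and l.rstrip().endswith("^"))
    return rules >= min_rules


def register(con, feeds):
    """INSERT OR IGNORE against the UNIQUE address column, so re-running the
    script never duplicates a list. Returns how many rows were actually added."""
    with con:
        before = con.execute("SELECT count(*) FROM adlist").fetchone()[0]
        con.executemany(
            "INSERT OR IGNORE INTO adlist (address, enabled, comment) VALUES (?, 1, ?)",
            list(feeds.items()))
        after = con.execute("SELECT count(*) FROM adlist").fetchone()[0]
    return after - before


def demo_connection():
    """In-memory stand-in for gravity.db with the adlist columns this script
    touches (constructed; the real table has more columns with defaults)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE adlist (id INTEGER PRIMARY KEY AUTOINCREMENT, "
                "address TEXT UNIQUE NOT NULL, enabled BOOLEAN NOT NULL DEFAULT 1, comment TEXT)")
    return con


def main():
    good = {}
    for url, comment in FEEDS.items():
        with urllib.request.urlopen(url, timeout=60) as resp:
            text = resp.read().decode("utf-8", "replace")
        if looks_like_adblock_list(text):
            good[url] = comment
        else:
            print(f"skipping {url}: does not look like an adblock list")
    con = sqlite3.connect(GRAVITY_DB)
    added = register(con, good)
    con.close()
    print(f"{added} new adlist rows")
    if added:
        subprocess.run(["pihole", "-g"], check=True)   # rebuild gravity from all enabled lists


if __name__ == "__main__":
    main()
```

Run it as root (gravity.db is owned by the pihole user) and then check the list count in the web UI under Adlists; pihole -g rebuilds gravity from every enabled list, so it is a no-op for lists you already had.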

Adding feeds in AdGuard Home (no script needed):

  1. Open AdGuard Home at http://YOUR-ADGUARD-IP:3000
  2. Navigate to Filters > DNS blocklists
  3. Click Add blocklist > Add a custom list
  4. Give it a name (e.g., “HaGeZi TIF”) and paste the URL from the tier table above
  5. Click Save — AdGuard Home downloads and applies the list immediately
  6. Repeat for any additional tiers

AdGuard Home shows blocked query counts per list in real time, which makes it easy to see how much each feed is actually doing. The TIF list in particular tends to rack up a surprising number of blocks if you’ve got IoT devices or game consoles on the network pinging home.

Querying AlienVault OTX API

Quick Answer: OTX’s API at otx.alienvault.com/api/v1/ gives you per-IP reputation lookups via curl and bulk pulse/indicator pulls via the OTXv2 Python SDK — both free with a registered API key.

OTX is most useful when you need context, not just block/allow decisions. Before you decide how to respond to an IP in your logs, you can check whether that IP is associated with known threat campaigns, what malware families have been seen using it, and how recently it was observed doing bad things.

Script 6: OTX API curl single-IP reputation check

Script 7: OTX SDK bulk pulse pull and IPv4 extraction
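Scripts 6 and 7 aren’t reproduced above. The script below is my own added example covering both jobs (not the author’s OTXv2-based code) using only the standard library, so it runs anywhere Python 3 does. The endpoint paths (/indicators/IPv4/{ip}/general and /pulses/subscribed with modified_since, which is what the SDK’s getsince wraps) and the reply fields are OTX’s public API v1 as I know it; the OTX_API_KEY environment variable name is my choice, and the sample replies are constructed.

```python
#!/usr/bin/env python3
"""OTX with only the standard library: a single-IP reputation check and a
7-day pull of IPv4 indicators from subscribed pulses."""
import datetime as dt
import ipaddress
import json
import os
import urllib.parse
import urllib.request

OTX_BASE = "https://otx.alienvault.com/api/v1"

# Constructed samples in the shape of the two API replies used below.
SAMPLE_GENERAL = {
    "indicator": "1.2.3.4",
    "pulse_info": {"count": 2, "pulses": [
        {"name": "SSH brute force wave", "modified": "2026-04-20T08:00:00",
         "tags": ["ssh", "bruteforce"]},
        {"name": "Loader C2 servers", "modified": "2026-04-21T09:30:00", "tags": ["c2"]},
    ]},
}
SAMPLE_PULSES = [{"name": "Loader C2 servers", "indicators": [
    {"indicator": "1.2.3.4", "type": "IPv4", "is_active": 1},
    {"indicator": "10.0.0.9", "type": "IPv4", "is_active": 1},      # private
    {"indicator": "evil.example", "type": "domain", "is_active": 1},
    {"indicator": "5.6.7.8", "type": "IPv4", "is_active": 0},       # withdrawn
]}]


def otx_get(url, api_key, params=None):
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, headers={"X-OTX-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def summarize_general(general):
    """Reduce /indicators/IPv4/<ip>/general to what triage needs."""
    info = general.get("pulse_info") or {}
    pulses = info.get("pulses") or []
    return {
        "ip": general.get("indicator"),
        "pulse_count": info.get("count", len(pulses)),
        "newest_pulse": max((p.get("modified", "") for p in pulses), default=""),
        "tags": sorted({t for p in pulses for t in p.get("tags", [])}),
    }


def ip_reputation(ip, api_key):
    ipaddress.IPv4Address(ip)            # fail fast on a bad indicator
    return summarize_general(otx_get(f"{OTX_BASE}/indicators/IPv4/{ip}/general", api_key))


def extract_ipv4(pulses):
    """Flatten pulse indicators to a set of global IPv4 addresses, skipping
    withdrawn indicators (is_active == 0) and private/reserved space."""
    ips = set()
    for pulse in pulses:
        for ind in pulse.get("indicators", []):
            if ind.get("type") != "IPv4" or not ind.get("is_active", 1):
                continue
            try:
                addr = ipaddress.IPv4Address(ind.get("indicator", ""))
            except ValueError:
                continue
            if addr.is_global:
                ips.add(str(addr))
    return ips


def recent_ipv4(api_key, days=7):
    """Page through /pulses/subscribed?modified_since=... (the endpoint the
    OTXv2 SDK's getsince() wraps) and collect IPv4 indicators."""
    since = (dt.datetime.now(dt.timezone.utc) - dt.timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%S")
    page = otx_get(f"{OTX_BASE}/pulses/subscribed", api_key, {"modified_since": since, "limit": 50})
    ips = set()
    while True:
        ips |= extract_ipv4(page.get("results", []))
        if not page.get("next"):
            return ips
        page = otx_get(page["next"], api_key)


if __name__ == "__main__":
    import sys
    key = os.environ["OTX_API_KEY"]
    if len(sys.argv) > 1:
        print(json.dumps(ip_reputation(sys.argv[1], key), indent=2))
    else:
        print("\n".join(sorted(recent_ipv4(key), key=ipaddress.IPv4Address)))
```

With an IP argument it prints the triage summary; without one it prints the last week’s IPv4 indicators from the pulses you subscribe to, ready to feed an ipset loader. The newest_pulse date is the field to look at first: an IP whose last pulse is two years old is a very different proposition from one tagged c2 last night.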

SIEM and IDS/IPS Integration

Quick Answer: Feed Feodo Tracker and ThreatFox Suricata rules into Suricata with a single script; use python-stix2 and taxii2-client for STIX/TAXII feeds; Elastic and Splunk have native abuse.ch integrations.

If you’re running an IDS/IPS like Suricata or Snort, threat intelligence feeds become even more powerful — instead of just blocking known-bad IPs, you’re detecting malicious patterns in traffic content, catching C2 callbacks by network signature, and alerting on exploit attempts in real time.

Script 8: Suricata rules download and reload
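Script 8 isn’t reproduced above; the following is my own added example (not the author’s code) of the download-validate-reload loop. It assumes the standard /etc/suricata/rules directory and /etc/suricata/suricata.yaml, that the rule file names are listed under rule-files: in that config, and that the unix command socket suricatasc talks to is enabled. Only the Feodo Tracker rules URL is taken from this page; the ThreatFox ruleset URL isn’t given here, so it is left as a comment for you to fill in from threatfox.abuse.ch. The sample rules are constructed.

```python
#!/usr/bin/env python3
"""Fetch abuse.ch Suricata rules, validate them, install them atomically and
hot-reload Suricata without a restart."""
import os
import re
import subprocess
import urllib.request

RULES_DIR = "/etc/suricata/rules"
SURICATA_YAML = "/etc/suricata/suricata.yaml"
FEEDS = {
    "feodotracker.rules": "https://feodotracker.abuse.ch/downloads/feodotracker.rules",
    # add the ThreatFox ruleset URL from threatfox.abuse.ch here as a second entry
}

# Constructed sample: two good rules, one duplicate sid, one junk line.
SAMPLE_RULES = """# abuse.ch Feodo Tracker - sample
alert ip $HOME_NET any -> 1.2.3.4 any (msg:"Feodo Tracker C2 1.2.3.4"; sid:900000001; rev:1;)
alert tcp $HOME_NET any -> 5.6.7.8 443 (msg:"Feodo Tracker C2 5.6.7.8"; sid:900000002; rev:1;)
alert tcp $HOME_NET any -> 5.6.7.8 443 (msg:"duplicate"; sid:900000002; rev:2;)
this line is not a rule
"""

RULE_RE = re.compile(r"^(alert|drop|reject|pass)\s+\S+\s+.*\(.*\bsid\s*:\s*(\d+)\s*;.*\)\s*$")


def validate_rules(text):
    """Return (sids, problems). Each non-comment line must be a complete rule
    with a sid; a duplicate sid is logged as an error by Suricata at load."""
    sids, problems, seen = [], [], set()
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = RULE_RE.match(s)
        if not m:
            problems.append(f"line {n}: not a rule")
            continue
        sid = int(m.group(2))
        if sid in seen:
            problems.append(f"line {n}: duplicate sid {sid}")
        seen.add(sid)
        sids.append(sid)
    return sids, problems


def install(name, text, rules_dir=RULES_DIR):
    """Write to a temp file and rename: Suricata never reads a half-written file."""
    path = os.path.join(rules_dir, name)
    with open(path + ".tmp", "w") as f:
        f.write(text)
    os.replace(path + ".tmp", path)
    return path


def main():
    installed = 0
    for name, url in FEEDS.items():
        with urllib.request.urlopen(url, timeout=60) as resp:
            text = resp.read().decode("utf-8", "replace")
        sids, problems = validate_rules(text)
        if problems or not sids:
            print(f"{name}: NOT installed ({len(sids)} rules, problems: {problems[:3]})")
            continue
        install(name, text)
        installed += 1
        print(f"{name}: {len(sids)} rules")
    if installed:
        # -T parses config and rules without running; don't reload into a broken state.
        subprocess.run(["suricata", "-T", "-c", SURICATA_YAML], check=True)
        subprocess.run(["suricatasc", "-c", "reload-rules"], check=True)


if __name__ == "__main__":
    main()
```

Run it from cron every 15 to 30 minutes. The suricata -T step is cheap and is what keeps a bad download from turning into a reload failure at 3 a.m.; if -T fails, the previously installed file is already overwritten, so keep a copy of the last good file if that matters to you.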

STIX/TAXII Tooling

If you’re integrating with STIX/TAXII sources (including CISA AIS if you qualify), the Python ecosystem has you covered:

  • python-stix2 — The OASIS-maintained Python library for creating, parsing, and manipulating STIX 2.x objects. pip install stix2.
  • taxii2-client — Python TAXII 2.x client for querying TAXII servers. pip install taxii2-client. Pair this with python-stix2 to pull indicators from any TAXII 2.1 server.
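As an added example of what you do with those two libraries (my code, not the OASIS projects’ or the post’s), the script below flattens the common STIX indicator patterns into (type, value, indicator id) IOCs and, in pull_taxii, fetches a collection with taxii2-client. The pattern handling is a regex for single comparisons joined by OR, not a full STIX pattern parser; patterns with AND or FOLLOWEDBY are returned empty on purpose, because blocking each part of a combined observable on its own over-blocks. The taxii2-client call shape (Collection(url).get_objects(added_after=…, next=…) returning the envelope dict) is as I know that library; the sample objects are constructed with shortened ids.

```python
#!/usr/bin/env python3
"""Pull indicators from a TAXII 2.1 collection and flatten the common STIX
patterns into (type, value, indicator id) IOCs."""
import datetime as dt
import re

# Constructed STIX 2.1 indicator objects (ids shortened; real ones are
# indicator--<uuid>).
SAMPLE_OBJECTS = [
    {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '1.2.3.4'] OR [ipv4-addr:value = '5.6.7.8']"},
    {"type": "indicator", "id": "indicator--2", "revoked": True,
     "pattern": "[domain-name:value = 'evil.example']"},
    {"type": "indicator", "id": "indicator--3",
     "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"type": "indicator", "id": "indicator--4",
     "pattern": "[ipv4-addr:value = '9.10.11.12' AND network-traffic:dst_port = 443]"},
    {"type": "indicator", "id": "indicator--5", "valid_until": "2020-01-01T00:00:00.000Z",
     "pattern": "[url:value = 'http://old.example/x']"},
    {"type": "malware", "id": "malware--1", "name": "Loader"},
]

COMPARISON_RE = re.compile(
    r"(?P<obj>ipv4-addr|domain-name|url|file):(?P<prop>[\w.'\-]+)\s*=\s*'(?P<val>[^']*)'")
KINDS = {"ipv4-addr": "ip", "domain-name": "domain", "url": "url"}


def iocs_from_pattern(pattern):
    """Flatten "[ipv4-addr:value = '1.2.3.4'] OR [...]" into [('ip', '1.2.3.4'), ...].

    Only single comparisons joined by OR are flattened. AND/FOLLOWEDBY
    patterns describe a combination of observables, and blocking each part
    alone would over-block, so they are returned empty for manual review.
    """
    if " AND " in pattern or "FOLLOWEDBY" in pattern:
        return []
    out = []
    for m in COMPARISON_RE.finditer(pattern):
        if m["obj"] == "file":
            # file:hashes.'SHA-256' -> sha256, file:hashes.MD5 -> md5
            kind = m["prop"].split(".")[-1].strip("'").lower().replace("-", "")
        else:
            kind = KINDS[m["obj"]]
        out.append((kind, m["val"]))
    return out


def iocs_from_objects(objects, now=None):
    """Indicators only; skip revoked ones, expired ones and non-STIX pattern types."""
    now = now or dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    iocs = []
    for o in objects:
        if o.get("type") != "indicator" or o.get("revoked"):
            continue
        if o.get("pattern_type", "stix") != "stix":
            continue
        if o.get("valid_until", "9999") < now:      # ISO timestamps compare as strings
            continue
        for kind, value in iocs_from_pattern(o.get("pattern", "")):
            iocs.append((kind, value, o["id"]))
    return iocs


def pull_taxii(api_root, collection_id, user=None, password=None, added_after=None):
    """Live pull with taxii2-client (pip install taxii2-client), imported here
    so the parsing above runs without it. Follows `more`/`next` paging."""
    from taxii2client.v21 import Collection
    coll = Collection(f"{api_root.rstrip('/')}/collections/{collection_id}/",
                      user=user, password=password)
    filters = {"added_after": added_after} if added_after else {}
    objects = []
    while True:
        env = coll.get_objects(**filters)
        objects += env.get("objects", [])
        if not env.get("more") or not env.get("next"):
            return objects
        filters["next"] = env["next"]


if __name__ == "__main__":
    import sys
    for kind, value, ref in iocs_from_objects(pull_taxii(sys.argv[1], sys.argv[2])):
        print(f"{kind}\t{value}\t{ref}")
```

Pass the API root and collection id on the command line; for anything beyond these simple patterns, hand the pattern string to python-stix2’s pattern tooling rather than extending the regex.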

SIEM Integration

Elastic Security has a native abuse.ch integration that ingests URLhaus, ThreatFox, and Feodo Tracker data directly into your Elasticsearch cluster — no custom scripts needed. Splunk has the Threat Intelligence Framework add-on which supports STIX/TAXII sources and several abuse.ch feeds via the Splunkbase marketplace. If you’re already running either platform, check their respective app stores before writing your own ingestion code.

Choosing the Right Feed for Your Setup

Quick Answer: Match the feed to your enforcement point — IP blocklists for firewalls, DNS lists for resolvers, Suricata rules for IDS, and OTX API for SIEM enrichment.

Use Case | Recommended Feed | Format | Update Freq | Complexity | Notes
--- | --- | --- | --- | --- | ---
iptables/nftables blocking | IPsum (level 3+) + Blocklist.de | Plain text IP | Daily / 30 min | Low | Use ipset for performance; atomic swap for zero-downtime updates
Pi-hole / AdGuard Home | HaGeZi Pro + HaGeZi TIF | Adblock | Daily | Very low | TIF is the security-focused tier; Pro covers ads + threats together
pfSense / OPNsense | IPsum + Feodo Tracker | Plain text IP | Daily / 5 min | Low | Both platforms have built-in alias/blocklist update schedulers
Suricata / Snort IDS | Feodo Tracker rules + ThreatFox rules | Suricata rules | 5 min / real-time | Medium | Use suricatasc reload-rules for live updates; no restart required
SIEM ingestion / enrichment | AlienVault OTX + ThreatFox API | JSON API | Real-time | Medium-high | OTX for context/enrichment; ThreatFox for structured IOC ingestion
Web server (nginx/Apache) | IPsum level 5+ for precision | Plain text IP | Daily | Low-medium | Higher threshold reduces false positives for legitimate user traffic
Mail server (Postfix/Exim) | Spamhaus ZEN (DNSBL) + Blocklist.de mail.txt | DNSBL + plain text | 5 min / 30 min | Low | ZEN for connection-time checks; blocklist.de for ipset-level blocking

FAQ

What’s the difference between a threat intelligence feed and a simple IP blocklist?

An IP blocklist is a flat list of addresses to block — no context, no metadata. A threat intelligence feed includes structured information about why an IP or domain is bad: which malware family uses it, which campaigns have been seen, confidence scores, timestamps, and sometimes MITRE ATT&CK mapping. Feeds like ThreatFox give you IOC context; blocklists like IPsum give you raw blocking data. Both are useful; they serve different purposes.

How often should I update threat intelligence feeds?

It depends on the feed. Feodo Tracker and ThreatFox update every 5 minutes — you should pull those at least every 30 minutes for meaningful protection. IPsum updates daily, so once a day is fine. Blocklist.de refreshes every 30 minutes, so pulling every 1-2 hours is reasonable. DNS blocklists like HaGeZi update daily and Pi-hole handles scheduling automatically after the initial setup.

Will adding these IP blocklists break legitimate traffic?

It’s possible, especially with aggressive feeds or low threshold settings. Start with IPsum level 3+ and Blocklist.de for general blocking — both have relatively low false positive rates for their intended use cases. Monitor your logs for blocked connections you didn’t expect. If you start getting complaints about legitimate services being blocked, check the offending IPs against the feed source to understand why they were listed, then whitelist as needed.

Do I need to pay for Spamhaus feeds?

For personal, non-commercial use below their query thresholds, Spamhaus DNSBL is free. If you’re running a commercial mail server, processing mail for paying customers, or if your query volume exceeds the free tier limits, you need a Data Query Service subscription. Spamhaus’s DROP list (drop.txt, which absorbed EDROP in 2024) is a separate, freely downloadable flat file of hijacked and criminal netblocks that drops straight into an ipset; the larger data sets such as BGPf and the full zone files are licensed commercially. Check the Spamhaus website for current terms — the rules have tightened over the years.

What is STIX and TAXII and do I need them?

STIX is a JSON-based data format for describing threat intelligence — actors, campaigns, malware, indicators. TAXII is the API transport protocol for exchanging STIX bundles between platforms. Together they’re the enterprise standard for structured threat intel sharing. For most self-hosters, you don’t need them — plain text IP lists, DNS blocklists, and Suricata rules cover 95% of homelab use cases. You’d care about STIX/TAXII if you’re integrating with CISA AIS, building a MISP deployment, or connecting to a commercial threat intel platform.

Can I use ipset with nftables instead of iptables?

Sort of, but the modern approach is to use nftables named sets directly instead of ipset. nftables has native sets built into the kernel: create one with nft add set inet filter blocklist '{ type ipv4_addr; flags interval; }' (the interval flag is what lets it hold CIDR prefixes as well as single addresses), bulk-load it with nft add element, and match it in a rule with ip saddr @blocklist drop. Lookups are hash-based, in the same performance class as ipset. Because nft -f applies a whole file as one transaction, a flush-and-refill batch gives you the same zero-gap update as the ipset temp-set-and-swap trick, without the temporary set. The nftables wiki has a migration guide from ipset. If you’re on a fresh install (Debian 12+, Ubuntu 22.04+, RHEL 9+), nftables is the default and native sets are the right approach.
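As an added example (my code, not from the nftables project or the post), here is the nftables counterpart of the ipset loader: it reads IPs or CIDRs on stdin, collapses overlapping entries, and emits one nft -f batch that declares the set, flushes it and refills it in a single transaction. The table name inet filter, set name blocklist and the input chain definition are my choices; adjust them to your ruleset.

```python
#!/usr/bin/env python3
"""nftables version of the atomic update: one `nft -f` batch flushes and refills
a named set inside a single transaction, so no temporary set or swap is needed."""
import ipaddress
import subprocess

TABLE = "inet filter"
SET = "blocklist"


def nft_batch(entries, table=TABLE, name=SET):
    """entries: IPv4 addresses and/or CIDRs as strings.

    Overlapping entries are collapsed first: with 'flags interval' nft rejects
    an element that lies inside another unless the set has auto-merge, and
    collapsing keeps the batch small either way.
    """
    nets = ipaddress.collapse_addresses(
        ipaddress.IPv4Network(e, strict=False) for e in entries)
    elems = [str(n) if n.prefixlen < 32 else str(n.network_address) for n in nets]
    lines = [
        f"table {table} {{",
        f"  set {name} {{",
        "    type ipv4_addr",
        "    flags interval",
        "    auto-merge",
        "  }",
        "}",
        f"flush set {table} {name}",
    ]
    for i in range(0, len(elems), 1000):     # keep individual lines manageable
        lines.append(f"add element {table} {name} {{ {', '.join(elems[i:i + 1000])} }}")
    return "\n".join(lines) + "\n"


def apply_batch(batch):
    """nft -f applies the whole file as one transaction: either every line is
    committed or none is, and the set is never observed empty in between."""
    subprocess.run(["nft", "-f", "-"], input=batch.encode(), check=True)


def ensure_rule(table=TABLE, name=SET):
    """Create the input chain if needed and add the drop rule once."""
    family, tname = table.split()
    subprocess.run(["nft", "add", "chain", family, tname, "input",
                    "{ type filter hook input priority 0; policy accept; }"], check=True)
    listing = subprocess.run(["nft", "list", "chain", family, tname, "input"],
                             capture_output=True, text=True, check=True).stdout
    if f"@{name}" not in listing:
        subprocess.run(["nft", "add", "rule", family, tname, "input",
                        "ip", "saddr", f"@{name}", "drop"], check=True)


if __name__ == "__main__":
    import sys
    ips = [l.split("#")[0].strip() for l in sys.stdin if l.split("#")[0].strip()]
    apply_batch(nft_batch(ips))
    ensure_rule()
    print(f"{SET}: loaded {len(ips)} entries")
```

Pipe a filtered IPsum list into it (curl … | ./nft-block.py) from cron. Re-declaring the table and set in every batch is harmless: nft -f treats an existing table or set declaration as add-if-missing, so the first run creates them and later runs just refill.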

What’s the best single feed for a self-hoster who wants to set it up once?

For DNS blocking: add HaGeZi TIF to your Pi-hole or AdGuard Home. One URL, daily updates, specifically focused on malware and phishing — not ad blocking noise. For firewall blocking: IPsum level 3+ loaded via ipset with a daily cron job. Those two together cover the most ground for the least ongoing maintenance. If you have a mail server, add Spamhaus ZEN via your MTA’s DNSBL configuration as a third layer.

How do I check if an IP is in my current ipset block list?

Run ipset test ipsum_blocklist 1.2.3.4 — it prints “is in set” or “is NOT in set” and exits 0 or 1 respectively, so it works in scripts too. ipset list -t ipsum_blocklist prints only the header, including “Number of entries”, which is the quickest way to confirm a load actually happened; plain ipset list ipsum_blocklist dumps every entry, which is a long output for large sets, and ipset list ipsum_blocklist | grep -c "^[0-9]" counts them. You can also check iptables packet counters with iptables -L INPUT -v -n | grep ipsum to see how many packets have been blocked.

AlienVault OTX has millions of indicators — won’t pulling all of them crash my server?

Don’t pull all of them at once. The OTX API and OTXv2 SDK let you filter by time window — use the getsince method with a 7-day lookback as shown in the Python script above. That typically yields tens of thousands of unique IPv4 IOCs, not millions, which is very manageable. Loading even 500k IPs into ipset is fine on any modern server. If you do want broader coverage, batch the imports with sleep calls between API requests to stay within rate limits.

Are government feeds like CISA AIS worth it for small businesses?

Probably not for most small businesses. CISA AIS requires paperwork, a PKI certificate from a Federal Bridge CA, an Interconnection Agreement, and a STIX/TAXII-capable client. That’s real overhead. The intelligence quality is excellent, but you’d get 80% of the practical value from IPsum, HaGeZi TIF, and the abuse.ch suite — all of which are zero paperwork and available in five minutes. If you’re in a critical infrastructure sector, a financial institution, or a government contractor, the CISA AIS application is worth pursuing.

Can I combine multiple IP blocklists into one ipset?

Yes, and it’s often a good idea for general blocking. The ipset add -exist flag silently ignores duplicate entries, so you can load IPsum, Blocklist.de, and OTX IPs into the same set without any issues. The atomic swap pattern still works — build the combined set under a temp name, then swap. Just watch the maxelem setting on your ipset creation: the default is 65536, which is too low for combined large feeds, so set it to 1000000 to be safe. maxelem is part of the set’s create parameters, so to raise it on an existing set you have to destroy and recreate the set (and its temp twin) rather than expecting create -exist to change it in place.

What is GreyNoise and why is it different from a regular blocklist?

GreyNoise catalogues internet background noise — all the automated mass-scanning that hits every public IP constantly. Instead of flagging IPs as “bad,” it classifies them as noise (mass scanners hitting everyone), malicious (targeted attack activity), or unknown. This context helps with alert triage: if your SIEM fires on an IP that GreyNoise marks as benign mass-scanning noise, that’s a much lower priority than an IP flagged as targeted malicious activity. You wouldn’t use GreyNoise as a blocklist; you’d use it to prioritize which alerts actually need investigation.



Alexander
