Skip to main content

Blacklist

Blacklisting feature will help you block access from computers trying to scan your Evilginx HTTP server. With default settings, an IP of the originating request is added to blacklist whenever the request is unathorized.

Unauthorized requests are considered as follows:

  • Request was made to a URL not belonging to any of the currently set up lures.
  • Request matches the lure URL, but lure phishlet is disabled or hidden.

When a visitor opens a valid lure URL, belonging to enabled phishlet, their session will be whitelisted and they will be able to open any URL through Evilginx reverse-proxy for the duration of session being valid.

You can check the current blacklist settings with:

: blacklist

It will also tell you how many IPs and IP masks are currently being managed by the blacklist.

Blacklist can operate in multiple ways:

modedescription
allBlock and blacklist IP of every single request (even the ones pointing to valid lure URLs!). This is useful if you want to manually trigger the scanning of your lure URLs with online services and force the scanner IPs to get blacklisted.
unauthBlock and blacklist IP of every request, which doesn't point to a valid lure URL of an enabled phishlet. This is a default setting.
noaddBlock every request, which doesn't point to a valid lure URL of an enabled phishlet, but do not add the IP to the blacklist.
offBlock unauthorized requests, but ignore blocking of IPs stored already in the blacklist.

You can change the blacklist mode at any time with:

: blacklist <mode>

Storage

The blacklist is stored in a text file at /root/.evilginx/blacklist.txt. You can backup this file and copy it over to any new instance running Evilginx to reuse the lists you've generated over time.

Keep in mind that blacklist file is loaded only when Evilginx starts, so if you want to update the blacklist.txt file, you may need to restart the software after that.

Blacklist file supports both single IP addresses and IP masks. You can add a single IP like so:

192.188.55.3

Or you can put in an IP mask with a / character followed by a subnet mask e.g.:

192.188.0.0/16

Which will block all IPs from 192.168.0.0 to 192.168.255.255.

Commands

: help blacklist

 blacklist

 Select what kind of requests should result in requesting IP addresses
 to be blacklisted.

 blacklist
   show current blacklisting mode
 blacklist all
   block and blacklist ip addresses for every single request (even authorized ones!)
 blacklist unauth
   block and blacklist ip addresses only for unauthorized requests
 blacklist noadd
   block but do not add new ip addresses to blacklist
 blacklist off
   ignore blacklist and allow every request to go through
 blacklist log <on|off>
   enable or disable log output for blacklist messages