Blacklist
Blacklisting feature will help you block access from computers trying to scan your Evilginx HTTP server. With default settings, an IP of the originating request is added to blacklist whenever the request is unathorized.
Unauthorized requests are considered as follows:
- Request was made to a URL not belonging to any of the currently set up lures.
- Request matches the lure URL, but lure phishlet is disabled or hidden.
When a visitor opens a valid lure URL, belonging to enabled phishlet, their session will be whitelisted and they will be able to open any URL through Evilginx reverse-proxy for the duration of session being valid.
You can check the current blacklist settings with:
: blacklist
It will also tell you how many IPs and IP masks are currently being managed by the blacklist.
Blacklist can operate in multiple ways:
mode | description |
---|---|
all | Block and blacklist IP of every single request (even the ones pointing to valid lure URLs!). This is useful if you want to manually trigger the scanning of your lure URLs with online services and force the scanner IPs to get blacklisted. |
unauth | Block and blacklist IP of every request, which doesn't point to a valid lure URL of an enabled phishlet. This is a default setting. |
noadd | Block every request, which doesn't point to a valid lure URL of an enabled phishlet, but do not add the IP to the blacklist. |
off | Block unauthorized requests, but ignore blocking of IPs stored already in the blacklist. |
You can change the blacklist mode at any time with:
: blacklist <mode>
Storage
The blacklist is stored in a text file at /root/.evilginx/blacklist.txt
. You can backup this file and copy it over to any new instance running Evilginx to reuse the lists you've generated over time.
Keep in mind that blacklist file is loaded only when Evilginx starts, so if you want to update the blacklist.txt
file, you may need to restart the software after that.
Blacklist file supports both single IP addresses and IP masks. You can add a single IP like so:
192.188.55.3
Or you can put in an IP mask with a /
character followed by a subnet mask e.g.:
192.188.0.0/16
Which will block all IPs from 192.168.0.0
to 192.168.255.255
.
Commands
: help blacklist
blacklist
Select what kind of requests should result in requesting IP addresses
to be blacklisted.
blacklist
show current blacklisting mode
blacklist all
block and blacklist ip addresses for every single request (even authorized ones!)
blacklist unauth
block and blacklist ip addresses only for unauthorized requests
blacklist noadd
block but do not add new ip addresses to blacklist
blacklist off
ignore blacklist and allow every request to go through
blacklist log <on|off>
enable or disable log output for blacklist messages