Skip to main content


Blacklisting feature will help you block access from computers trying to scan your Evilginx HTTP server. With default settings, an IP of the originating request is added to blacklist whenever the request is unathorized.

Unauthorized requests are considered as follows:

  • Request was made to a URL not belonging to any of the currently set up lures.
  • Request matches the lure URL, but lure phishlet is disabled or hidden.

When a visitor opens a valid lure URL, belonging to enabled phishlet, their session will be whitelisted and they will be able to open any URL through Evilginx reverse-proxy for the duration of session being valid.

You can check the current blacklist settings with:

: blacklist

It will also tell you how many IPs and IP masks are currently being managed by the blacklist.

Blacklist can operate in multiple ways:

allBlock and blacklist IP of every single request (even the ones pointing to valid lure URLs!). This is useful if you want to manually trigger the scanning of your lure URLs with online services and force the scanner IPs to get blacklisted.
unauthBlock and blacklist IP of every request, which doesn't point to a valid lure URL of an enabled phishlet. This is a default setting.
noaddBlock every request, which doesn't point to a valid lure URL of an enabled phishlet, but do not add the IP to the blacklist.
offBlock unauthorized requests, but ignore blocking of IPs stored already in the blacklist.

You can change the blacklist mode at any time with:

: blacklist <mode>


The blacklist is stored in a text file at /root/.evilginx/blacklist.txt. You can backup this file and copy it over to any new instance running Evilginx to reuse the lists you've generated over time.

Keep in mind that blacklist file is loaded only when Evilginx starts, so if you want to update the blacklist.txt file, you may need to restart the software after that.

Blacklist file supports both single IP addresses and IP masks. You can add a single IP like so:

Or you can put in an IP mask with a / character followed by a subnet mask e.g.:

Which will block all IPs from to


: help blacklist


Select what kind of requests should result in requesting IP addresses
to be blacklisted.

show current blacklisting mode
blacklist all
block and blacklist ip addresses for every single request (even authorized ones!)
blacklist unauth
block and blacklist ip addresses only for unauthorized requests
blacklist noadd
block but do not add new ip addresses to blacklist
blacklist off
ignore blacklist and allow every request to go through
blacklist log <on|off>
enable or disable log output for blacklist messages