📋 Changelog

Release history and version notes for Bad IPs

This page tracks all notable changes to Bad IPs. Changes are organized by version with the most recent releases first.

Legend: ✨ Added | 🔄 Changed | 🐛 Fixed | ⚠️ Deprecated | 🔒 Security

v3.5.0 LATEST
December 21, 2025
✨ Added
  • Privilege Separation: Service now runs as non-root user (badips) with limited sudo privileges for enhanced security
  • PublicBlocklistPlugins Architecture: New extensible plugin system for integrating external IP blocklists
  • Spamhaus Plugin: Built-in plugin for Spamhaus DROP and EDROP lists
  • Expanded IPv6 Defaults: Added ff00::/8 (multicast), ::/128 (unspecified), and 2001:db8::/32 (documentation) to default never-block list
  • Multi-version Apt Repository: Repository now indexes all package versions for easy upgrades/downgrades
  • Separate IPv4/IPv6 Prompts: Install script now clearly separates IPv4 and IPv6 configuration with helpful descriptions
  • Configuration Documentation: Added comprehensive PublicBlocklistPlugins developer guide to website
🔄 Changed
  • Simplified Configuration: Removed hunter/gatherer mode distinction - now uses a single unified auto_mode configuration
  • Single Configuration Template: Replaced separate hunter/gatherer templates with a single badips.conf.template
  • Default Database User: Changed from bad_ips_hunter to bad_ips for consistency
  • Install Script UX: Improved prompts to clearly separate IPv4 and IPv6 network configuration
  • Documentation Rewrite: Complete overhaul of CONFIGURATION.md to reflect simplified architecture
🐛 Fixed
  • Database Config Permissions: database.conf now created with 640 permissions instead of 600 to allow badips user read access
  • Config File Ownership: All config files in /usr/local/etc/badips.d/ now properly set to root:badips ownership
  • Install Script Input Sanitization: Fixed newline handling in CIDR inputs that could corrupt INI file format
  • Config Parsing: Fixed awk patterns to prevent matching IPv6 parameters when reading IPv4 settings
  • Directory Permissions: Install script now properly sets permissions on badips.d directory during creation
⚠️ Deprecated
  • public_blocklist_urls - Replaced by [PublicBlocklistPlugins:Name] configuration sections
  • public_blocklist_refresh - Replaced by per-plugin fetch_interval parameter
  • Hunter/Gatherer mode configuration - Unified into single auto_mode setting
🔒 Security
  • Non-root Execution: Service runs as dedicated badips user instead of root
  • Limited Sudo Access: Sudoers rules restrict nftables operations to inet badips table only
  • Config File Security: Proper group permissions allow service user to read configs without requiring root
  • Password Protection: Database credentials in database.conf secured with 640 permissions
  • Supplementary Groups: Service user added to systemd-journal and adm groups for log access without elevated privileges
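
After upgrading, the permission model in the Fixed and Security entries above can be checked with a short audit. This is an added example, not Bad IPs project code; the function name, its arguments, and the assumption that database.conf lives in /usr/local/etc/badips.d/ are illustrative, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not Bad IPs project code.
# Audits a config directory against the v3.5.0 permission model:
#   - every file owned by OWNER:GROUP (changelog: root:badips)
#   - every file group-readable, so the non-root service can read it
#   - the credential file has no permission bits beyond 640
# Assumption: database.conf sits in the audited directory.
# Usage: audit_badips_conf DIR [OWNER] [GROUP] [CRED_FILE]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_badips_conf() {
    dir=$1
    want_owner=${2:-root}
    want_group=${3:-badips}
    cred=${4:-database.conf}
    rc=0

    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # GNU stat: -L follow symlinks, %U owner, %G group, %a octal mode
        set -- $(stat -L -c '%U %G %a' "$f")
        owner=$1 group=$2 mode=$3

        if [ "$owner:$group" != "$want_owner:$want_group" ]; then
            echo "OWNER $f is $owner:$group, want $want_owner:$want_group"
            rc=1
        fi
        # 040 = group read. Mode 600 was the bug fixed in this release.
        if [ $(( 0$mode & 040 )) -eq 0 ]; then
            echo "UNREADABLE $f mode $mode lacks group read"
            rc=1
        fi
        # 07137 = every bit outside 0640 (setuid/setgid/sticky,
        # owner exec, group write/exec, all "other" bits).
        if [ "${f##*/}" = "$cred" ] && [ $(( 0$mode & 07137 )) -ne 0 ]; then
            echo "TOO_OPEN $f mode $mode exceeds 640"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `audit_badips_conf /usr/local/etc/badips.d`; a non-zero exit status means at least one file deviates from the model.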