I’ve had a few instances where there were compromised machines in the Amazon AWS environment that were connecting and trying to brute force some logins to cPanel or a CMS like WordPress. I found Amazon has a list of their IPs here:
http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
and more specifically this list:
https://ip-ranges.amazonaws.com/ip-ranges.json
I wanted to block the range for a while so I ran these commands from SSH:
cp -rp /etc/csf/csf.deny /etc/csf/csf.deny.backup
wget https://ip-ranges.amazonaws.com/ip-ranges.json
grep ip_prefix ip-ranges.json | awk '{print $2}' | sed 's/"//g' | sed 's/,//g' >> /etc/csf/csf.deny
I made a backup of the csf.deny file first so it could be reverted later. Otherwise having this many IPs in the list may slow the firewall and even the whole server down.
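An added example (not part of the original post): the grep pipeline above appends every ip_prefix line, and ip-ranges.json lists the same block under more than one service value, so the deny list picks up duplicates. This sketch parses the JSON, keeps only selected services, and merges adjacent or nested CIDRs to shorten the list; the sample data is constructed from documentation ranges, and the function names and the choice of the EC2 service are assumptions.

```python
import ipaddress
import json

# Constructed sample in the layout of ip-ranges.json (documentation ranges,
# not real AWS prefixes). The same block appears under several services.
SAMPLE = """
{
  "syncToken": "0",
  "createDate": "1970-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "198.51.100.0/25",   "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25",   "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.128/25", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/24",    "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.64/26",   "region": "eu-west-1", "service": "S3"},
    {"ip_prefix": "192.0.2.0/24",      "region": "us-east-1", "service": "CLOUDFRONT"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "EC2"}
  ]
}
"""
DOC = json.loads(SAMPLE)


def deny_entries(doc, services=("EC2",), regions=None):
    """Collapsed IPv4 CIDRs for the chosen services/regions (None = no filter)."""
    nets = set()
    for entry in doc.get("prefixes", []):
        if services and entry.get("service") not in services:
            continue
        if regions and entry.get("region") not in regions:
            continue
        nets.add(ipaddress.ip_network(entry["ip_prefix"]))
    # collapse_addresses merges adjacent and nested networks into fewer CIDRs
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def grep_equivalent(doc):
    """What the grep/awk/sed pipeline appends: every ip_prefix, duplicates kept."""
    return [e["ip_prefix"] for e in doc.get("prefixes", [])]


if __name__ == "__main__":
    print(len(grep_equivalent(DOC)), "lines from the grep pipeline")
    for cidr in deny_entries(DOC):
        print(cidr)  # write to a file and review before appending to csf.deny
```

To run it against the real file, load the downloaded ip-ranges.json with `json.load` in place of the constructed sample.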