I’ve basically given up on the sys admins to block the DO hackers. I assume this is a problem on all VPSs, given the cost we pay these days. That is, I used to get hacked without mercy from Linode until I blocked most of Linode. I have slowly put together the IP space of DO as I’ve been hacked. Don’t expect perfection, but it will block many DO droplets.
DO IP space
It expires in a week, but just ask again if you need it.
I’m probably stating the obvious here, and this is hardly the only solution, but my workflow is look up the IP on ip2location.com. Once I determine it is a datacenter, VSP, VPN or what I determine to be a trouble maker, I put the IP address into bgp.he.net and get the AS. You can either block the one CIDR from bgp.he.net, or you can look at the IPV4 space list and select the matching names.
For example, from my nginx log:
400 22.214.171.124 - - [17/Jan/2018:03:42:43 +0000] "SSH-2.0-Go" 173 "-" "-" "-"
Clearly an IP that isn’t going to do any browsing. Ip2location show that IP is at DO SFO. The associated CIDR is 126.96.36.199/18, which you can block in the firewall of your choice from everything but maybe port 25 should you want email from the hacker.
bgp.he.net identifies the IP as the infamous stretchoid hacker, or researcher if you believe them.
Shocker, it is in the abuse database. ;-) The IP CIDR is in AS14061. The associated IPV4 space is at
which is not exclusively DO. You can cut, paste, sed the results to get it in the form you want.
There are other ways to get the contents of an AS, but they don’t seem to be up to date. That is bgp.he.net has more IP CIDRs. Here is one example of how to enumerate an AS.