IP-based dynamic blacklist

People, we all know that blacklisting does not work - spammers can penetrate proxies, and legitimate users can suffer... Nevertheless, a blacklist seems to me an effective mechanism to stop a constant attacker, given that the actual IP list is determined dynamically based on feedback from the application and user behavior.

For example:

  • someone is trying to reinstall your login screen
  • a poorly written bot issues very strange HTTP requests to your site
  • a script-kiddie uses a scanner to search for vulnerabilities in your application

I am wondering if the following mechanism works, and if so, do you know if there are any tools that do this:

  • In a web application, the developer has a hook to report a "violation". An offense can be insignificant (wrong password), and dozens of such violations will be required to get blacklisted; or it can be serious, and a couple of such offenses knock you out for a 24-hour period.
  • Some form of web-server-level block is triggered before each page loads and determines whether the user comes from a "bad" IP address.
  • There is a built-in "forgiveness" mechanism: offenses are no longer counted against an IP after some time.

Thanks!

Note: it would be great if the solution worked in PHP, but I would like to hear your thoughts on the approach in general, for any language/platform.

+6
security apache .htaccess email-spam
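The mechanism sketched in the question (weighted offenses reported through an application hook, a check before each request, and time-based forgiveness), as an added example that is not code from the question or any of the answers. It is in Python rather than PHP; the offense weights, thresholds and time windows are constructed values, and a WSGI wrapper stands in for the web-server-level hook.

```python
import time
from collections import defaultdict

# Offense weights and thresholds are constructed values for this example.
OFFENSE_WEIGHTS = {
    "bad_password": 1,        # dozens of these are needed before a block
    "malformed_request": 10,  # odd HTTP requests from a badly written bot
    "vuln_scan": 50,          # a couple of these block the address
}
BLOCK_THRESHOLD = 100
FORGIVENESS_SECONDS = 24 * 3600  # offenses older than this no longer count
BLOCK_SECONDS = 24 * 3600        # how long a blocked IP stays blocked

class DynamicBlacklist:
    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, eases testing
        self._offenses = defaultdict(list)   # ip -> [(timestamp, weight)]
        self._blocked_until = {}             # ip -> unblock timestamp

    def score(self, ip):
        """Weighted offense total over the forgiveness window."""
        cutoff = self._now() - FORGIVENESS_SECONDS
        self._offenses[ip] = [(t, w) for t, w in self._offenses[ip] if t > cutoff]
        return sum(w for _, w in self._offenses[ip])

    def report_violation(self, ip, kind):
        """Hook the application calls; returns True if the IP is now blocked."""
        self._offenses[ip].append((self._now(), OFFENSE_WEIGHTS[kind]))
        if self.score(ip) >= BLOCK_THRESHOLD:
            self._blocked_until[ip] = self._now() + BLOCK_SECONDS
            self._offenses[ip].clear()       # start fresh once the block expires
            return True
        return False

    def is_blocked(self, ip):
        """Check run before each page load; expired blocks are lifted here."""
        until = self._blocked_until.get(ip)
        if until is not None and until > self._now():
            return True
        self._blocked_until.pop(ip, None)
        return False

def blacklist_middleware(app, blacklist):
    """WSGI wrapper standing in for the web-server-level check."""
    def wrapped(environ, start_response):
        if blacklist.is_blocked(environ.get("REMOTE_ADDR", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked\n"]
        return app(environ, start_response)
    return wrapped
```

In a real deployment the offense store would live in shared storage (a database or cache) rather than in process memory, and the client IP would be taken from the connection, not from a spoofable header.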
6 answers

Are you on a *nix machine? This kind of thing is probably best left at the OS level using something like iptables.

edit:

In response to a comment, yes (sort of). However, the idea is that iptables can work independently. You can set a certain threshold for throttling (for example, block requests to TCP port 80 that exceed x requests/minute), and all this is processed transparently (i.e. your application really does not need to know anything about this to dynamically block it).

I would suggest the iptables method if you have full control over the box and would prefer your firewall to handle throttling (the advantage is that you do not need to build this logic into your web application, and it can save resources since requests are dropped before they get to your web server).

Otherwise, if you expect that blocking will not be a huge component (or your application is portable and cannot guarantee access to iptables), then it would be more reasonable to build this logic into your application.

+2

Check out fail2ban. A Python framework that allows you to create iptables blocks by tailing log files for patterns of erroneous behavior.

+5

I think it should be a combination of username and IP block. Not just IP.

0

You are looking at custom blocking code. In the open source world, there are applications that contain various variations of such code. Perhaps you should take a look at some of them, although your requirements are pretty trivial, so check the IP/username combination and use this to block the IP for x time. (Note: I said that the IP is blocked, not the user. The user may still try to connect through a valid IP/username/pw combination.)

In fact, you can even track user logins, and when a login comes from an unknown IP address with 3 unsuccessful username/pw combinations, block this IP address for this username for however long you choose. (Note that many ISPs use IP addresses this way...)

You may also want to delay authentication so that the IP address cannot login more than once every "y" seconds or so.

0

I developed a system for a client that monitored attacks on a web server and dynamically denied IP addresses at the operating system/firewall level for variable periods of time for certain offenses, so yes, it is definitely possible. As Owen said, firewall rules are a much better place for this kind of thing than the web server. (Unfortunately, the client decided to keep this code private, so I can't share it.)

I usually work in Perl, not PHP, but if you have a command-line interface to your firewall rule engine (e.g. /sbin/iptables), you should be able to do this quite easily from any language that has the ability to execute system commands.

0

Err, such a system is simple and common; I can give you one quite easily.

It is simply and briefly explained here: http://www.alandoherty.net/info/webservers/

The scripts, as written, do not load (since no comments have been added at the moment), but write me an email from the site above and I will send you the code and gladly help debug it / the server.

0