What is the best way to ban/block an ip address?

[tsruha]

Using the ban filter in the member area or is there another place on the admin cp that is better. I think the ban filter just stops somebody with that ip address from joining but what about banning or blocking the ip of a bot or spammer? Thanks.

[Aiwa]

The IP ban filter stops anyone using the IP from browsing your community.

Keep in mind they will still load your site with an error message.

The best way to really ban someone is to ban them at the server level, if you have access to do so.

[tsruha]

Thank you. :)

[Dmacleo]

fwiw I try to do it at server level using csf just to prevent it from showing in the ip admin logs.

always figured if they were blocked before they even got to the page it would just save resources.

[Aiwa]

fwiw I try to do it at server level using csf just to prevent it from showing in the ip admin logs.

always figured if they were blocked before they even got to the page it would just save resources.

Resources are consumed one way or another. At some point there is a break over point where it's fewer resources for IP.Board to handle it instead of the server.

For example, look at the csf.conf, you'll see they don't recommend putting in too many country codes to block because increasing the number of blocked IP's will result in increased load on the server when searching the iptables.

This all depends on your server configuration, but it may be fewer resources to let the http request go through and deliver the user an error page rather than blocking at the server level.

[Makoto]

The absolute best way would be to ban the IP using a hardware firewall, but few people have dedicated access to one of these.

It is most definitely better to ban at the software firewall level if you're worried about resources. I throw in iptables rules for severe offenders myself.

I've always recommend against blocking entire countries, and not just for performance reasons. But yes, if you banned all of China, you would be adding approximately 330,321,408 firewall rules to your server. Having to search through a list of 100 IP's however should not impact performance at all.

[Makoto]

Also, to add in a bit of technical information, when you have iptables "DROP" connections from a specific IP, this particularly minimizes the performance impact.

DROP means connections are dropped by the server. Imagine someone writing you a letter and expecting a response, but instead you just crumble it up and throw it in the trash bin.

REJECT means connections are refused by the sever. This means the server actually sends the client a response for each packet stating it has been rejected. Imagine someone writing you a letter, and you send them back a response saying you want nothing to do with the person anymore and to please stop writing.

If you ban your IP in iptables using DROP/DENY and try and open a connection to the server, you'll notice the connection will just hang until you reach your applications defined timeout. This is because the server never sent a response to your packet request. Your computer is still sitting there expecting a message to come back. But if you use the less common REJECT rule, your connection will be immediately refused.

It's easier to understand if you picture it out like this. Consider banning a malicious web scraper that's been hammering your forum with an excessive number of connections. For every single connection this malicious client makes to your server, this is the path the connection will have to take,

Banning the IP in IP.Board:

Client ――――> Server ――――> Web Server Daemon ――――> PHP (IP.Board) ┐

Client <―――― Server <―――― Web Server Daemon <―――― PHP (IP.Board) ┘

Banning the IP via your web server:

Client ――――> Server ――――> Web Server Daemon ┐

Client <―――― Server <―――― Web Server Daemon ┘

Banning the IP via iptables (REJECT)

Client ――――> Server ┐

Client <―――― Server ┘

Banning the IP via iptables (DROP)

Client ――――> Server (Connection dropped)

When simply banning an IP via IP.Board, every connection the client makes is still accepted by the server, sent to your web server for processing, and executed/rendered in PHP. This means every page load still eats up a connection to your web server. When you're trying to ban a malicious scraper or web crawler for eating up resources, this is generally not what you want. They're still going to be hammering your web server with connections, and PHP is still being executed, which eats up additional memory and resources.

Banning at the web server level is a little better, as PHP is no longer involved. The web server just flat out refuses the connection.

Banning via iptables will generally always be better. This means the server will refuse the connection at the kernel level. Nothing else on your server is bothered.

I may have just used this post as an excuse to draw a flow chart. Flow charts are fun!

[Grumpy]

You can block someone via iptables like... (replace ip)

iptables -A INPUT -s 0.0.0.0 -j DROP

Via CSF like... (you can also add comments for csf by just adding more to the end after a space)

csf -d 0.0.0.0

This will be most efficient way to block someone in most cases. They'll just get no response from the server what-so-ever.