SoloInter Posted December 14, 2018

Hi, every day I get some IP addresses that try a lot of things like this:

I think it would be good if we could configure some filter. If any IP address gets more than 10 error codes in 1 minute, it should be banned directly for 1 week or something like that. I know there are CDNs that can help with that, but I think it would be good to have it in IPB.
aia Posted December 14, 2018

No, it should not be in IPS. It must be implemented on a different level: on your server side. fail2ban is a good solution for this kind of bot.

TDBF, Aiwa and SoloInter 3
SoloInter (Author) Posted December 14, 2018

Thanks, I will ask my host to do it.
SoloInter (Author) Posted December 14, 2018

Host:

Hello, I'm sorry, but it will not be possible to put fail2ban for you, we do not install the software at the request of customers. The loadbalancers are behind our anti-DDoS software, so it's not possible to change anything, because it applies to all customers. Plus, our anti-DDoS software cannot do anything in this case, it's not a DDoS attack, just someone trying to log in very often. Finally, our anti-DDoS software is not one by fire, its rules apply only in case of mitigation. Regards,

... in this case, IPB can provide some rules or filter that can help. I think it will be useful.
SeNioR- Posted December 16, 2018 (edited)

I have the same problem. The only way at this time is to block this IP in .htaccess, but every day there is a new bot with another IP address, so it's tiring... :/

On 12/14/2018 at 4:49 AM, Archimed said:
If any IP address gets more than 10 error codes in 1 minute, it should be banned directly for 1 week

Great idea. Something like this: http://www.site-scanners.com/smart-404-security-blocking-addon/

Edited December 16, 2018 by SeNioR-

SoloInter 1
SoloInter (Author) Posted December 17, 2018

Yes, it would be great to have something like that for IPB. Because when we are on shared hosting, we cannot do what we want on the server side. fail2ban and others cannot be added.

SeNioR- 1
Aiwa Posted December 17, 2018

I don't think you fully comprehend what's going on here...

The bot is attempting to access a FILE that lives on your server. Should that file be found, IPS would be none the wiser because your SERVER would deliver the requested file before IPS knew of the request. The ONLY reason you're seeing these errors is because the file WAS NOT found and the IPS .htaccess rewrites are funneling the unfulfilled requests into the IPS software, where IPS proceeds to log the error you see.

This has to be handled at the SERVER level. You simply can't ask IPS to manage file access on your server for you when the only reason they are seeing the requests is because they failed in the first place. Being on a shared host, you're going to be at the mercy of what the hosting company will install on their servers.

This is a common thing that happens every day all day... If you have a server with SSH open on port 22, you better believe that some bot is attempting to log into it at least once every few seconds. fail2ban is a wonderful tool there. What you're experiencing isn't any different. A bot is attempting, for lack of a better term, to brute force finding files by specific names. Any backups you take, don't put them in a web-accessible area on the server, and don't leave them there longer than necessary.

Now, these logs are stored in the IPS DB. You can certainly write your own CRON job that will auto-fill an .htaccess IP deny file to stop these bots at the SERVER level. Because thinking IPS can block them, should the bot guess a valid file name, is simply wrong. It'd be an extremely false sense of security.

Bluto and TDBF 2
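The cron job described in the post above, combined with the rule proposed at the start of the thread (more than 10 errors in 1 minute, banned for 1 week), as an added example that is not part of any post here. The log line format, the sample data, the function names and the Apache 2.4 `Require not ip` output are assumptions; the IPS log table itself is not read.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                 # more than 10 errors ...
WINDOW = timedelta(minutes=1)  # ... inside one minute ...
BAN_FOR = timedelta(weeks=1)   # ... earns a one-week ban

# Constructed sample export, one "<ISO time> <ip> <status>" per line (assumed format).
SAMPLE = (
    [f"2018-12-14T04:49:{s:02d} 203.0.113.7 404" for s in range(0, 55, 5)]     # 11 errors in 50 s
    + [f"2018-12-14T05:{m:02d}:00 198.51.100.20 404" for m in range(0, 22, 2)]  # 11 errors, 2 min apart
    + ["2018-12-14T05:30:00 192.0.2.44 200"]
)

def parse(line):
    ts, ip, status = line.split()
    # ip_address() rejects anything that is not a literal IP, so text from the
    # log can never smuggle extra directives into the generated .htaccess.
    return datetime.fromisoformat(ts), str(ipaddress.ip_address(ip)), int(status)

def find_bans(lines, now):
    """Return {ip: ban_expiry} for IPs with more than THRESHOLD errors in WINDOW."""
    recent = defaultdict(deque)  # ip -> error timestamps still inside the window
    bans = {}
    for ts, ip, status in sorted(parse(l) for l in lines if l.strip()):
        if status < 400:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > THRESHOLD:
            bans[ip] = ts + BAN_FOR  # a repeat offence extends the ban
    return {ip: exp for ip, exp in bans.items() if exp > now}  # drop expired bans

def render_htaccess(bans):
    """Apache 2.4 syntax (assumed); the server refuses these IPs before PHP runs."""
    rules = ["<RequireAll>", "    Require all granted"]
    rules += [f"    Require not ip {ip}" for ip in sorted(bans)]
    return "\n".join(rules + ["</RequireAll>"]) + "\n"

if __name__ == "__main__":
    print(render_htaccess(find_bans(SAMPLE, datetime(2018, 12, 14, 6, 0))))
```

Run from cron, the output would be written to a separate include or a marked section of the .htaccess rather than overwriting the IPS rewrite rules already in that file.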
SoloInter (Author) Posted December 17, 2018 (edited)

The problem is being on a shared server. As you say, we are at the mercy of the goodwill of the host.

Anyway, an IP that tries to find SQL files, WordPress logins, zip files, etc., is a crap IP that squats my bandwidth, fills my log file, and has nothing to do here. An IP that generates hundreds of errors per minute is just an IP to ban. Having a simple rule that can handle it in the back office is nothing foolish to ask.

Fail2ban would already be active if it were possible. It is not, so I'm looking for an alternative solution. If IPS does not wish to propose one, I will find another solution. Nevertheless, I think that it would not be too much.

Edited December 17, 2018 by Archimed
Aiwa Posted December 17, 2018

1 minute ago, Archimed said:
An IP that generates hundreds of errors per minute is just an IP to ban

Ok, ban the IP within IPS. It's NOT going to stop the requests for files on your server. You just won't see it in your IPS logs anymore. The requests will continue to happen unless the IP is blocked at the SERVER level, or at least your account on that server. You're mistakenly thinking a ban within IPS would do any good in this scenario, it won't.

Bluto 1
SoloInter (Author) Posted December 17, 2018

I understand that there is a distinction to be made between the server side and the software side. Banning an IP will not prevent it from entering the server; it will be stopped after that. Anyway, as you say, it is possible to block access best with a .htaccess, and it would be "cleaner". IPS or a developer could set up a security feature of this kind.
TDBF Posted June 27, 2020

On 12/14/2018 at 7:10 AM, Archimed said:
Host: Hello, I'm sorry, but it will not be possible to put fail2ban for you, we do not install the software at the request of customers. The loadbalancers are behind our anti-DDoS software, so it's not possible to change anything, because it applies to all customers. Plus, our anti-DDoS software cannot do anything in this case, it's not a DDoS attack, just someone trying to log in very often. Finally, our anti-DDoS software is not one by fire, its rules apply only in case of mitigation. Regards, ... in this case, IPB can provide some rules or filter that can help. I think it will be useful.

Use Cloudflare to do IP bans (if you don't have access to your server) or change hosting.