Block IP addresses

Home Forums BulletProof Security Pro Block IP addresses

This topic contains 2 replies, has 2 voices, and was last updated by  AITpro Admin 2 years, 10 months ago.

Viewing 3 posts - 1 through 3 (of 3 total)
  • Author
    Posts
  • #24849

    Schneider
    Participant

    Hi,

    since two weeks I face heavy attacks on one of my blogs. This is a sample entry from the security log:
    Unfortunately the IP is not blocked (there are a few others as well). I have to manually block the IP and one of them has more than 30.000 blocked accesses. I have also Wordfence installed and perform the blocking of IPs there. Could there be a conflict between BPS Pro and Wordfence that prevents the blocking of the IP by BPS Pro? I have enabled login security after 10 failed attempts and it seems that the above attempt is a login attempt. How can I configure BPS to automatically block the IP of the attacker?

    [403 GET / HEAD Request: 7. September 2015 - 13:20]
    Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
    Solution: N/A - Hacker/Spammer Blocked/Forbidden
    REMOTE_ADDR: 212.38.162.92
    Host Name: 212.38.162.92
    SERVER_PROTOCOL: HTTP/1.0
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER:
    REQUEST_URI: /wp-login.php
    QUERY_STRING:
    HTTP_USER_AGENT:

    Thanks
    Alex

    #24850

    Schneider
    Participant

    Ok, I found this and will block the HTTP/1.0 connects: http://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

    This topic can be closed. Thanks.

    #24854

    AITpro Admin
    Keymaster

    Blocking by IP addresses is the worst possible approach you can do.  It is time consuming, not really effective and will cause excessive server resource usage and slow down your website performance if you have large numbers of blocked IP addresses, such as blocking by Country.  The reason blocking IP addresses is not effective is because hacker/spammer payload delivery systems that send out hackerbots/spambots have the automated capability of switching IP addresses on the fly.  If you block an IP address or a range of IP addresses (CIDR blocks) then the hacker/spammer payload delivery system automatically switches to different IP addresses/IP address ranges.  So even automating IP blocking is a waste of time.

    In general, BPS uses a “bad action” approach to blocking hackerbots and spambots.  Example:  If badbot X performs bad action Y on/at your website then bad action Y is blocked.  By blocking the bad action itself there is no need to check or block by IP addresses.

    BPS Pro has JTC Anti-Spam|Anti-Hacker, which blocks 100% of all bots.  Since the Security Log entry shows that the bot was already blocked then you can add additional Bonus Custom Code to BPS Custom Code, but usually using/turning on JTC is all you need to do.  The optimum approach|method when dealing with IP addresses is whitelisting vs blacklisting.  Example:  The BPS Pro Plugin Firewall whitelists (allows) only your IP address to access any plugin files in the WordPress /plugins/ folder.  The same principle should always be used anywhere else.  Your IP address is known and can be whitelisted with very little code and effort vs trying to block|blacklist millions of unknown IP addresses.

    References|Validation:
    We spent months researching blocking by IP addresses a few years ago:  http://forum.ait-pro.com/forums/topic/buddypress-spam-registration-buddypress-anti-spam-registration/  We found that blocking by IP addresses was completely ineffective and a waste of time.  The end result of those months of research was the creation of JTC Anti-Spam|Anti-Hacker, which is 100% effective at blocking automated hackerbots and spambots because it uses a “bad action” approach to blocking badbots instead of blocking by IP addresses.

    Comments made by other people around the Internet that have discovered or know that blocking by IP addresses is a completely ineffective method and a waste of time.

    http://resources.distilnetworks.com/h/i/53822131-blocking-an-ip-doesn-t-really-block-a-bot/181642

    Before becoming a co-founder of Distil Networks, my background was in writing bots that scraped web pages. Every day I was deploying new bots that logged into websites, scraped their data and dumped it all in my local database. None of this was actually done for malicious reasons, but I was still launching 10,000+ requests an hour at a server that probably didn’t get that many requests a day.

    Eventually, they blocked my IP. The hours of work I spent writing the perfect scraper went down the drain…

    Until I took 10 seconds and changed my IP. After that I was back to scraping.

    _______________
    http://stackoverflow.com/a/2101977/689226

    Generally, trying to ban behavior is better than trying to ban users. First, for technical reasons: behavior patterns can often be detected (e.g. you can ban words).

    _______________

    It seems pointless to try to block a list of IPs. The bot networks that are involved are using hundreds if not thousands of hijacked systems all with different IPs. If you block one IP they just switch to another one. There was a period of time I was getting hit by 10 to 20 different IPs per hour. When I blocked them there would be a new set that hit me the next hour. These were password dictionary attacks but I don’t see any reason that attacks that target vulnerabilities would be any different

    x

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.