This is a discussion on Banning IP's on the fly.... in the Shared & Semi-Dedicated forum

  1. #1
    JPC Senior Member (Join Date: Oct 2003; Location: Alaska; Posts: 82)

    Banning IP's on the fly....

    Hey...

    I have it set up on my site so if an error happens it emails me the error and the IP address of the person requesting the page. I've been getting a lot of the same errors over and over and over again of people trying to find web apps with holes (coppermine theme exploit for example).

    I am wondering if there is a way to ban their IP's on the fly via .htaccess? So if they try to find the coppermine exploit and the error page pops up, it bans their IP. I have searched the forums and will continue to look, but any help would be awesome.

    Thanks guys and gals.
    "Play the best song in the world, or I'll eat your soul."
    I am a D fan in the arctic wastes of Alaska.

  2. #2
    || $name ne 'R.Stiltskin' (Join Date: Jun 2003; Location: Tejas; Posts: 2,438)
    I'm not sure that's a practical solution. Since so many hack attempts float all over the web, picking out each suspect IP will cause your .htaccess file to grow ridiculously long, not to mention the risk of continually having your main server configuration file automatically re-edited and the potential for an error in its recreation such that your entire site goes down.

    I usually end up using mod_rewrite with some regex rule to detect patterns that get repeated. For example, if you have a GET that includes what looks like a long command-line sequence with the word "echo" in it, set up a rewrite condition/rule to redirect the GET, send them an artificial response header, or just tell 'em the resource is "Gone".

    Try posting the specific exploit GET and we'll try to make a rule for you to stop them from having any impact. It's not perfect since new exploits circulate regularly, but when there's an intolerable level of annoyance, then create a rule. When the level of "attack" subsides, then comment the rule out and reuse as necessary.

    Another thing to do is have an email template ready to report the offending IP to the node's network admin/abuse address. I probably do this once a month if the exploit happens from the same IP more than twice. Just notify them that they appear to have a compromised server and that they might be interested in knowing about it. Offer to send logs to them as documentation (selectively edit to restrict what they don't need to know about your system first) too. It might have some impact since there are good admins out there who frown upon having a compromised computer in their midst. All domains are required (technically) to maintain an abuse@domain.com email addy.

  3. #3
    Gwaihir, the Windlord (Join Date: Jun 2002; Posts: 2,562)
    I have doubts about this strategy as well, mainly because I fear it itself needs a new security hole: if you're going to write your .htaccess automatically (at least from PHP), it will need to be world-writable. That does not sound like a good idea.

    I'm not sure it is a problem length-wise. That is: I take it you plan on making each ban temporary anyway? Otherwise you'll have a lot of work with ISPs using dynamic IPs too. I.e. the same IP doesn't always belong to the same (offending) person.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  4. #4
    Jag Veteran (Join Date: Sep 2002; Posts: 650)
    Dynamic IP ban is definitely doable and I think it might be a very effective tool to mitigate certain attacks.

    Some novice 'hackers' (or should I say bored kids) might scan your site for all known vulnerabilities, and therefore setting mod_rewrite rules on a per-vulnerability basis requires you to keep an eye on all new security advisories.

    IP ban, on the other hand, can be used to block bad guests altogether. This idea was implemented, for example, in Progressive IP Blocking.

    There is of course a drawback: even small implementation mistakes might make your site vulnerable to Denial of Service attacks or worse.

  5. #5
    JPC Senior Member (Join Date: Oct 2003; Location: Alaska; Posts: 82)
    Thanks for the replies. The main reason I wanted to look into this, is because it's the same "attacks" over and over again, but from different IP's. I guess IP banning on that scale would get quite large. The IP's come back as being from Asia, so I guess I will see how it goes if I email their host. I have a feeling the IP's are spoofed.
    "Play the best song in the world, or I'll eat your soul."
    I am a D fan in the arctic wastes of Alaska.

  6. #6
    Jag Veteran (Join Date: Sep 2002; Posts: 650)
    I wonder what your site's target audience is, then.

    We mainly host e-commerce sites and most of them do not allow international orders. That's why we routinely block class-C and class-B ranges allocated for some Asian countries.

  7. #7
    Gwaihir, the Windlord (Join Date: Jun 2002; Posts: 2,562)
    Quote Originally Posted by kornmonkie:
    "I have a feeling the IP's are spoofed."
    Hmm.. I read that a lot, but AFAIK it rarely happens: spoofing IPs is by no means a simple thing to do, nor does it generally do one any good as it means the communication is 100% one way (as all replies go to the real owner of the IP used).

    Far more likely that the IPs are from compromised machines: computers that are in some way hacked and usable by someone for purposes their owners never meant them for. If it is not too much trouble, do indeed send abuse complaints by e-mail. Any decent hosting company and a fair percentage of ISPs will take action against that sort of thing.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store

  8. #8
    Jag Veteran (Join Date: Sep 2002; Posts: 650)
    Quote Originally Posted by Gwaihir:
    "Hmm.. I read that a lot, but AFAIK it rarely happens: spoofing IPs is by no means a simple thing to do, nor does it generally do one any good as it means the communication is 100% one way (as all replies go to the real owner of the IP used)."
    There is "privacy protection" software available which will make your HTTP requests look like they are coming from different IPs.
    I just googled for "faked IP address" and found these tools: http://www.snipeomatic.com/ , http://www.netconceal.com/hide_IP_address.php.
