This topic is now archived and is closed to further replies.

Mort-lemur

Best Way to Ban IP

I have just been looking through my cpanel error log and noticed that something had been "sniffing" around the site by the following error codes:

File does not exist: /home/username/public_html/shop

There are also errors where they tried to find forum, administrator, test, site, joomla, shop, etc.

 

I know that IP banning is not the total solution to things like this but I'm sure it would help. My question is: is there a simple way to create a rule that bans the IP address if a certain file or files is searched for?

 

Many Thanks


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


A very simple one (not directory specific):

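<?php
// Addresses to turn away. in_array() compares the whole REMOTE_ADDR string,
// so replace these placeholders with complete IP addresses.
$deny = array("111.111.111", "222.222.222", "333.333.333");
if (in_array($_SERVER['REMOTE_ADDR'], $deny, true)) {
   // Redirect the banned client elsewhere and stop processing the page
   header("Location: http://www.google.com/");
   exit();
}
?>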


There are many addons, see

 

http://addons.oscommerce.com/info/7509/v,22

http://addons.oscommerce.com/info/5914

http://addons.oscommerce.com/info/5276

http://addons.oscommerce.com/info/6066

 

There are many more. The only one I have ever used is the IP trap one, and it did what it was supposed to.


REMEMBER BACKUP, BACKUP AND BACKUP

Get the latest Responsive osCommerce CE (community edition) here

It's very easy to over complicate what are simple things in life


Banning by IP address is best done in .htaccess with DENY entries. It's the highest in the "food chain" that you can go, and the least negative impact on server performance. If an address is poking around doing suspicious things, what's the problem with totally banning them? They're trying to break your site. Don't give them any outs.

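An added example, not part of any post in this thread: one way to turn the "File does not exist" entries from the question into the .htaccess deny entries suggested above. The log lines are constructed (documentation-range addresses), and the threshold of two distinct probe names is an assumption chosen so that a single broken link or missing image does not produce a ban.

```python
import re

# Constructed sample lines in the Apache 2.2 and 2.4 error-log layouts;
# client addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
[Sat Mar 02 10:15:01 2013] [error] [client 203.0.113.7] File does not exist: /home/username/public_html/shop
[Sat Mar 02 10:15:02 2013] [error] [client 203.0.113.7] File does not exist: /home/username/public_html/forum
[Sat Mar 02 10:15:03 2013] [error] [client 203.0.113.7] File does not exist: /home/username/public_html/administrator
[Sat Mar 02 10:20:44 2013] [error] [client 198.51.100.23] File does not exist: /home/username/public_html/images/paypal_logo.gif
[Sat Mar 02 11:02:10.120331 2013] [core:info] [pid 411] [client 192.0.2.55:40112] AH00128: File does not exist: /home/username/public_html/joomla
[Sat Mar 02 11:05:19 2013] [error] [client 198.51.100.23] File does not exist: /home/username/public_html/test
"""

DOCROOT = "/home/username/public_html"  # path as shown in the question
PROBE_NAMES = {"forum", "administrator", "test", "site", "joomla", "shop"}

# IPv4 client (optional :port in the 2.4 layout), then the missing path.
LINE_RE = re.compile(
    r"\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\].*?"
    r"File does not exist: (\S+)"
)

def probe_counts(log_text, docroot=DOCROOT, names=PROBE_NAMES):
    """Per client IP, count the distinct probe directories it asked for."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, path = m.groups()
        if not path.startswith(docroot + "/"):
            continue
        # First path component below the document root, e.g. "shop"
        first = path[len(docroot) + 1:].split("/", 1)[0].lower()
        if first in names:
            seen.setdefault(ip, set()).add(first)
    return {ip: len(hits) for ip, hits in seen.items()}

def deny_lines(log_text, threshold=2):
    """'deny from' lines for IPs that probed at least `threshold` names."""
    counts = probe_counts(log_text)
    return [f"deny from {ip}" for ip in sorted(counts) if counts[ip] >= threshold]

if __name__ == "__main__":
    print("\n".join(deny_lines(SAMPLE_LOG)))
```

The request for a missing image under /images/ is ignored because only the first path component is compared against the probe names.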

@@Mort-lemur If the locations you want to ban are not to be seen by anyone, then you can use something like this in the .htaccess file

RewriteCond %{REQUEST_URI} "/forum" [OR]
RewriteCond %{REQUEST_URI} "/test"
RewriteRule ^(.*)$ http://127.0.0.1 [L]

You can add as many conditions as you like. 


These days, if you are banning IPs, you will find after a month or so that you have a very large list of IPs in .htaccess. Mass spam-styled attackers regularly update their extensive proxy lists with new IP addresses, so the chances of them hitting your site multiple times with the same IP list are low. Also, Apache already sends a fairly low-resource 404 "file not found" header anyway if a file does not exist, so there is little real advantage in banning an IP other than the aesthetic sense that you have taken action.

 

My general approach is to 403 ban any malicious requests targeted at the actual site code, i.e. index.php (even if it's a blind exploit request for another CMS), and just let the webserver deal with the masses of other blind exploit requests to files that do not exist, using as little server resources as possible.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


@@Mort-lemur If the locations you want to ban are not to be seen by anyone, then you can use something like this in the .htaccess file

RewriteCond %{REQUEST_URI} "/forum" [OR]
RewriteCond %{REQUEST_URI} "/test"
RewriteRule ^(.*)$ http://127.0.0.1 [L]

You can add as many conditions as you like. 

 

Another end game is

RewriteRule ^.* - [F,L]

SetEnvIf Request_URI would also be another way to address this.

 

Example:

SetEnvIfNoCase Request_URI "/shop/$" badrequest
SetEnvIfNoCase Request_URI "/forum/$" badrequest
SetEnvIfNoCase Request_URI "/administrator/$" badrequest

order allow,deny
allow from all
deny from env=badrequest


@@14steve14 @@Jack_mcs @@Taipo Thank you all for the suggestions, I have elected to try out IP Trap

 

Seems to be working well so far - never realised what a load of rubbish requests were aimed at sites until I checked the logs today.......

 

And it also helped me correct a couple of errors I was not aware of (missing logo images for payment systems etc)



Update: I have uninstalled the ip trap, for two main reasons:

 

1) as mentioned by @@Taipo the logs were rapidly filling up (16 pages MINIMUM of 404 errors per day!) and it was becoming a chore to delete them one by one

 

2) The mod was giving some unpredictable results, especially with respect to the Who's Online screen, and some customers had complained they were seeing "strange error pages"

 

So I will probably revert to letting the server handle the 404 requests with a couple of .htaccess entries as above by @@Jack_mcs and @@Taipo for some of the more frequently occurring "dodgy" requests.



You may want to look at View Counter. You can see such connections and ban them via admin so it can save you some work.


@@wHiTeHaT That method is included in View Counter and, I think, the IP Block addon. But you need to be careful with it because the search engines don't always honor those rules. When I was developing View Counter, I had many hits on the trap directory from Bing. I contacted them about it and, at first, they said I was mistaken. But then they ran a test and acknowledged it. If someone is going to use that method, I suggest changing the code so that it doesn't automatically block and sends an email to you instead so you can decide, or create a list of known good bots so that they are skipped. The latter can be difficult because the search engines use many different agent names, though they are knowable.

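An added example, not code from View Counter or any addon named in this thread: a sketch of the trap decision suggested above, where a hit is never blocked automatically and known good bots are skipped. Instead of matching agent names it swaps in forward-confirmed reverse DNS; the suffix list is an assumption to check against each search engine's own documentation, and the DNS tables are constructed so the block runs offline.

```python
import socket

# Assumption: reverse-DNS suffixes Google and Bing publish for their crawlers.
CRAWLER_SUFFIXES = (".googlebot.com", ".google.com", ".search.msn.com")

def _reverse(ip):
    """PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def _forward(host):
    """Set of IPv4 addresses the host name resolves to."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()

def is_verified_crawler(ip, reverse=_reverse, forward=_forward):
    """The PTR name must end in a crawler suffix and resolve back to the
    same IP; a PTR record alone is set by whoever controls the address."""
    host = reverse(ip)
    if not host or not host.lower().rstrip(".").endswith(CRAWLER_SUFFIXES):
        return False
    return ip in forward(host)

def handle_trap_hit(ip, reverse=_reverse, forward=_forward):
    """Return 'skip' for a verified crawler, otherwise 'review' (notify the
    owner to decide). Nothing is blocked automatically."""
    return "skip" if is_verified_crawler(ip, reverse, forward) else "review"

# Constructed DNS tables so the demo runs offline (RFC 5737 addresses).
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "192.0.2.20": "crawl-192-0-2-20.googlebot.com",
       "192.0.2.30": "host.example.net"}
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
     "crawl-192-0-2-20.googlebot.com": {"203.0.113.9"}}

def demo():
    """Run the three constructed clients through the decision."""
    return {ip: handle_trap_hit(ip, PTR.get, lambda h: A.get(h, set()))
            for ip in PTR}

if __name__ == "__main__":
    print(demo())
```

The second constructed client has a crawler-looking PTR name that does not resolve back to its own address, so it lands in the review queue rather than being skipped.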

I did read it. It has been around for years, or one like it. The script does a whois search to see if it is a search engine and then bans it. But it will ban all of them. Later in the article it says you can whitelist the ones you don't want banned, which is what I stated in my reply.
