Auto block IP address based on page visit
Hi there,
I was wondering if there is a configuration mechanism to auto block IP addresses of visitors who visit pages with some criteria.
For example, block the IP address if they visit a page like /wp-admin.php.
I don't have WordPress installed, so this user could be a potential hacker.
Many thanks
Otto
If you have CSF installed you can enable 404 error blocking which would accomplish what you are describing.
Hi GOT, I do actually have CSF. There is indeed the option of LF_APACHE_404 which sounds good. I'll try this for now and see how it goes. Thanks so much for the info. P.S. You helped me the previous time I wanted some help.
If you have CSF installed you can enable 404 error blocking which would accomplish what you are describing.
The problem with that is that something silly like a missing image could also trigger a 404. I was getting tons of 404s on a client's site, and the reason was a missing down arrow image in a menu. OP's idea isn't too different than what I've been working on in this thread:
Hi Richard, Very interesting read the thread you posted. Thanks so much, I will have another think and perhaps change decision. thanks Otto
Hi Richard, Very interesting read the thread you posted. Thanks so much, I will have another think and perhaps change decision. thanks Otto
Thank you, Otto. I'm currently working on another script to report other attacks (ssh, etc.). It works off csf's BLOCK_REPORT feature. It's working experimentally, but it's not ready to go live yet. Richard
Hi there, I was wondering if there is a configuration mechanism to auto block IP addresses of visitors who visit pages with some criteria. For example block IP address if they visit a page like /wp-admin.php I don't have wordpress installed so this user could be a potential hacker. many thanks Otto
You could also just lock down that page to a specific IP or set of IP addresses, that way you wouldn't need to worry about whether or not they do access the page.
Okay, this is experimental and admittedly unpolished, but it does work:
[PHP]
<?php
$ip = $_SERVER['REMOTE_ADDR']; // address of the client that requested this page
//$ip = "127.0.0.2"; // for testing
$timeNow = time();
$fresh = time() - 900; // look back 15 minutes for an earlier report of this IP
$domain = "yourdomain.com";
$currentDateTime = date("M d, Y h:i:s a");
$comment = "Hit on CMS login honeypot"; // for AbuseIPDB Report and database entry
$categories = "21"; // for AbuseIPDB Report

$con = mysqli_connect("localhost", "prefix_abuse-reporter", "{password}", "prefix_abuse-reports");
if (!$con) {
    die('Could not connect: ' . mysqli_connect_error());
}

// sanitize before any value is placed in a query
$timeNow = mysqli_real_escape_string($con, $timeNow);
$ip = mysqli_real_escape_string($con, $ip);
$domain = mysqli_real_escape_string($con, $domain);
$currentDateTime = mysqli_real_escape_string($con, $currentDateTime);
$commentSql = mysqli_real_escape_string($con, $comment);

// has this IP already been reported within the last 15 minutes?
$result = mysqli_query($con, "SELECT * FROM reports WHERE (ip4 LIKE '$ip' AND time >= '$fresh')");
$row = mysqli_fetch_array($result);
$reportDate = $row['datetime'] ?? null;

if (empty($reportDate)) {
    // insert to db
    mysqli_select_db($con, "prefix_abuse-reports");
    $sql = "INSERT INTO reports (datetime, time, ip4, domain, comment) VALUES ('$currentDateTime','$timeNow','$ip','$domain','$commentSql')";
    if (!mysqli_query($con, $sql)) {
        echo("Error description: " . mysqli_error($con));
    }

    // report the hit to AbuseIPDB
    $data = array(
        "ip" => $ip,
        "categories" => $categories,
        "comment" => $comment
    );
    $headers = array('Key: {Your AbuseIPDB API key goes here, without the brackets}', 'Accept: application/json');
    $ch = curl_init("https://api.abuseipdb.com/api/v2/report");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // Set to 0 for testing to display response from AbuseIPDB
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    $output = curl_exec($ch);
    curl_close($ch);
}

// always answer the visitor with the 401 page
include("401.php");
die;
?>
[/PHP]
There's a bit more information about it
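The distinction raised in this thread, between blocking on any 404 and blocking only on requests for decoy paths such as /wp-admin.php, as an added example that is not code from any poster: it scans Apache combined-format log lines and returns only the IPs that asked for a decoy path, so a missing image never counts. The decoy path list, the allowlist, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed decoy paths: URLs that do not exist on this site (no WordPress here).
DECOY_PATHS = {"/wp-admin.php", "/wp-login.php", "/xmlrpc.php"}
# Assumed allowlist of networks that must never be blocked (e.g. own monitoring).
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/28")]
# Apache combined format: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def decoy_hits(lines):
    """Count decoy-path requests per client IP; other 404s are ignored."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        client, _method, target, _status = m.groups()
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # hostname or junk in the client field
        if any(addr in net for net in ALLOWLIST):
            continue
        # Match on the path, not the status: a honeypot page may answer 401 or 200.
        path = target.split("?", 1)[0].lower()
        if path in DECOY_PATHS:
            hits[str(addr)] += 1
    return hits

def block_candidates(lines, threshold=1):
    """IPs with at least `threshold` decoy hits, sorted for stable output."""
    return sorted(ip for ip, n in decoy_hits(lines).items() if n >= threshold)

# Constructed sample log lines (documentation address ranges).
T = "[10/Mar/2024:10:00:01 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T} "GET /wp-admin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    f'198.51.100.23 - - {T} "GET /images/down-arrow.png HTTP/1.1" 404 196 "-" "-"',
    f'203.0.113.9 - - {T} "POST /WP-Login.php?redirect_to=/ HTTP/1.1" 404 196 "-" "-"',
    f'192.0.2.5 - - {T} "GET /wp-admin.php HTTP/1.1" 404 196 "-" "monitor"',
    f'198.51.100.40 - - {T} "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    for ip in block_candidates(SAMPLE):
        print(f"csf -d {ip} decoy path hit")  # csf's manual deny command
```

The printed `csf -d` lines are meant to be reviewed before being run; raising `threshold` requires repeated decoy hits before an address is listed.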