
Looking to stop microsoft azure bots

Comments

19 comments

  • cPRex Jurassic Moderator
    Hey hey! It seems there isn't going to be a list of IPs available, as Microsoft says this: "Bot Framework Services is hosted in Azure data centers world-wide and the list of Azure IPs is constantly changing. That means allow-listing certain IP addresses may work one day and break the next as the Azure IP Addresses change." but just above that section on the same page they do publish a list of hostnames that are allowed. You could use that list to block traffic instead:
    0
  • jeffschips
    So in essence you are suggesting that I take the list of Microsoft approved bot hosts and then ask csf to deny bots hitting my server originating from that list of domains, correct?
    0
  • ejsolutions
    Caution: AFAIK csf.dyndns is intended to IGNORE dynamic IP addresses, not to DENY! I use it to map my home ISP-derived IP, so that I don't inadvertently lock myself out of a server. (In theory, there's no reason why csf.dyndns couldn't/shouldn't be made available for other purposes, though I suspect this isn't coded in CSF. You'd be best to confirm with WayToTheWeb and perhaps place a feature request.)
    0
  • jeffschips
    Hi ejsolutions that script is very useful. It seems to break right after here though:

        # Add in new IP ranges, as a group in the blocklists
        sed -i 's/#AZUREIP/AZUREIP/g' /etc/csf/csf.blocklists
        # Activate the new list
        /usr/sbin/csf -r

    It's not inserting the azure-ip.txt into the csf.blocklists. I can confirm that azure-ip.txt is being created though in /usr/local/apache/htdocs. Maybe something to do with paths?
    0
  • jeffschips
    I also noticed a warning in the csf.blocklists.new file:

        # If you want to redownload a blocklist you must first delete
        # /var/lib/csf/csf.block.NAME and then restart csf and then lfd

    Wonder if that is important...
    0
  • ejsolutions
    It's not inserting the azure-ip.txt into the csf.blocklists

    What it's supposed to do is remove the prefixed # (comment) from the line in csf.blocklists. Look carefully at your shell script in case your copy & paste got screwed up - quotation marks get changed by many editors, for example. Did you remember the first step?

    Edit /etc/csf/csf.blocklists and add to the bottom, changing the FQDN hostname:

        AZUREIP|86400|0|
        # Contabo
        # CONTABO|86400|0|
        # AWSIP|86400|0|
        AZUREIP|86400|0|
    0
  • jeffschips
    Hello @ejsolutions Your suggestions look spot-on. I'll implement them and report back. Thanks so much.
    0
  • ejsolutions
    I should've stated the obvious?: Change your.whmserver.tld and/or mywhm.server.com to match your own server hostname. To test operation, manually run /root/azure-ip.sh to initially update the list.
    0
  • jeffschips
    Thank you @ejsolutions this works! Mission accomplished! SOLVED
    0
  • ejsolutions
    @jeffschips ( @cPRex ) ** WARNING ** Utilising this method will block email to/from outlook.com. MS in their eternal wisdom appears to use their own customer Azure network for core functions - eejits!
    0
  • jeffschips
    Yikes-er-roni!
    0
  • ejsolutions
    Note that the script works as expected, based on their (MS) own publicly available Azure IPs. If there's a list of IPs that outlook.com email servers use, then that'd be handy - would I whitelist 'em though? :rolleyes: This problem is not exclusive to Microsoft; many service providers, such as CSF, Let's Encrypt, etc. use mirrors on well-known port scanning/hacking attempt networks, such as Hetzner, Contabo and Digital Ocean. Bad decisions, IMHO. I do wonder how much bandwidth usage and processing power would be reduced, if these rogue network packets were blocked at source, as they should be. The instigators could get jailed too! /rant.
    0
  • xpy-xpy
    Found this thread after trying to stop a bot attack coming from AWS IPs. Can confirm that it is not just Azure. Blocking AWS ranges turned out to be a bad idea too. LiteSpeed plugin was the first thing to break immediately, before I stopped the experiment.
    0
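A pre-flight check for the side effect reported in the posts above (blocking a cloud provider's ranges also cut off outlook.com mail and a LiteSpeed plugin), added here as an example and not part of the thread or of ejsolutions' script. It assumes the generated azure-ip.txt holds one IP or CIDR per line; the sample ranges, dependency addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the one-entry-per-line layout assumed for azure-ip.txt
# (documentation ranges, not real Azure prefixes).
SAMPLE_BLOCKLIST = """\
# generated list (constructed)
192.0.2.0/24
198.51.100.128/25
2001:db8:10::/48
not-an-ip
"""

# Constructed addresses of services this server must keep reaching.
SAMPLE_DEPENDENCIES = {
    "customer mail relay": ["198.51.100.200", "2001:db8:10::25"],
    "plugin licence server": ["203.0.113.10"],
}


def parse_blocklist(text):
    """Return the networks in a blocklist, skipping comments and junk lines."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # neither an IP nor a CIDR range
    return nets


def find_collisions(nets, dependencies):
    """Map each dependency label to the (address, range) pairs that would be blocked."""
    hits = {}
    for label, addrs in dependencies.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            match = next((n for n in nets if n.version == ip.version and ip in n), None)
            if match is not None:
                hits.setdefault(label, []).append((addr, str(match)))
    return hits


if __name__ == "__main__":
    blocked = find_collisions(parse_blocklist(SAMPLE_BLOCKLIST), SAMPLE_DEPENDENCIES)
    for label, pairs in blocked.items():
        for addr, net in pairs:
            print(f"WOULD BLOCK {label}: {addr} is inside {net}")
    raise SystemExit(1 if blocked else 0)
```

Run against the real list and the resolved addresses of your mail peers and update servers before `/usr/sbin/csf -r`, and hold the activation when it exits non-zero.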
  • the one
    Trying to stop the onslaught of Microsoft Azure bots. I have a script that stops the Amazon ones in csf but can't find one for the Microsoft flavor. Also wondering if there is a third party provider that does this for the Microsoft bots integrated into mod_security. Any advice appreciated.

    Could you please share the Amazon script with me please :) I will then add it to the csf blocklist. The bots are flooding my forum. Many thanks
    0
  • ejsolutions
    Could you please share the Amazon script with me please

    Did you actually read the rest of the (now old) thread?! Show an example of one of the entries that you are seeing, then perhaps someone will supply an appropriate mod_security rule.
    0
  • the one
    Hi, sorry, this is it below:
    ec2-47-128-19-213.ap-southeast-1.compute.amazonaws.com
    Kind regards, Malcolm.
    0
  • itworksconsulting
    Use htaccess for stopping Microsoft bot. Let me know if you want. Thanks, Partha
    0
  • the one
    Use htaccess for stopping Microsoft bot. Let me know if you want. Thanks, Partha

    Yes please, anything to stop these Amazon AWS bots. Many thanks
    0
