Looking to stop Microsoft Azure bots
Trying to stop the onslaught of Microsoft Azure bots. I have a script that stops the Amazon ones in csf but can't find one for the Microsoft flavor. Also wondering if there is a third party provider that does this for the Microsoft bots integrated into mod_security.
Any advice appreciated.
Hey hey! It seems there isn't going to be a list of IPs available, as Microsoft says this: "Bot Framework Services is hosted in Azure data centers world-wide and the list of Azure IPs is constantly changing. That means allow-listing certain IP addresses may work one day and break the next as the Azure IP Addresses change." but just above that section on the same page they do publish a list of hostnames that are allowed. You could use that list to block traffic instead: 0 -
So in essence you are suggesting that I take the list of Microsoft approved bot hosts and then ask csf to deny bots hitting my server originating from that list of domains, correct? 0 -
Caution: AFAIK csf.dyndns is intended to IGNORE dynamic IP addresses, not to DENY! I use it to map my home ISP-derived IP, so that I don't inadvertently lock myself out of a server. (In theory, there's no reason why csf.dyndns couldn't/shouldn't be made available for other purposes, though I suspect this isn't coded in CSF. You'd be best to confirm with WayToTheWeb and perhaps place a feature request.) 0 -
This looks to be a better resource and may inspire me to 'play' a little:
    $dir/azure-ip.txt
    # Reactivate IP ranges, as a group in the blocklists
    sed -i 's/#AZUREIP/AZUREIP/g' /etc/csf/csf.blocklists
    # Activate the new list
    /usr/sbin/csf -r
Step 3. Finally, run "crontab -e" and add a weekly task, for example:
    28 1 * * 1 /root/azure-ip.sh > /dev/null 2>&1
You can also access this generated list from other WHM servers by adding the same entry to /etc/csf/csf.blocklists. Hope that's useful. 0 -
Hi ejsolutions, that script is very useful. It seems to break right after here though:
    # Add in new IP ranges, as a group in the blocklists
    sed -i 's/#AZUREIP/AZUREIP/g' /etc/csf/csf.blocklists
    # Activate the new list
    /usr/sbin/csf -r
It's not inserting the azure-ip.txt into the csf.blocklists. I can confirm that azure-ip.txt is being created though in /usr/local/apache/htdocs. Maybe something to do with paths? 0 -
I also noticed a warning in the csf.blocklists.new file:
    # If you want to redownload a blocklist you must first delete
    # /var/lib/csf/csf.block.NAME and then restart csf and then lfd
Wonder if that is important... 0 -
It's not inserting the azure-ip.txt into the csf.blocklists
What it's supposed to do is remove the prefixed # (comment) from the line in csf.blocklists. Look carefully at your shell script in case your copy & paste got screwed up - quotation marks get changed by many editors, for example. Did you remember the first step?
Edit /etc/csf/csf.blocklists and add to the bottom (changing the FQDN hostname):
    AZUREIP|86400|0|
    # Contabo
    # CONTABO|86400|0|
    # AWSIP|86400|0|
    AZUREIP|86400|0|
0 -
Hello @ejsolutions Your suggestions look spot-on. I'll implement them and report back. Thanks so much. 0 -
I should've stated the obvious?: Change your.whmserver.tld and/or mywhm.server.com to match your own server hostname. To test operation, manually run /root/azure-ip.sh to initially update the list. 0 -
Thank you @ejsolutions this works! Mission accomplished! SOLVED 0 -
@jeffschips ( @cPRex ) ** WARNING ** Utilising this method will block email to/from outlook.com. MS in their eternal wisdom appears to use their own customer Azure network for core functions - eejits! 0 -
Yikes-er-roni! 0 -
Note that the script works as expected, based on their (MS) own publicly available Azure IPs. If there's a list of IPs that outlook.com email servers use, then that'd be handy - would I whitelist 'em though? :rolleyes: This problem is not exclusive to Microsoft; many service providers, such as CSF, Let's Encrypt, etc. use mirrors on well-known port scanning/hacking attempt networks, such as Hetzner, Contabo and Digital Ocean. Bad decisions, IMHO. I do wonder how much bandwidth usage and processing power would be reduced, if these rogue network packets were blocked at source, as they should be. The instigators could get jailed too! /rant. 0 -
Found this thread after trying to stop a bot attack coming from AWS IPs. Can confirm that it is not just Azure. Blocking AWS ranges turned out to be a bad idea too. LiteSpeed plugin was the first thing to break immediately, before I stopped the experiment. 0 -
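A sketch of the safeguard that the outlook.com warning and the AWS/LiteSpeed report above point to, added here and not taken from any poster's script: before a downloaded cloud range list is handed to csf.blocklists, subtract the ranges that must stay reachable and report every collision. All ranges, list contents and function names below are constructed for illustration.

```python
import ipaddress

def load_ranges(text):
    """Parse one IP or CIDR per line; blanks and # comments are skipped."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [ipaddress.ip_network(e, strict=False) for e in entries if e]

def carve_out(block, keep):
    """Return (remaining, overlaps): block minus keep, and colliding pairs."""
    remaining, overlaps = [], []
    for net in block:
        pending = [net]
        for k in (k for k in keep if k.version == net.version):
            next_pending = []
            for p in pending:
                if k.supernet_of(p):        # keep range covers p: drop p
                    hit = True
                elif p.supernet_of(k):      # keep range inside p: split p
                    hit = True
                    next_pending.extend(p.address_exclude(k))
                else:                       # disjoint: p is untouched
                    hit = False
                    next_pending.append(p)
                if hit and (net, k) not in overlaps:
                    overlaps.append((net, k))
            pending = next_pending
        remaining.extend(pending)
    remaining.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return remaining, overlaps

# Constructed sample data: documentation ranges, not real Azure or mail ranges.
BLOCK_LIST = """
198.51.100.0/24
203.0.113.8/29
2001:db8::/32
"""
KEEP_LIST = """
198.51.100.64/26   # hypothetical: mail servers you exchange mail with
203.0.113.0/24     # hypothetical: a service your server depends on
192.0.2.10         # outside the block list, so it changes nothing
"""

def build_blocklist(block_text=BLOCK_LIST, keep_text=KEEP_LIST):
    remaining, overlaps = carve_out(load_ranges(block_text), load_ranges(keep_text))
    return [str(n) for n in remaining], [(f"{b}", f"{k}") for b, k in overlaps]

if __name__ == "__main__":
    ranges, hits = build_blocklist()
    print("\n".join(f"# {b} overlaps allowed range {k}" for b, k in hits))
    print("\n".join(ranges))
```

The first list returned is what would be published as the blocklist file; the second is the set of collisions to review before reloading csf.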
Trying to stop the onslaught of Microsoft Azure bots. I have a script that stops the Amazon ones in csf but can't find one for the Microsoft flavor. Also wondering if there is a third party provider that does this for the Microsoft bots integrated into mod_security. Any advice appreciated.
Could you please share the Amazon script with me please :) I will then add it to the csf blocklist. The bots are flooding my forum. Many thanks. 0 -
Could you please share the amazon script with me please
Did you actually read the rest of the (now old) thread?! Show an example of one of the entries that you are seeing, then perhaps someone will supply an appropriate mod_security rule. 0 -
Hi, Sorry this is it below ec2-47-128-19-213.ap-southeast-1.compute.amazonaws.com Kind regards Malcolm. 0 -
Use htaccess for stopping Microsoft bot. Let me know if you want. Thanks, Partha 0 -
Use htaccess for stopping Microsoft bot. Let me know if you want. Thanks, Partha
Yes please, anything to stop these Amazon AWS bots. Many thanks. 0