Help stop hacker permanently with Fail2Ban

Interesting stuff, @RJM_Web_Design! I’ve thought about trying AbuseIPDB’s API with Fail2ban but I’m too chicken because F2b is already heavy enough on a small VPS. Sometimes I manually report IPs to AbuseIPDB (if you ever see ‘Anonymous’ laced with vulgarities, that’s me) but that gets to be heavy too. Someday I’d like to get around to something like CSF.


The resources used by my reporting scripts don’t noticeably increase server load. I tend to underload my servers, though, so that might be part of the reason.

I do the reports to AbuseIPDB in real-time except when the IP was reported by one of the servers in the past 15 minutes. All of the servers contribute to the same shared database, so it’s easy to check whether any of them have reported the IP within the past 15 minutes:

// check database for ip report in the past 15 minutes
$fresh = time() - 900;
$con = mysqli_connect("localhost", "[db user]", "[password]", "[db name]");
if (!$con) { die('Could not connect: ' . mysqli_connect_error()); }
// bind $ip and $fresh as parameters instead of interpolating them into the SQL
// (an attacker controls the source IP string only indirectly, but the honeypot
// data that follows it is attacker-supplied, so keep the whole path parameterized)
$stmt = mysqli_prepare($con, "SELECT * FROM reports WHERE ip = ? AND time >= ?");
mysqli_stmt_bind_param($stmt, "si", $ip, $fresh);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_array($result);
// no row means no server has reported this IP in the window
$reportDate = $row ? $row['datetime'] : null;
if (empty($reportDate)) {
	// proceed to sanitize and insert data and run reports
}

Yeah, I do it old-school.

I don’t, however, check every incoming mail against AbuseIPDB. That would use crazy resources. Instead, I cron a shell script to query AbuseIPDB and create a text list, which all of the servers can then import into CSF:

#!/bin/bash
# Location of the shared list that the servers import into CSF
list=/home/[site]/public_html/.some_folder/abuseipdb.txt
# Make a backup
cp -f "$list" "${list%.txt}.bak"
# Download the new file
# -f makes curl fail on an HTTP error instead of saving the error body as the list;
# -sS keeps it quiet in cron but still prints real errors
curl -fsS -G https://api.abuseipdb.com/api/v2/blacklist \
    -d countMinimum=50 \
    -d maxAgeInDays=2 \
    -d confidenceMinimum=50 \
    -H "Key: my-key-goes-here" \
    -H "Accept: text/plain" > "$list"
size=$(stat -c%s "$list")
# Define the minimum acceptable size and restore from backup if the new file is too small
# (a failed or empty download leaves a truncated file behind, so this catches it)
min="1500"
if [[ $size -lt $min ]]; then
    cp -f "${list%.txt}.bak" "$list"
fi
exit

Blocking an IP that’s spewing forth spam at the firewall is much more efficient than checking every mail against the bad IP list.

The honeypots are a combination of CMS login pages that are non-existent on a hand-coded site and are redirected (using .htaccess) to land on a reporting script; and phony contact pages with clear instructions to humans not to use them. This one is an example of the latter.

Robots are pretty dumb.

The other source for bad IP’s is a behavioral spam filter on actual contact pages that I keep pretty closely-guarded. It basically looks for behaviors that robots might do, but humans wouldn’t. One example would be filling in the form faster than a human could, but there are many others. All those clearly-robotic hits are routed to a reporting script, and then to a success page, just in case there’s a human spammer watching.

If you haven’t guessed, I hate spammers and other Internet miscreants and get my jollies trapping as many as possible. I also donate resources to The Honeypot Project for this purpose, and I have many of their honeypots scattered throughout sites I own or manage.

Hey, it keeps me off the streets…

Richard

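An added example, not Richard's script or anything else posted in the thread: a shell version of the download-and-install step that checks what is in the new list, not just how big it is, before swapping it into place for CSF. A size check alone will accept an HTML error page or a JSON error body from the API if it happens to be large enough; this version requires every non-blank line to have the shape of an IPv4/IPv6 address or CIDR and requires a minimum number of entries, and it only overwrites the live list once the new one passes. The paths, the ABUSEIPDB_KEY variable, the `refresh` argument and the minimum entry count are assumptions, and the sample lists in the test are constructed.

```shell
#!/bin/bash
# Added example (not from the thread). Validate a plain-text AbuseIPDB-style
# blocklist before it replaces the copy that CSF imports. Paths and thresholds
# are assumptions; adjust to the real site layout.

# Shape check only: IPv4 with optional /prefix, or IPv6 (colon-separated hex
# groups) with optional /prefix. It rejects HTML, JSON and prose, which is the
# failure mode that matters here; it does not range-check octets.
IP_RE='^(([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?|([0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(/[0-9]{1,3})?)$'

# Count the non-blank lines in $1 (grep -c prints 0 but exits 1 on no matches).
ip_list_entry_count() {
    local n
    n=$(grep -Evc '^[[:space:]]*$' "$1") || true
    printf '%s\n' "$n"
}

# Succeed only if every non-blank line of $1 matches IP_RE.
# An empty file passes vacuously; the entry-count check below catches that.
ip_list_well_formed() {
    local bad
    bad=$(grep -Ev '^[[:space:]]*$' "$1" | grep -Ev "$IP_RE" | head -n 1)
    if [ -n "$bad" ]; then
        echo "reject: non-address line: $bad" >&2
        return 1
    fi
    return 0
}

# install_blocklist NEW LIVE [MIN_ENTRIES]
# Replace LIVE with NEW only if NEW is well formed and has at least MIN_ENTRIES
# entries; otherwise leave LIVE untouched and return 1. The previous LIVE is
# kept as LIVE.bak. mv within one filesystem is atomic, so CSF never sees a
# half-written list.
install_blocklist() {
    local new=$1 live=$2 min=${3:-100}
    local n
    if ! ip_list_well_formed "$new"; then
        return 1
    fi
    n=$(ip_list_entry_count "$new")
    if [ "$n" -lt "$min" ]; then
        echo "reject: $new has only $n entries (minimum $min)" >&2
        return 1
    fi
    if [ -f "$live" ]; then
        cp -f "$live" "$live.bak"
    fi
    mv -f "$new" "$live"
}

# fetch_blocklist OUTFILE: the same AbuseIPDB query the thread uses.
# -f makes curl fail on an HTTP error instead of saving the error body.
# Requires ABUSEIPDB_KEY in the environment (assumed variable name).
fetch_blocklist() {
    curl -fsS -G https://api.abuseipdb.com/api/v2/blacklist \
        -d countMinimum=50 -d maxAgeInDays=2 -d confidenceMinimum=50 \
        -H "Key: $ABUSEIPDB_KEY" -H "Accept: text/plain" -o "$1"
}

# Usage from cron (assumed path):
#   ABUSEIPDB_KEY=... ./abuseipdb-refresh.sh refresh /home/[site]/public_html/.some_folder/abuseipdb.txt
if [ "${1:-}" = "refresh" ] && [ -n "${2:-}" ]; then
    tmp=$(mktemp "$2.XXXXXX")
    if fetch_blocklist "$tmp" && install_blocklist "$tmp" "$2" 100; then
        echo "updated $2 with $(ip_list_entry_count "$2") entries"
    else
        rm -f "$tmp"
        echo "kept existing $2" >&2
        exit 1
    fi
fi
```

The download goes to a temporary file next to the live list, so a network error, a rate-limit response or a short answer never touches the file CSF reads; the live copy only changes after both checks pass, which replaces the copy-then-restore dance in the original with a single guarded move.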

Another note on CSF. Similar to the abuse databases above…

If you have many servers running CSF, it can be set up to block an IP across any or all of your servers running CSF. So if an IP is banned on one server, it is banned on all your servers.


My pet peeve is corporate scrapers and they’re a bit smarter. I tell myself ‘At least our servers don’t follow us around like smartphones try to do’ but I’m not so sure about that anymore.


That’s true. Not all bots are as dumb as spambots.
