tags:

views:

450

answers:

7
+4  Q: 

Dynamic IP-based blacklisting

Folks, we all know that IP blacklisting doesn't work - spammers can come in through a proxy, plus, legitimate users might get affected... That said, blacklisting seems to me to be an efficient mechanism to stop a persistent attacker, given that the actual list of IP's is determined dynamically, based on application's feedback and user behavior.

For example: - someone trying to brute-force your login screen - a poorly written bot issues very strange HTTP requests to your site - a script-kiddie uses a scanner to look for vulnerabilities in your app

I'm wondering if the following mechanism would work, and if so, do you know if there are any tools that do it:

  • In a web application, developer has a hook to report an "offense". An offense can be minor (invalid password) and it would take dozens of such offenses to get blacklisted; or it can be major, and a couple of such offenses in a 24-hour period kicks you out.
  • Some form of a web-server-level block kicks in on before every page is loaded, and determines if the user comes from a "bad" IP.
  • There's a "forgiveness" mechanism built-in: offenses no longer count against an IP after a while.

Thanks!

Extra note: it'd be awesome if the solution worked in PHP, but I'd love to hear your thoughts about the approach in general, for any language/platform

A: 

I think it should be a combination of user-name plus IP block. Not just IP.

Vaibhav  2008-09-22 03:56:20
He's referring to a situation where a user has not logged in yet, or at all. He explicitly mentions the login screen... If the user was logged in, it would be trivial.
AviD  2008-09-22 05:34:15
+2  A: 

are you on a *nix machine? this sort of thing is probably better left to the OS level, using something like iptables

edit:

in response to the comment, yes (sort of). however, the idea is that iptables can work independently. you can set a certain threshold to throttle (for example, block requests on port 80 TCP that exceed x requests/minute), and that is all handled transparently (ie, your application really doesn't need to know anything about it, to have dynamic blocking take place).

i would suggest the iptables method if you have full control of the box, and would prefer to let your firewall handle throttling (advantages are, you don't need to build this logic into your web app, and it can save resources as requests are dropped before they hit your webserver)

otherwise, if you expect blocking won't be a huge component, (or your app is portable and can't guarantee access to iptables), then it would make more sense to build that logic into your app.

Owen  2008-09-22 03:56:25
Is there a way to communicate with iptables from a web application? Like "hey IPtables, i think there's an intruder at address X, watch them to see if they behave badly in the future". I am indeed on Linux, running PHP.
Alex  2008-09-22 03:58:45
+2  A: 

Take a look at fail2ban. A python framework that allows you to raise IP tables blocks from tailing log files for patterns of errant behaviour.

Dave Cheney  2008-09-22 03:59:15
A: 

you're looking at custom lockout code. There are applications in the open source world that contain various flavors of such code. Perhaps you should look at some of those, although your requirements are pretty trivial, so mark an IP/username combo, and utilize that for blocking an IP for x amount of time. (Note I said block the IP, not the user. The user may try to get online via a valid IP/username/pw combo.)

Matter of fact, you could even keep traces of user logins, and when logging in from an unknown IP with a 3 strikes bad username/pw combo, lock that IP out for however long you like for that username. (Do note that a lot of ISPs share IPs, thus....)

You might also want to place a delay in authentication, so that an IP cannot attempt a login more than once every 'y' seconds or so.

Munger  2008-09-22 04:02:57
On your last point: delay in authentication is one of my favorite techniques. After the application determined that the credentials are invalid, but before the response is shown to the user, sleep for 1 second. This way, legitimate users aren't slowed down, but the bot is shot on its tracks.
Alex  2008-09-22 04:11:43
A: 

I have developed a system for a client which kept track of hits against the web server and dynamically banned IP addresses at the operating system/firewall level for variable periods of time for certain offenses, so, yes, this is definitely possible. As Owen said, firewall rules are a much better place to do this sort of thing than in the web server. (Unfortunately, the client chose to hold a tight copyright on this code, so I am not at liberty to share it.)

I generally work in Perl rather than PHP, but, so long as you have a command-line interface to your firewall rules engine (like, say, /sbin/iptables), you should be able to do this fairly easily from any language which has the ability to execute system commands.

Dave Sherohman  2008-09-22 04:54:09
A: 

Hi Darvish,

I hae to solve a same requirement to ban ip address dynamically against hits. Would u send me the scripts to do that ... pls

Thanks, Liju

 2008-10-05 10:30:29
A: 

err this sort of system is easy and common, i can give you mine easily enough

its simply and briefly explained here http://www.alandoherty.net/info/webservers/

the scripts as written arn't downloadable {as no commentry currently added} but drop me an e-mail, from the site above, and i'll fling the code at you and gladly help with debugging/taloring it to your server

Alan Doherty  2009-01-28 23:57:00

related questions

How do I add a MIME type to .htaccess?
Difference between the Apache HTTP Server and Apache Tomcat?
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Cleanest & Fastest server setup for Django
Installing Apache Web Server on 64 Bit Mac
Running Apache alongside another web server?
Algorithm behind MD5Crypt
Can you compile Apache HTTP Server and redeploy its binaries to a different location ?
mod_rewrite rule to redirect all requests except for one specific path
How do I create a self signed SSL certificate to use while testing a web app.
Software for Webserver Log Analysis?
What is the difference between an endpoint, a service, and a port when working with webservices?
What are the proper permissions for an upload folder with PHP/Apache?
mod_rewrite to alias one file suffix type to another
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
User authentication on Resin webserver
How do you set up Python scripts to work in Apache 2.0?
Block user access to internals of a site using HTTP_REFERER
.htaccess directives to *not* redirect certain URLs
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP