Folks, we all know that IP blacklisting doesn't work - spammers can come in through a proxy, plus, legitimate users might get affected... That said, blacklisting seems to me to be an efficient mechanism to stop a persistent attacker, given that the actual list of IP's is determined dynamically, based on application's feedback and user behavior.

For example:

  • someone trying to brute-force your login screen
  • a poorly written bot issues very strange HTTP requests to your site
  • a script-kiddie uses a scanner to look for vulnerabilities in your app

I'm wondering if the following mechanism would work, and if so, do you know if there are any tools that do it:

  • In a web application, developer has a hook to report an "offense". An offense can be minor (invalid password) and it would take dozens of such offenses to get blacklisted; or it can be major, and a couple of such offenses in a 24-hour period kicks you out.
  • Some form of a web-server-level block kicks in on before every page is loaded, and determines if the user comes from a "bad" IP.
  • There's a "forgiveness" mechanism built-in: offenses no longer count against an IP after a while.

Thanks!

Extra note: it'd be awesome if the solution worked in PHP, but I'd love to hear your thoughts about the approach in general, for any language/platform
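A sketch of the offense-scoring mechanism described in the question, added here as an example (it is not code from the question or from any of the answers), written in Python rather than PHP: minor and major offenses carry different weights, scores are summed over a sliding 24-hour window so that old offenses are forgiven, and the block check is cheap enough to run before every page. The weights, thresholds and the `/sbin/iptables` argv helper are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Weights and thresholds are illustrative assumptions, not values from the page.
MINOR, MAJOR = 1, 20          # weight per offense (e.g. bad password vs. scanner probe)
BAN_THRESHOLD = 40            # two majors in 24h, or dozens of minors, trigger a block
FORGIVE_AFTER = 24 * 3600     # seconds after which an offense no longer counts
BAN_DURATION = 3600           # seconds a block stays in force once triggered


class OffenseTracker:
    """Per-IP weighted offense score with time-based forgiveness."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock so the logic is testable
        self.offenses = defaultdict(deque)  # ip -> deque of (timestamp, weight)
        self.banned_until = {}              # ip -> expiry timestamp of the block

    def _prune(self, ip, t):
        q = self.offenses[ip]
        while q and t - q[0][0] > FORGIVE_AFTER:   # forgiveness: drop expired offenses
            q.popleft()

    def score(self, ip):
        t = self.now()
        self._prune(ip, t)
        return sum(w for _, w in self.offenses[ip])

    def report(self, ip, weight):
        """Hook the application calls on an offense; returns True when a block starts."""
        t = self.now()
        self.offenses[ip].append((t, weight))
        if self.score(ip) >= BAN_THRESHOLD:
            self.banned_until[ip] = t + BAN_DURATION
            return True
        return False

    def is_blocked(self, ip):
        """Cheap check to run before serving any page."""
        expiry = self.banned_until.get(ip)
        if expiry is None:
            return False
        if self.now() >= expiry:            # block expired: clean slate for this IP
            del self.banned_until[ip]
            self.offenses[ip].clear()
            return False
        return True


def iptables_drop_argv(ip):
    """argv for a firewall-level drop; hand to subprocess.run under a privileged helper."""
    return ["/sbin/iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]
```

The application-level check in `is_blocked` is enough for a portable PHP-style deployment; `iptables_drop_argv` shows the shape of the command an app with box access would issue so that dropped requests never reach the web server.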

A: 

I think it should be a combination of user-name plus IP block. Not just IP.

Vaibhav
He's referring to a situation where a user has not logged in yet, or at all. He explicitly mentions the login screen... If the user was logged in, it would be trivial.
AviD
+2  A: 

are you on a *nix machine? this sort of thing is probably better left to the OS level, using something like iptables

edit:

in response to the comment, yes (sort of). however, the idea is that iptables can work independently. you can set a certain threshold to throttle (for example, block requests on port 80 TCP that exceed x requests/minute), and that is all handled transparently (ie, your application really doesn't need to know anything about it, to have dynamic blocking take place).

i would suggest the iptables method if you have full control of the box, and would prefer to let your firewall handle throttling (advantages are, you don't need to build this logic into your web app, and it can save resources as requests are dropped before they hit your webserver)

otherwise, if you expect blocking won't be a huge component, (or your app is portable and can't guarantee access to iptables), then it would make more sense to build that logic into your app.

Owen
Is there a way to communicate with iptables from a web application? Like "hey IPtables, i think there's an intruder at address X, watch them to see if they behave badly in the future". I am indeed on Linux, running PHP.
Alex
+2  A: 

Take a look at fail2ban. A Python framework that allows you to raise iptables blocks from tailing log files for patterns of errant behaviour.

Dave Cheney
A: 

you're looking at custom lockout code. There are applications in the open source world that contain various flavors of such code. Perhaps you should look at some of those, although your requirements are pretty trivial, so mark an IP/username combo, and utilize that for blocking an IP for x amount of time. (Note I said block the IP, not the user. The user may try to get online via a valid IP/username/pw combo.)

Matter of fact, you could even keep traces of user logins, and when logging in from an unknown IP with a 3 strikes bad username/pw combo, lock that IP out for however long you like for that username. (Do note that a lot of ISPs share IPs, thus....)

You might also want to place a delay in authentication, so that an IP cannot attempt a login more than once every 'y' seconds or so.

Munger
On your last point: delay in authentication is one of my favorite techniques. After the application determined that the credentials are invalid, but before the response is shown to the user, sleep for 1 second. This way, legitimate users aren't slowed down, but the bot is shot on its tracks.
Alex
A: 

I have developed a system for a client which kept track of hits against the web server and dynamically banned IP addresses at the operating system/firewall level for variable periods of time for certain offenses, so, yes, this is definitely possible. As Owen said, firewall rules are a much better place to do this sort of thing than in the web server. (Unfortunately, the client chose to hold a tight copyright on this code, so I am not at liberty to share it.)

I generally work in Perl rather than PHP, but, so long as you have a command-line interface to your firewall rules engine (like, say, /sbin/iptables), you should be able to do this fairly easily from any language which has the ability to execute system commands.

Dave Sherohman
A: 

Hi Darvish,

I have to solve the same requirement to ban IP addresses dynamically against hits. Would you send me the scripts to do that ... please

Thanks, Liju

A: 

err this sort of system is easy and common, I can give you mine easily enough

it's simply and briefly explained here http://www.alandoherty.net/info/webservers/

the scripts as written aren't downloadable {as no commentary currently added} but drop me an e-mail, from the site above, and I'll fling the code at you and gladly help with debugging/tailoring it to your server

Alan Doherty