Blocking access to site by banned IP addresses

难免孤独 2020-12-20 03:51

I have a list of IP addresses of bots/hackers that are constantly attacking one of my sites. I want to block these visitors by IP and am trying to work out a "best" approa

4 answers
  • 2020-12-20 04:16

    I'd stick the code in a place where it will run as soon as possible, before the server consumes too many resources.

    I would say you should send back as little information as possible, ideally HTTP status 503 (Temporarily unavailable) with a short message linking to an acceptable-use page, or a page explaining to people some reasons why they MIGHT have been blocked and what to do if they feel they are blocked unfairly. You may wish to do this in text/plain instead of HTML as it will use fewer bytes :)

    Using an in-memory list of blocked IPs also breaks when you have a large number of blocked addresses (say 1 million) because scanning it becomes prohibitive (remember you need to do this for every request to the relevant resource).

    Ultimately you will want a way to distribute the lists of blocked IPs to all your web servers and/or keep it centralised - depending on exactly what kind of abuse you are getting or anticipating.

    Having said that, you should definitely apply the YAGNI principle. If you aren't experiencing real capacity problems, don't bother blocking abusers at all. Very few sites actually do this, and most of them are things where there is a significant cost associated with running the site (such as Google search)

  • 2020-12-20 04:22

    I'd have to agree with David on this for several reasons.

    1. By blocking via software hackers/bots will still be able to abuse your resources (bandwidth, processor time, etc).

    2. Software can't protect your site against DoS attacks.

    3. If a hacker is good they'll find a way around software blocks.

    4. Updating blocking code will require recompiling of your application.

    Your answer is in the firewall. Set up rules to block out the users and they won't be able to connect.

    Sending an "under maintenance" page is a terrible idea because it'll confuse normal users and won't deter a good hacker...

  • 2020-12-20 04:25

    While you could block the IP addresses on your outward facing servers (your web servers obviously but you may have others) this list will need to be replicated across all. By blocking on a server you're not only overcomplicating the solution but also providing a method which is not wholly secure.

    The proper point to block network traffic, whether it be a select list of ports or IP addresses, is as far out on your network as you can get. This is typically a firewall/router at your entry point. These networking devices are optimized for this very purpose, as well as far beyond that. Depending on the manufacturer of your networking equipment the feature set will widely vary.

    I suggest you:

    • Identify all routers/firewalls at the outermost boundary. It is possible you only have one unless you're load balancing.
    • Learn how to configure the ACL (access control list) for those devices.
    • Modify the ACL based on your IP addresses list to block.
    • Always save a backup of your network device config elsewhere.

    Obviously this is just the tip of the iceberg in security. Perhaps at some point you'll need to contend with DoS (Denial of Service attacks) and then some - oh the fun.

    Good luck.

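The procedure above ends with "modify the ACL based on your IP address list" and "always save a backup". What the ACL looks like depends entirely on the device, so the following added example (not the answerer's code, and not tied to any product mentioned on the page) shows the shape of that step for a Linux host or edge box running nftables: it turns a plain-text ban list into a ruleset with interval sets, collapses overlapping and adjacent entries into the fewest prefixes, refuses to emit a rule that would block an address you have marked as protected (so you cannot lock out your own management hosts), and writes the file only after copying the previous version aside. Function names, the `banned4`/`banned6` set names and the `never_block` parameter are this example's own; the addresses are constructed documentation ranges.

```python
"""Added example, not part of any answer above: render a text ban list as an
nftables ruleset with interval sets, collapsing overlapping entries and refusing
to block addresses marked as protected. The ranges used are constructed
documentation ranges; the set names banned4/banned6 are this example's own."""
import ipaddress
from datetime import datetime, timezone
from pathlib import Path


def parse_entries(entries):
    """Parse hosts or CIDRs; blank lines and '#' comments are ignored.
    An unparsable entry raises instead of being skipped, so a typo cannot
    silently shrink the ban list."""
    nets = []
    for lineno, raw in enumerate(entries, 1):
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        try:
            nets.append(ipaddress.ip_network(text, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {text!r} is not an IP address or CIDR") from exc
    return nets


def _fmt(net):
    """Single hosts are rendered without the /32 or /128 suffix for readability."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def collapse_entries(entries):
    """Return (ipv4, ipv6) lists of strings with contained and adjacent
    networks merged, e.g. 198.51.100.0/24 + 198.51.101.0/24 -> 198.51.100.0/23."""
    nets = parse_entries(entries)
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [_fmt(n) for n in v4], [_fmt(n) for n in v6]


def render_nftables(entries, never_block=(), table="filter"):
    """Build the ruleset text. never_block lists ranges (your monitoring and
    admin hosts, for instance) that the ban list must never overlap."""
    banned = parse_entries(entries)
    for keep in parse_entries(never_block):
        for net in banned:
            if keep.version == net.version and keep.overlaps(net):
                raise ValueError(f"{net} overlaps protected range {keep}")
    v4, v6 = collapse_entries(entries)
    lines = [f"table inet {table} {{"]
    for name, kind, elems in (("banned4", "ipv4_addr", v4), ("banned6", "ipv6_addr", v6)):
        # 'flags interval' is what allows prefixes (not just single hosts) in the set
        lines += [f"    set {name} {{", f"        type {kind}", "        flags interval"]
        if elems:
            lines.append(f"        elements = {{ {', '.join(elems)} }}")
        lines.append("    }")
    lines += [
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        "        ip saddr @banned4 drop",
        "        ip6 saddr @banned6 drop",
        "    }",
        "}",
        "",
    ]
    return "\n".join(lines)


def write_with_backup(ruleset, path, backup_dir):
    """Copy the existing file to backup_dir with a UTC timestamp, then overwrite."""
    path, backup_dir = Path(path), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    if path.exists():
        stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
        (backup_dir / f"{path.name}.{stamp}").write_text(path.read_text())
    path.write_text(ruleset)


if __name__ == "__main__":
    # constructed sample list: one host, two adjacent /24s with a host inside, one IPv6 prefix
    sample = ["203.0.113.7", "198.51.100.0/24", "198.51.100.5  # inside the /24",
              "198.51.101.0/24", "2001:db8::/32"]
    print(render_nftables(sample, never_block=["192.0.2.0/24"]))
```

The rendered text is meant to be checked before it is applied: `nft -c -f banned.nft` parses it without loading it, and `nft -f banned.nft` then installs it. Because the sets are keyed on prefix, the kernel matches a source address in one lookup, so the list size stops being a per-request cost on the web server at all, which is the point the answers make in favour of blocking at the edge.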
  • 2020-12-20 04:38

    If you feel your site is being "hacked" from a specific IP, you should not be blocking that IP in software, the very thing that they intend to compromise. Blocked IPs should be blocked at the firewall.
