[XTR] IP Threat Monitor 1.0.7

• Refactored options page into a tabbed layout (General, Rate Limit, VPN & ASN, Exemptions).
• Added ASN (Autonomous System Number) based blocking system.
• Added Country Flags display in user postbit information.
• Added xentr_ipt_country column to xf_user table.
• Added option to white-list Apple iCloud Private Relay traffic.
• Fixed array/string conversion error in Blocked ASN list input.
• Refactored Setup.php structure (Install/Upgrade/Uninstall) for better maintainability.
• Updated Test Configuration tool to include database schema checks and new feature validation.

This update brings a major leap in both usability and protection capabilities! The admin panel is now cleaner, and blocking capabilities are more precise than ever.

1. Modern Tabbed Interface:
No more endless scrolling! All options are now organized under logical tabs. Finding the setting you need takes just seconds.

2. ASN Blocking (Stop the Bots!):
Beyond simple IP blocking, you can now block entire network providers based on their ASN.
Example: You can block entire data centers hosting AI scrapers (e.g., specific DigitalOcean or AWS ASNs) in one go.

3. Country Flags :
See where your users are connecting from at a glance. Country flags are now automatically displayed next to usernames in posts. (Integrated seamlessly with the VPN detection system).

4. iCloud Private Relay Friendly:
Don't lose real users! Added a new option to whitelist traffic from Apple iCloud Private Relay, ensuring legitimate Apple users aren't blocked by VPN filters.

Update Note:
After upgrading, it is recommended to run the "Test Configuration" tool in the Admin Panel to verify that the database schema and settings are correctly applied.

• Added "Allow iCloud Private Relay" option to prevent false positives.
• Exempts legitimate Apple iCloud Private Relay traffic from VPN/Proxy blocks.

This update introduces full support for Apple's iCloud Private Relay. A new option "Allow iCloud Private Relay" has been added (enabled by default) which ensures that users browsing via iCloud Private Relay are not mistaken for VPN/Proxy abusers. This allows you to keep strict VPN protection enabled (e.g., "First Visit" mode) without blocking legitimate Apple users.

New

• Added "VPN Check Mode" option with 3 modes: Aggressive, Moderate, and First Visit
• Moderate mode allows balanced API usage while maintaining security
• First Visit mode provides proactive VPN detection for high-security sites

Fixed

• Fixed IPv6 address validation error ("String offset cast occurred")
• Cloudflare IPv6 addresses are now properly checked against IP ranges

Improved

• Test Configuration page now includes VPN detection status
• Test Configuration shows VPN Check Mode with API usage warnings
• Added recommendation when "First Visit" mode uses high API quota

This update introduces a new "VPN Check Mode" setting that gives you control over when VPN/Proxy checks are performed. You can now choose between minimal API usage (Aggressive), balanced approach (Moderate - recommended), or maximum protection (First Visit).

An important bug fix resolves an error that occurred when checking IPv6 addresses such as Cloudflare IPs.

Fixed
Critical Performance Fix: VPN/Proxy API check no longer runs on every HTTP request
API Quota Exhaustion: System now gracefully handles ProxyCheck.io quota limits without hammering the API
Auto-Ban in Captcha Modes: Fixed issue where Auto-Ban rules were not working when protection mode was set to "Captcha (Soft)" or "Captcha (Hard)"

Changed

• VPN check now only executes when an IP exceeds the rate limit threshold
• API errors are now cached for 1 hour to prevent repeated failed calls
• API quota exhaustion triggers a 1-hour cooldown instead of continuous retries
• Consecutive API errors (5 within 5 minutes) trigger a 30-minute API cooldown
• Auto-Ban now works in all protection modes, not just "Block Only"

Improved

• Reduced API calls by 90-99% for typical forum traffic
• Added global API health monitoring
• Better error handling with three-state cache (VPN/safe/pending)

This release focuses on performance optimization and bug fixes related to the VPN/Proxy detection feature. Users experiencing high API usage with ProxyCheck.io will see a dramatic reduction in API calls.

Key Highlights
Performance Optimization
The VPN/Proxy detection system has been completely rearchitected for efficiency:

• Before: API was called on every HTTP request for every unique IP
• After: API is only called when an IP actually exceeds the rate limit threshold

This change reduces API usage by 90-99% for typical forum traffic, making the free ProxyCheck.io tier (1,000 requests/day) viable for most forums.
Improved Error Handling
The system now intelligently handles API failures:

• Individual IP errors are cached for 1 hour
• Global quota exhaustion triggers a 1-hour cooldown
• 5 consecutive errors within 5 minutes triggers a 30-minute cooldown
• Your forum continues to work normally even when the API is unavailable

Auto-Ban Fix
Fixed a critical issue where the Auto-Ban feature was not working when using Captcha protection modes. Now, repeated violators will be permanently blacklisted regardless of which protection mode you use.

[NEW] Bot IP Range Detection

• Added primary bot detection using official IP ranges (Google, Bing, Yandex, Baidu, DuckDuckBot)
• Instant bot verification without DNS lookup overhead
• 99% coverage of legitimate search engine traffic
• New BotIPRanges service with CIDR matching support

[IMPROVED] Multi-Layer Bot Protection

• 3-tier bot detection: IP Range → User-Agent → rDNS
• Bot rDNS Verification remains as secondary protection layer
• Reduced false positives for legitimate crawlers
• Enhanced SEO safety with faster bot recognition

[NEW] Admin Tools

• Added "Bot IP Range Detection" test in Test Configuration page
• Added "Bot rDNS Verification" test with clear recommendations
• New CLI command: xentr:ipt:clear-blacklist (remove blacklisted IPs)
• New CLI command: xentr:ipt:analyze-bots (analyze bot detection)

[ENHANCED] Performance & Reliability

• IP range checks are instant (no DNS latency)
• Reduced server load with cached IP range matching
• Better handling of new bot IP addresses
• Improved error handling in bot verification

This major update introduces a revolutionary 3-tier bot detection system that protects your SEO while blocking malicious traffic.

KEY HIGHLIGHTS:

INSTANT BOT DETECTION
No more waiting for DNS lookups! Bot IP Range Detection instantly recognizes legitimate search engine crawlers using their official IP ranges. This means:

• Zero DNS overhead
• 99% faster bot recognition
• No more false positives from DNS timeouts

TRIPLE-LAYER PROTECTION
Our new system checks bots in 3 ways:

1. IP Range (primary - instant)
2. User-Agent (fast)
3. rDNS Verification (secondary - for unknown IPs)

SEO BULLETPROOF

• Google, Bing, Yandex bots are NEVER blocked
• DNS issues won't affect your SEO anymore
• Comprehensive coverage of all major search engines

SMART & EFFICIENT

• Cached IP range matching for blazing-fast performance
• Reduced server load
• Better handling of new crawler IPs

ADMIN-FRIENDLY

• New diagnostic tests in Test Configuration
• Clear recommendations for optimal setup
• CLI tools for bulk operations

Fixed: Duplicate entry database errors

• Resolved race condition issues in blacklistIP(), blockIP(), and trustIP() methods
• Improved concurrent request handling with proper error recovery
• Enhanced database integrity with unique constraint protection

Fixed: PHP 8+ compatibility warnings

• Eliminated string offset cast warnings in IPv6 CIDR validation
• Added proper bounds checking for binary string operations
• Updated CloudflareIPs and RateLimiter services

Code Quality Improvements

• Enhanced error handling with try-catch blocks
• Improved entity creation logic to prevent duplicate entries
• Optimized performance by reducing unnecessary database operations

This critical update fixes severe production errors that were causing database exceptions and PHP warnings on live servers.

What's Fixed:

• MySQL duplicate entry errors for IP addresses (Error 1062)
• PHP 8+ string offset cast warnings in Cloudflare IP validation
• Race condition handling for concurrent requests
• IPv6 CIDR range validation accuracy

Impact:
These fixes eliminate all server error log entries related to IP Threat Monitor, ensuring smooth operation on production environments.

• [New] Added "Enable Bot rDNS Verification" option to validate search engine bots via reverse DNS lookup and prevent User-Agent spoofing.
• [Improvement] Enhanced logic for "Block Only (No Captcha)"mode:
  • Initial threshold breach triggers a standard 429 Too Many Requests response.
  • Persistent attacks after the 429 warning now result in a permanent 403 Forbidden ban.

This update introduces critical security enhancements to the bot verification process and improves the blocking logic for aggressive requesters.

New Feature: Bot rDNS Verification We have added a new security layer to prevent User-Agent spoofing. The "Enable Bot rDNS Verification" option ensures that visitors claiming to be major search engine bots (Googlebot, Bingbot, Yandex, etc.) are legitimate.

• How it works: It performs a Reverse DNS (rDNS) lookup to verify the hostname.
• Why it matters: Attackers often spoof User-Agent headers (e.g., pretending to be "Googlebot") to bypass rate limiting. This feature blocks those attempts effectively.