1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

IP address blocking

Discussion in 'XenForo Pre-Sales Questions' started by Warren Block, Aug 26, 2014.

  1. Warren Block

    Warren Block New Member

    We're looking at converting our existing forums, but have an extensive IP address blocking system using PF tables. Are there any existing methods to automate uploading lists of IP addresses and ranges non-interactively? Like with scp, for example?
     
  2. Mike

    Mike XenForo Developer Staff Member

    There is nothing built-in that allows IP blocks to be managed non-interactively.
     
  3. Robust

    Robust Well-Known Member

    I might be misunderstanding what you're saying, but it sounds like this is something to be done server side.
     
  4. Walter

    Walter Well-Known Member

    Way better to block the IPs directly at the firewall than in the forum, this way it uses less ressources.
     
  5. Tracy Perry

    Tracy Perry Well-Known Member

    Depends on how extensive the IP list is. If it's fairly extensive it would probably benefit from using ipset instead of listing them in the iptables (if using a software firewall on the box - hardware firewall would be another matter). :)
     
  6. Warren Block

    Warren Block New Member

    Thanks for all the responses!

    For our usage in a FreeBSD jail, firewall access will not be available. Another method that sounds like it will work is setting up our own private DNSBL. Given the amount of traffic, the overhead is not likely to be a problem. But something that requires less setup would be nice. Maybe a cron job could clear and reimport the IP address table in the database, if there is a plain table for that.
     
  7. WoodiE

    WoodiE Well-Known Member

    If your server uses Apache you could use htaccess to block IP's too.
     
  8. Warren Block

    Warren Block New Member

    We don't know yet whether the provided web server will be Apache, but that might be a reason to request it. Will check, thanks!
     
  9. Dan Hawkins

    Dan Hawkins Active Member

  10. Ridemonkey

    Ridemonkey Well-Known Member

    Sure, in theory that's definitely true.

    In practice, it needs to be weighed against the impact that the blocked IPs are having on the server. If they're being forwarded to a zero-query, lightweight page, that's often enough relief for the server that it's not worth the additional overhead of manually managing IP block lists.

    Two add-ons, FoolBotHoneyPot and DeDos (both by the same author) are currently managing this for us - the former for bots attempting to register, and the latter for content scrapers - and the advantage is that it exposes the management of the modules right into the XF interface, meaning it can be managed easily at the front end by myself or anyone I grant access to. I could manage it in IP tables but not as conveniently.

    Of course, if the IP ranges you're trying to block are causing massive problems, or if your server is constantly running low on resources, there are absolutely advantages to cutting it off in the firewall. Just mentioning that there are trade-offs.
     
  11. Robust

    Robust Well-Known Member

    Or at the software end. I do this on nginx quite easily and in an organised manner.

    include inc/ipblock;

    ipblock:
    include blocks/country1
    include ....

    Relatively easy, it's completely tidy too.
     

Share This Page