IP address blocking

We're looking at converting our existing forums, but have an extensive IP address blocking system using PF tables. Are there any existing methods to automate uploading lists of IP addresses and ranges non-interactively? Like with scp, for example?
 
Way better to block the IPs directly at the firewall than in the forum; this way it uses fewer resources.
Depends on how extensive the IP list is. If it's fairly extensive it would probably benefit from using ipset instead of listing them in the iptables (if using a software firewall on the box - hardware firewall would be another matter). :)
 
Thanks for all the responses!

For our usage in a FreeBSD jail, firewall access will not be available. Another method that sounds like it will work is setting up our own private DNSBL. Given the amount of traffic, the overhead is not likely to be a problem. But something that requires less setup would be nice. Maybe a cron job could clear and reimport the IP address table in the database, if there is a plain table for that.
 
Way better to block the IPs directly at the firewall than in the forum; this way it uses fewer resources.

Sure, in theory that's definitely true.

In practice, it needs to be weighed against the impact that the blocked IPs are having on the server. If they're being forwarded to a zero-query, lightweight page, that's often enough relief for the server that it's not worth the additional overhead of manually managing IP block lists.

Two add-ons, FoolBotHoneyPot and DeDos (both by the same author) are currently managing this for us - the former for bots attempting to register, and the latter for content scrapers - and the advantage is that it exposes the management of the modules right into the XF interface, meaning it can be managed easily at the front end by myself or anyone I grant access to. I could manage it in IP tables but not as conveniently.

Of course, if the IP ranges you're trying to block are causing massive problems, or if your server is constantly running low on resources, there are absolutely advantages to cutting it off in the firewall. Just mentioning that there are trade-offs.
 
Depends on how extensive the IP list is. If it's fairly extensive it would probably benefit from using ipset instead of listing them in the iptables (if using a software firewall on the box - hardware firewall would be another matter). :)
Or at the software end. I do this on nginx quite easily and in an organised manner.

# in nginx.conf (http or server context):
include inc/ipblock;

# inc/ipblock:
include blocks/country1;
include ....

Relatively easy, it's completely tidy too.
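The nginx include layout in the last post, and the cron-job "clear and reimport" idea earlier in the thread, both need the block files generated from a plain list of addresses. The following is an added example, not code from any poster: it validates a list of IPs/CIDRs, collapses duplicates and covered ranges, and writes one `deny` per network into a blocks/ include file. The sample list and the `blocks/scrapers` path are constructed assumptions.

```python
import ipaddress
from pathlib import Path

# Constructed sample list (not from the thread): mixed IPv4/IPv6, a comment,
# a duplicate, a host already covered by a wider range, one malformed entry.
SAMPLE_LIST = """\
# scrapers seen in access logs
203.0.113.0/24
203.0.113.45        # covered by the /24 above
198.51.100.7
198.51.100.7        # duplicate
2001:db8::/32
not-an-address
"""

def parse_blocklist(text):
    """Return (networks, rejected): collapsed networks (IPv4 then IPv6) and
    the entries that failed to parse, so they can be reviewed instead of lost."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    # collapse_addresses merges duplicates, adjacent ranges and covered subnets,
    # but only within one address family, so split by version first.
    collapsed = []
    for version in (4, 6):
        fam = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(fam))
    return collapsed, rejected

def render_nginx_deny(networks):
    """One 'deny' directive per network; single hosts are written without a prefix."""
    lines = [f"deny {n.network_address if n.num_addresses == 1 else n.with_prefixlen};"
             for n in networks]
    return "\n".join(lines) + "\n"

def write_block_file(text, out_path):
    """Regenerate one blocks/<name> include atomically, so a cron job can rerun it."""
    networks, rejected = parse_blocklist(text)
    out = Path(out_path)  # e.g. "blocks/scrapers" (hypothetical path)
    out.parent.mkdir(parents=True, exist_ok=True)
    tmp = out.with_name(out.name + ".tmp")
    tmp.write_text(render_nginx_deny(networks))
    tmp.replace(out)  # atomic rename; run `nginx -s reload` afterwards
    return len(networks), rejected
```

Schedule `write_block_file(Path("ipblock.txt").read_text(), "blocks/scrapers")` from cron and reload nginx once the file is in place; anything in `rejected` is a typo in the source list, not a blocked address.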
 