[XTR] IP Threat Monitor [Paid] 1.0.5

[Osman]

Osman submitted a new resource:

[XTR] IP Threat Monitor - Smart IP monitoring system protecting your forum from bots and DDoS attacks, boosting performance

View attachment 330468

IP Threat Monitor is a professional security addon that protects your XenForo forum from malicious bots, DDoS attacks, and excessive request traffic. With its cache-first architecture, it reduces database load by 98% while delivering 5-10x faster response times. SEO-friendly design protects search engines while never affecting your real users' experience.

IP Threat Monitor - Smart Security & Performance​

Is your forum constantly...

Read more about this resource...

 

[Dannymh]

This looks interesting, but how similar is it to Cloudflare rules doing the same.
My cloudflare stats are horrific when you look at all the scraping and AI bots hitting it as well as the threat count going up.

Have been using some bot rules and tuning that as I go as well some country blocking, China, INdia, Singapore and Vietnam as those seem to be majority of traffic. I am still getting hit massively from the US and can't block the entire country as I have genuine users there, so now need to go into IP Blocks

 

[Osman]

Osman updated [XTR] IP Threat Monitor with a new update entry:

1.0.1

• [New] Added "Enable Bot rDNS Verification" option to validate search engine bots via reverse DNS lookup and prevent User-Agent spoofing.
• [Improvement] Enhanced logic for "Block Only (No Captcha)"mode:
  • Initial threshold breach triggers a standard 429 Too Many Requests response.
  • Persistent attacks after the 429 warning now result in a permanent 403 Forbidden ban.

This update introduces critical security...

Read the rest of this update entry...

 

[Osman]

Osman updated [XTR] IP Threat Monitor with a new update entry:

1.0.2

Fixed: Duplicate entry database errors

• Resolved race condition issues in blacklistIP(), blockIP(), and trustIP() methods
• Improved concurrent request handling with proper error recovery
• Enhanced database integrity with unique constraint protection

Fixed: PHP 8+ compatibility warnings

• Eliminated string offset cast warnings in IPv6 CIDR validation
• Added proper bounds checking for binary string operations
• Updated CloudflareIPs and RateLimiter...

Read the rest of this update entry...

 

[Osman]

Osman updated [XTR] IP Threat Monitor with a new update entry:

1.0.3

[NEW] Bot IP Range Detection

• Added primary bot detection using official IP ranges (Google, Bing, Yandex, Baidu, DuckDuckBot)
• Instant bot verification without DNS lookup overhead
• 99% coverage of legitimate search engine traffic
• New BotIPRanges service with CIDR matching support

[IMPROVED] Multi-Layer Bot Protection

• 3-tier bot detection: IP Range → User-Agent → rDNS
• Bot rDNS Verification remains as secondary protection layer
• Reduced...

Read the rest of this update entry...

 

[ES Dev Team]

Do you have some before/after results with cloudflare..
Or a site that runs this so i can see your bot traffic?

 

[Osman]

Do you have some before/after results with cloudflare..
Or a site that runs this so i can see your bot traffic?

We don’t provide a public demo site or share raw traffic statistics due to security and privacy reasons. However, I’ve sent you a private message with more details regarding this.

 

[Paul]

@Osman - What exactly is the "proxycheck.io" key for, and when is it called?
I only ask as my forum isnt massive, however i have hit 573 queries within the first 30 mins (so the "less than 1k" free package is going to be out of the window!)...

More worryingly, what happens when it runs out completely?!

EDIT : Exceeded 1k after around an hour!!

 

[Osman]

@Osman - What exactly is the "proxycheck.io" key for, and when is it called?
I only ask as my forum isnt massive, however i have hit 573 queries within the first 30 mins (so the "less than 1k" free package is going to be out of the window!)...

More worryingly, what happens when it runs out completely?!

EDIT : Exceeded 1k after around an hour!!

What does the “proxycheck.io” API key do?
This API key is used for VPN, Proxy, and Tor detection. When enabled, it checks whether visitor IP addresses are coming through a VPN or proxy service. The main purpose is to detect and block potentially malicious traffic hidden behind anonymization services.

Why were there so many API requests?
In a previous version, there was a performance issue where the API was being called on every request instead of only when necessary. This resulted in excessive API usage, especially on high-traffic forums.

As of version 1.0.4, we believe this issue has been resolved, and API calls are now properly optimized.

 

[Osman]

Osman updated [XTR] IP Threat Monitor with a new update entry:

1.0.4

Fixed
Critical Performance Fix: VPN/Proxy API check no longer runs on every HTTP request
API Quota Exhaustion: System now gracefully handles ProxyCheck.io quota limits without hammering the API
Auto-Ban in Captcha Modes: Fixed issue where Auto-Ban rules were not working when protection mode was set to "Captcha (Soft)" or "Captcha (Hard)"

Changed

• VPN check now only executes when an IP exceeds the rate limit threshold
• API errors are now cached for 1...

Read the rest of this update entry...

 

[Paul]

@Osman - thats great - thank you....

Is there a good half-way-house somewhere which might be configurable in the settings? I dont want to compromise security but on the flip side I dont have an issue in paying for the service provided by proxycheck.io as their prices are reasonable.

Interestingly since updating to 1.04 last night, i have had zero queries to proxycheck.io in the last 14 hours, which is maybe a little worrying...

 

[Paul]

also seem to be getting an error...

Server error log

• ErrorException: IP Threat Monitor: [E_WARNING] String offset cast occurred
• src/addons/XENTR/IPThreatMonitor/Service/CloudflareIPs.php:239
• Generated by: Unknown account
• Dec 11, 2025 at 10:34 AM

Stack trace​

#0 src/addons/XENTR/IPThreatMonitor/Service/CloudflareIPs.php(239): XF::handlePhpError(2, '[E_WARNING] Str...', '/home/pinball/p...', 239)
#1 src/addons/XENTR/IPThreatMonitor/Service/CloudflareIPs.php(173): XENTR\IPThreatMonitor\Service\CloudflareIPs->ipInRange('2a06:98c0:3600:...', '2a06:98c0::/29')
#2 src/addons/XENTR/IPThreatMonitor/Service/RateLimiter.php(393): XENTR\IPThreatMonitor\Service\CloudflareIPs->isCloudflareIP('2a06:98c0:3600:...')
#3 src/addons/XENTR/IPThreatMonitor/Service/RateLimiter.php(83): XENTR\IPThreatMonitor\Service\RateLimiter->isTrustedIP('2a06:98c0:3600:...')
#4 src/addons/XENTR/IPThreatMonitor/Listener.php(89): XENTR\IPThreatMonitor\Service\RateLimiter->checkRateLimit()
#5 src/XF/Extension.php(86): XENTR\IPThreatMonitor\Listener::appPubStartEnd(Object(XF\Pub\App))
#6 src/XF/App.php(3366): XF\Extension->fire('app_pub_start_e...', Array, NULL)
#7 src/XF/Pub/App.php(255): XF\App->fire('app_pub_start_e...', Array)
#8 src/XF/App.php(2820): XF\Pub\App->start(true)
#9 src/XF.php(806): XF\App->run()
#10 index.php(23): XF::runApp('XF\\Pub\\App')
#11 {main}

Request state​

array(4) {
["url"] => string(57) "/community/threads/stern-galaxy-serial-number-1411.51721/"
["referrer"] => bool(false)
["_GET"] => array(0) {
}
["_POST"] => array(0) {
}
}

 

[Osman]

Hi,

Thank you for reporting these issues! I've investigated and prepared fixes for both concerns.

Issue 1: Server Error (String offset cast occurred)​

This was a compatibility issue with newer PHP versions (8.0+) when handling IPv6 addresses like Cloudflare IPs. It has been fixed in the upcoming update.

Issue 2: Zero API Queries in 14 Hours​

This is actually expected behavior with version 1.0.4! The optimization we made was quite aggressive - VPN checks only happen when someone actually exceeds the rate limit threshold. Since your forum didn't have any rate limit violations during those 14 hours, no API calls were made.

However, I understand your concern. You want a balance between security and API usage. So I've added a new option called "VPN Check Mode" with three settings:

1. Aggressive - Only checks VPN when rate limit is exceeded (current behavior, minimal API usage)
2. Moderate (Recommended) - Checks VPN when an IP gets blocked for the first time (good balance)
3. First Visit - Checks every new visitor immediately (maximum protection, uses more API credits)

The default is now set to Moderate, which should give you the balance you're looking for. If you want more proactive protection and have a paid ProxyCheck.io plan, you can set it to "First Visit" mode.

These changes will be included in version 1.0.5.

For any other issues you encounter with the add-on, please feel free to submit a support ticket through our website.

https://xentr.net/support-tickets/

Best regards

 

[Osman]

Osman updated [XTR] IP Threat Monitor with a new update entry:

1.0.5

New

• Added "VPN Check Mode" option with 3 modes: Aggressive, Moderate, and First Visit
• Moderate mode allows balanced API usage while maintaining security
• First Visit mode provides proactive VPN detection for high-security sites

Fixed

• Fixed IPv6 address validation error ("String offset cast occurred")
• Cloudflare IPv6 addresses are now properly checked against IP ranges

Improved

• Test Configuration page now includes VPN...

Read the rest of this update entry...

 

[Paul]

Previously i was running Ozzmods registration spaminator (https://snogssite.com/resources/ozzmodz-registration-spaminator.87/).

Interestingly i started getting spam registrations as soon as i disabled it (and enabled this). I am guessing this is expected behaviour??

 

[Osman]

Yes, this is expected. IP Threat Monitor and Registration Spaminator serve different purposes:

• Registration Spaminator → Catches spam bots using hidden form fields (honeypot technique)
• IP Threat Monitor → Blocks IPs making too many requests (rate limiting) Protects your entire site from DDoS and brute-force attacks

A spam bot that fills out the registration form once won't trigger rate limiting. You can use both add-ons together - they complement each other.