backdrop-contrib / antiscan

Block bad crawlers automatically - module for Backdrop CMS.
GNU General Public License v2.0

Threshold of attempts #4

Closed laryn closed 7 months ago

laryn commented 8 months ago

Thanks for pointing me to this module! One thing that Path2Ban had that I found useful was the ability to set a threshold number of attempts before blocking occurred -- e.g. the defaults were 5 attempts to any forbidden path within an hour. This means that someone who tries one URL out of curiosity, or mis-types a path once, will not be blocked immediately.

What do you think about that type of setting?

findlabnet commented 8 months ago

This module is not about human interaction, only against bad robots. From my long-time monitoring of the activity of such scanners, they do not often try the same path more than once per attempt, but different paths at the same time or within a short period of time, e.g. /simple.php, /sellers.json, /settings.json and so on simultaneously.

Since all such blocked attempts (from some of my sites) have been reported to AbuseIPDB, you can easily verify - there are no humans, only bots.

Besides, if someone tries to visit a restricted URL out of curiosity - this person should know how to change his compromised IP ;-).

Anyway, the module provides an option to automatically unblock blocked IPs after some time: 1, 7, 30 or 365 days. Maybe it would be worth adding some shorter periods like 5 minutes or 1 hour?

laryn commented 8 months ago

An immediate block after 1 attempt seems harsh -- but to your concern, I think that Path2Ban tracks attempts to any blocked path, not necessarily the same one, within a short period of time. I'm just thinking of times when I visit a site and I'm trying to determine which CMS it is using, sometimes I'll try a known path just as a quick check. I'd feel more comfortable with an option to warn for the first attempt, or something along those lines.

A shorter unblock time limit option could also potentially be useful.

findlabnet commented 8 months ago

> I'm trying to determine which CMS it is using,

When I try to determine which CMS is in use - I just press Ctrl+U (View page source) because I personally prefer less interaction with a site where I'm not sure what it is. (And this site will open in a new private / incognito window with javascript disabled.)

> option to warn for the first attempt

One researcher among 10000 bots? Less relevant (to me) if more than one or two sites need to be protected.

findlabnet commented 8 months ago

So, I've added shorter unblocking time limit options and a note on the admin screen about module behavior. I think that should be enough for now. A threshold is inappropriate here in my opinion - have you ever seen a mousetrap with a second chance? Thanks for your interest and suggestions.

laryn commented 8 months ago

I respect your position but I'm personally considering locations with many people sharing an IP and I do not want to potentially increase site admin overhead -- for example, having to field calls and go in and manually unblock when somebody blocks the shared IP after one attempt to check a Wordpress URL.

findlabnet commented 8 months ago

I think I can add this feature as an option.

laryn commented 8 months ago

That would be great! And obviously the default setting for this could be 1 as the attempt limit, which would end up with the current functionality still as default.

laryn commented 8 months ago

I believe Path2Ban does this using the Flood Control mechanism. (flood_is_allowed(), flood_register_event(), etc.)

findlabnet commented 8 months ago

Yes, Path2Ban does this using the Flood Control mechanism.

I think I can add this feature as an option.

So, when/if this option is enabled - any threshold limit and window can be set.
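The threshold/window behaviour discussed above (Path2Ban's Flood Control approach, and the option findlabnet describes) can be modelled without a Backdrop bootstrap. The following is an added illustration, not code from the antiscan module or from Backdrop: it keeps an in-memory version of the flood API's two calls (register an event for an identifier, then ask whether fewer than `threshold` events fall inside the last `window` seconds) and runs it over a constructed set of hits. The hit list, the event name `antiscan_attempt`, the IPs and the two extra paths are assumptions for the example; the first three paths are the ones named in the thread.

```python
from collections import defaultdict

# Constructed sample traffic: (seconds since first hit, client IP, requested path).
# One scanner requests several forbidden paths within seconds (the pattern described
# in the thread); a second client makes a single request, e.g. a typo or a curious check.
SAMPLE_HITS = [
    (0, "203.0.113.7", "/simple.php"),
    (1, "203.0.113.7", "/sellers.json"),
    (2, "203.0.113.7", "/settings.json"),
    (3, "203.0.113.7", "/wp-login.php"),   # assumed extra forbidden path
    (4, "203.0.113.7", "/xmlrpc.php"),     # assumed extra forbidden path
    (10, "198.51.100.20", "/wp-login.php"),
]


class Flood:
    """In-memory stand-in for flood_register_event() / flood_is_allowed().

    Events are kept per (event name, identifier) as plain timestamps; an event
    counts against the threshold while it is younger than `window` seconds.
    """

    def __init__(self):
        self._events = defaultdict(list)  # (name, identifier) -> [timestamp, ...]

    def register_event(self, name, identifier, now):
        """Record one occurrence of `name` for `identifier` at time `now`."""
        self._events[(name, identifier)].append(now)

    def is_allowed(self, name, threshold, window, identifier, now):
        """True while fewer than `threshold` events fall inside the last `window` seconds."""
        key = (name, identifier)
        # Drop expired events so the store does not grow without bound.
        self._events[key] = [ts for ts in self._events[key] if ts > now - window]
        return len(self._events[key]) < threshold


def process_hits(hits, threshold, window):
    """Replay forbidden-path hits and return {ip: (offset, path)} for each IP that gets blocked.

    Each hit is registered first and then checked, so an IP is blocked on the
    hit that makes its in-window count reach `threshold`. threshold=1 therefore
    reproduces an immediate block on the first attempt.
    """
    flood = Flood()
    blocked = {}
    for offset, ip, path in hits:
        if ip in blocked:
            continue  # already blocked; later hits would not reach the module
        flood.register_event("antiscan_attempt", ip, offset)
        if not flood.is_allowed("antiscan_attempt", threshold, window, ip, offset):
            blocked[ip] = (offset, path)
    return blocked


if __name__ == "__main__":
    # Path2Ban-style defaults: 5 attempts within one hour.
    print("threshold=5, window=3600:", process_hits(SAMPLE_HITS, 5, 3600))
    # Threshold of 1 keeps the module's current behaviour: block on the first hit.
    print("threshold=1, window=3600:", process_hits(SAMPLE_HITS, 1, 3600))
    # A very short window lets events expire before the count reaches the threshold.
    print("threshold=5, window=2:   ", process_hits(SAMPLE_HITS, 5, 2))
```

With the 5-per-hour setting the scanner is still blocked (on its fifth path, a few seconds in) while the single-request client is not; with a threshold of 1 both are blocked on their first hit, which is the existing behaviour. The third call shows why the window matters: a window shorter than the gap between hits never accumulates enough events, so the threshold is effectively disabled.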

findlabnet commented 8 months ago

Done

laryn commented 8 months ago

Amazing, thanks! I will try this out.

findlabnet commented 7 months ago

@laryn, I would like to know if you are satisfied with the realization of your request?

laryn commented 7 months ago

@findlabnet Yes, I believe so! If any issues arise in the future I'll open a ticket. Thanks again.