codeling / bfstop

Brute Force Stop Plugin (for Joomla!)
https://bfstop.bfroehler.info
GNU General Public License v3.0

Feature Request: Global tracking/blocking #195

Open ppetree opened 1 year ago

ppetree commented 1 year ago

We need a global database to insert all the bad actor IP addresses.

I have 4 domains on two ISPs, three on one ISP (shared server) and one on another. Without fail and within 24-36 hours the same IP addresses are used to try to hack into each domain.

My idea is to let the BFStop plugin report permanent blocks to the global database, and the plugin can check the database; if the hacker is in there, just go straight to a permanent block, bypassing the temp blocks altogether.

To monetize this, charge the ISPs to get their IP addresses out of hock. This will motivate the ISPs to stop the nonsense on their end. A similar strategy is used by anti-spam processes, and once an IP address gets added to their database it's usually a short time before the ISP bans that account.

Periodically, the site admin can run a sync and clear out blocked IP addresses that have been cleared.

codeling commented 1 year ago

In principle a good idea; but I don't believe a new database targeted only for usage within bfstop is necessary - a quick search revealed that there are a few such databases around already, see for example https://www.reddit.com/r/cybersecurity/comments/sz2qrx/public_list_of_knownmalicious_ip_addresses/, https://www.abuseipdb.com/, https://www.ipqualityscore.com/ip-reputation-check, https://www.projecthoneypot.org/list_of_ips.php

At the moment I don't have time unfortunately, but if you are willing to implement a link to one or more of those existing services, contributions are always welcome!

ppetree commented 1 year ago

I run 6 (was 4) small Joomla sites and usually within 12-24 hours (they're getting faster) I see the same BF attacks from the same IP addresses on each of those servers. Unfortunately, like you, I don't have the time to dig in and write it.

codeling commented 1 year ago

Creating a separate database for this purpose would, I currently believe, come with more hassle than it's worth (money required to run it, effort for administration, potential legal issues, etc.).

I've found yet another potential provider of info on IP addresses though: https://www.criminalip.io. I have to dig a bit deeper there, if there is such a service with a good public API, I might consider including a check against such an existing, external database in the future. See also https://github.com/codeling/bfstop/issues/76 for other ideas on potential additional checks.
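How such a check against an existing external reputation service could feed the plugin's block decision, as an added example that is not bfstop code nor part of this thread. It assumes an AbuseIPDB-style JSON response carrying a `data.abuseConfidenceScore` field; the thresholds and the sample response are constructed for illustration.

```php
<?php
// Added example, not part of bfstop: escalate to a permanent block when an
// external reputation score says the address is a known bad actor, while
// keeping the plugin's own local counting as the baseline.
declare(strict_types=1);

// Assumed thresholds (not bfstop settings).
const REPUTATION_BLOCK_THRESHOLD = 90; // score (0-100) at which temp blocks are skipped
const LOCAL_PERMANENT_AFTER      = 5;  // local failures before a purely local permanent block

/**
 * Parse an AbuseIPDB-style response body (assumed format).
 * Returns the confidence score (0-100), or null when the body is absent,
 * malformed or lacks the field, so a failed lookup is treated as "unknown".
 */
function reputationScore(?string $jsonBody): ?int
{
    if ($jsonBody === null) {
        return null;
    }
    $decoded = json_decode($jsonBody, true);
    if (!is_array($decoded) || !isset($decoded['data']['abuseConfidenceScore'])) {
        return null;
    }
    $score = $decoded['data']['abuseConfidenceScore'];
    return is_int($score) && $score >= 0 && $score <= 100 ? $score : null;
}

/**
 * Block decision: 'permanent', 'temporary' or 'none'.
 * The external score only ever escalates: an unavailable or low score never
 * weakens the local rule, so an outage of the service cannot unblock anyone.
 */
function blockDecision(int $localFailures, ?int $score): string
{
    if ($localFailures >= LOCAL_PERMANENT_AFTER) {
        return 'permanent';
    }
    if ($score !== null && $score >= REPUTATION_BLOCK_THRESHOLD) {
        return 'permanent'; // already reported elsewhere: skip the temporary stage
    }
    return $localFailures > 0 ? 'temporary' : 'none';
}

// Constructed sample response for a widely reported address (documentation IP).
$sampleBody = '{"data":{"ipAddress":"198.51.100.23","abuseConfidenceScore":100,"totalReports":42}}';
echo blockDecision(1, reputationScore($sampleBody)), "\n";    // first failure, but known bad actor
echo blockDecision(1, reputationScore(null)), "\n";           // lookup failed: local rule only
echo blockDecision(1, reputationScore('{"data":{}}')), "\n";  // field missing: local rule only
```

Cache lookup results per address for a while before calling a live service from a login hook, since every failed login would otherwise trigger an outbound request and exhaust the provider's rate limit.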

ppetree commented 1 year ago

Like I said in my earlier post, charging the ISP to unblock their blocked IP addresses would be the way to monetize this. With millions of Joomla sites in use, it wouldn't take long for the bad actors to be forced to clean up their acts.

They do this same thing with spammers. Once that IP is tagged as a spammer then basically you're locked out and can't even send legitimate emails. Then the spammer has to move somewhere else and the ISP has to clean up the mess which means tracking down the IP through several online databases and paying to lift the ban. Hostgator and other hosting providers really cap those outbound emails for this very reason.

As for the other ideas in #76, I'd have to sit and play with each of the hacks. Since I moved from Hostgator to a2hosting I rarely see a BF attempt, so that might be a bit harder.