Some visitors are looking for WordPress vulnerabilities, which is causing log spam with 404s.
Maybe just collecting IPs that try to load a URL starting with /wp-admin/ or /wp-content and immediately banning them would work.
Detect the IP on access to WordPress-like URLs
Add the IP to a cached array
Start the router work by comparing the visitor IP with this list and display an error message
The downside would be that this list would be cleared on each deploy as we empty the cache.
IPs are reset every 24h when Heroku restarts the dyno
IPs are reset on every deploy as it flushes the cache
The JSON file is not necessarily synced between dynos. Since we have 2 dynos, a refresh of the page works 50% of the time, but it seems that after 15 minutes they are synced again.
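
The three steps above (detect, record, check before routing) as an added Python example, not code from this project. `BanList`, `client_ip`, `check_request`, the 24h TTL and the 403 status are hypothetical names and choices; it assumes the app runs behind a proxy that appends the connecting address as the last `X-Forwarded-For` entry, and the list lives in process memory, so it resets on restart just as described above.

```python
import time

# Path prefixes named in the issue; a hit on either one triggers a ban.
PROBE_PREFIXES = ("/wp-admin/", "/wp-content")
BAN_TTL_SECONDS = 24 * 3600  # assumption: bans last as long as one dyno cycle


class BanList:
    """In-process ban list mapping IP -> expiry timestamp (lost on restart)."""

    def __init__(self, ttl=BAN_TTL_SECONDS, clock=time.time):
        self._ttl, self._clock, self._expiry = ttl, clock, {}

    def ban(self, ip):
        self._expiry[ip] = self._clock() + self._ttl

    def is_banned(self, ip):
        expires = self._expiry.get(ip)
        if expires is None:
            return False
        if expires <= self._clock():
            del self._expiry[ip]  # drop expired entries lazily
            return False
        return True


def client_ip(forwarded_for, remote_addr):
    # Assumption: the platform router appends the connecting address as the
    # last X-Forwarded-For entry. Earlier entries are client-supplied, and
    # trusting them would let a scanner get someone else's address banned.
    if forwarded_for:
        return forwarded_for.split(",")[-1].strip()
    return remote_addr


def check_request(banlist, path, forwarded_for=None, remote_addr=""):
    """Run before routing: return 403 to reject, None to continue routing."""
    ip = client_ip(forwarded_for, remote_addr)
    if banlist.is_banned(ip):
        return 403
    if path.lower().startswith(PROBE_PREFIXES):
        banlist.ban(ip)  # ban on the first probe, as the issue proposes
        return 403
    return None
```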