Hostname blocking doesn’t work

  • Resolved justatest47

    (@justatest47)


    7 years, 10 months ago

    I am unable to block a few hostnames I am having severe problems with. They act like DDOS attacks constantly hammering the website. amazonaws.com bglan.net poneytelecom.eu and your-server.de
    Out of all those 4 the most aggressive are amazonaws.com and bglan.net
    They are shown in Live Traffic as this:

    United States Ashburn, United States was blocked for Manual block by administrator at http://www.website.com/bla-bla-url
    7/22/2018 2:08:26 PM (51 seconds ago)
    IP: 54.237.125.34 Hostname: ec2-54-237-125-34.compute-1.amazonaws.com
    Human/Bot: Bot
    Browser: undefined
    Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Googlebot-Compatible Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8

    and

    Bulgaria Sofia, Bulgaria was blocked for Manual block by administrator at http://www.website.com/bla-bla-url
    7/22/2018 2:08:14 PM (1 minute ago)
    IP: 151.237.25.65 Hostname: 151.237.25.65.bglan.net
    Human/Bot: Bot
    Browser: Edge version 16.0 running on Win10
    Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299

    I went to Wordfence, Firewall, Blocking and under Hostname I said amazonaws.com but nothing. It does not block the entire domain. Then I said in Referrer amazonaws still nothing. It only works when I manually block their IPS but no matter how many I block they always come with new IPs. This is perhaps the most inefficient way to block such an attack, by IP… I know I can block IP ranges but I still find this highly inefficient as they can always come up with new IP ranges. So I want to block their entire hostnames.

    I am running Apache 2.4 and I even tried adding various blocking codes in .htaccess but still nothing, their hits show up in live traffic. Why?

    Here’s what I tried:
    <RequireAll>
    Require all granted
    Require not host amazonaws.com
    Require not host bglan.net
    Require not host poneytelecom.eu
    Require not host your-server.de
    </RequireAll>

    And this code doesn’t work because since they are blocked in .htaccess directly by Apache, they shouldn’t even show up in Wordfence live traffic. Since they DO show up I guess my blocking codes from .htaccess don’t work for some reason. Does anyone have a correct .htaccess blocking code for blocking these bots from ever accessing the site or an explanation why Wordfence isn’t blocking their hostnames? Please help. Thank you

Viewing 7 replies - 1 through 7 (of 7 total)
  • mountainguy2

    (@mountainguy2)

    7 years, 10 months ago

    Are you using wildcards in your Wordfence blocking rules? Examples from my Wordfence
    Hostname
    *.sadecehosting.net
    *.amazonaws.com

    Or referrer
    *notey*

    Using .htaccess is a convenient way of doing some Apache configuration, but it’s resource intensive as it reloads during every every page load, so it’s best to keep it short and not including demanding routines. Blocking using Wordfence application firewall is less resource intensive.

    Consider working your defense from the “application side.” IN other words, concentrate on configuring Wordfence and perhaps use a few more security plugins:
    WPS Hide Login
    IQ Block Country with Admin Block enabled ($5.00 year)

    Two things with Wordfence 1)When frequency blocking, set with fairly lengthy block times, I use two days 2)If you study your logs and such, you’ll see certain types or specific URLs the bots are attacking, develop your own rules with wildcards, and create a robust list of blocks in the Wordfence Immediatly Block URLs feature.

    Thread Starter justatest47

    (@justatest47)

    7 years, 10 months ago

    Yes I used wildcards, here’s an example:
    Advanced Block User Agent – amazonaws, Hostname – *.amazonaws.com 21/07/2018 16:08 Hammering Permanent 0 Never
    As you can see, 0 blocks….?

    Nothing…. I don’t want to block the entire USA just because of amazonaws.com
    So that is out of the question. I don’t know how .htaccess would consume more resources than Wordfence, it makes absolutely zero sense as Wordfence has to go through Apache in order to make the blocks so if anything .htaccess should consume less resources. Anyway that’s not the issue, I only resorted to .htaccess because Wordfence hostname blocking doesn’t work and surprise, .htaccess hostname blocking also doesn’t work.

    Here’s a very interesting experiment I made:
    I added my own IP in .htaccess and it only partially works. I am getting blocked from visiting any wordpress dashboard page, but I am not getting blocked from visiting the external website. Like an article for example. What the heck? I don’t understand, it makes my head explode! I need to mention that I’m using WP-Supercache and Cloudflare at the same time. Can this be some sort of caching issue???

    Thanks for your help mountainguy2 ! I really appreciate it!

    mountainguy2

    (@mountainguy2)

    7 years, 10 months ago

    Caching will drive you crazy with this sort of thing, while testing eliminate all caching possible, and of course clear browser cache before any testing. I use an entirely separate computer on a VPN IP address for testing.

    The speed issue is nuanced. I’ve tested Wordfence for overhead and it’s amazingly fast. WordFence tech support told me once that it’s better and faster in many ways than .htacces, due to how Wordfence performs blocking, etcettera. My tests verified that. The main problem with .htaccess is that it loads over and over and over again, if it’s got slow stuff in it, like reverse DNS lookups and huge IP tables, plus lots of redirects, it’s resource intensive. Google it up, this is common knowledge. To actually utilize Apache efficiently requires setting up security at the upper level, using software such as CSF or ModSecurity. Doing so is good because it helps limit the server login and SFTP login attacks that neither .htaccess nor Wordfence have any effect on. I spent years tweaking .htaccess, with a high traffic site at issues with bandwidth, in my experience it’s better to keep the .htaccess simple and short, and use either application firewalls or again, full-on server firewalls such as CSF. My two cents, anyway.

    MTN

    Thread Starter justatest47

    (@justatest47)

    7 years, 10 months ago

    I already have CSF installed but in CSF you can only block IPs, not hostnames, check and see for yourself if you don’t believe me. I don’t know about mod_security though if you can block hostnames in it. I appreciate your advises but don’t worry my .htaccess is pretty clean. Its not too loaded with junk. Adding a few hostnames in it shouldn’t be a problem for a decent VPS anyway. Besides I simply am unable to find a way of blocking hostnames. Nothing works, not even Wordfence can block hostnames. I can block IPs through various ways, I don’t need help with that, I need help with blocking hostnames. That is what doesn’t work for me no matter what I do and I don’t know why.

    This amazonaws is driving me crazy. After more indepth study I learned that this is an attack from CCBOT: http://commoncrawl.org/big-picture/frequently-asked-questions/ which uses Amazon AWS
    Don’t worry, I already added this User-agent: CCBot Disallow: /
    to my robots.txt but such a bad bot doesn’t give a …. you know what about robots.txt
    It completely ignores it and goes on doing its job hammering with thousands of requests per day. I think Im getting somewhere around 10.000-20.000 hits from this bot! This is basically no different than DDOS! I blocked all its IPs but it always comes with new IPs! I need to block the entire hostname amazonaws. HOW??? Can anyone help please?

    mountainguy2

    (@mountainguy2)

    7 years, 10 months ago

    In any case, again, perhaps try approaching this from the “other” side using Wordfence, working on your frequency blocking and blocking specific URLs that the bots perhaps are attacking. I’ve found the frequency blocking to be super effective, as well as the URL blocking. Sorry, I’m as mystified as you are as to why you can’t simply block everything coming from amazonaws, perhaps someone from Wordfence could chime in here. MTN

    wfalaa

    (@wfalaa)

    7 years, 10 months ago

    Hi @justatest47

    I’ve tested the option to block hostnames in Wordfence and I can see it’s working fine, there is an easy way to test that, you can go to (Wordfence > Blocking > Advanced Blocking) and -temporarily- block “*.amazonaws.com” hostname (please don’t fill in the useragent or any other field except the reason field), then go to “GeoPeeker” website to generate traffic for your site, now you can see these blocked requests in Live Traffic log.

    These request has no “amazonaws.com” as their user agent, perhaps that’s why your rule isn’t working.

    Let me know how it goes,
    Thanks.

    wfalaa

    (@wfalaa)

    7 years, 8 months ago

    Hi @justatest47

    Since we haven’t heard from you for a while I’m going to go ahead and resolve this thread. If you have any other questions or concerns, don’t hesitate to open a new one.

    Thanks.

Viewing 7 replies - 1 through 7 (of 7 total)

The topic ‘Hostname blocking doesn’t work’ is closed to new replies.

Tags