Support » Plugin: IP Geo Block » tor and aws

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi djsteveb,
    Thank you for your interesting proposal!

    I know this plugin is not perfect and almighty to block malicious accesses to the WP core. So I can understand your proposal.

    Speaking about banning tor exit nodes, several thousands of IPs can be found in the tor listing services. I think those IPs are better handled by server-level access control, e.g. .htaccess, than at the PHP level if you wish to block accesses to specific files such as wp-login.php and xmlrpc.php.

    Maybe I can provide some functionality to get such IPs in a background process (with the If-Modified-Since HTTP header) and save them into the cache, whose data size will be less than a few KB in the case of IPv4, in order to minimize the load on the server.

    But I can’t decide if I should implement these because the tor blocking plugin is not so popular in WP.org.

    So I’d like to try to investigate how many malicious IPs in the tor list posted on my site (like a honey pot). And I keep this thread open to enjoy myself with this kind of discussion.

    I’ll appreciate @djsteveb and anyone to join to this thread.

    Thanks!

    Thank you for considering this!
    I think the wp community would greatly benefit from having a new plugin that is similar to the ip geo block and similar to how the tor block gives option to allow or disallow “viewing your site” “logging in” making “post” (instead of just get) – and all that – with the list of Amazon AWS ips..

    even if you do not add options for blocking tor – it would be great to see you consider making one to block amazon aws –

    I just added ~ 1.5 million ips (using several CIDRs) from amazon’s cloud data center to a few sites’ htaccess to block them.. but I know I did not get them all, and I know there will be more hacking attempts from that datacenter within 24 hours – I see them in my logs from sucuri, and other logs.

    I am tracking and looking for other large datacenters that are doing / allowing similar amount of abusive hacking / logging in / registering attempts as well.

    Thanks again for this much needed system you have put together here!

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi djsteveb,

    Some thoughts about “1.5 million of IPs”…

    If all of them are IPv4, the size of database may be approximately 6MB. As compared with the MaxMind Geo IP database for IPv6 which size is 1.5MB, it’s not fable.

    By the way, I have some questions:

    1. AFAIK, amazon AWS maps their IPs both statically and dynamically. And even if the IPs are mapped dynamically, I assume that the routing information would not be changed so frequently. Am I right?

    2. If we can get the name server for such IPs from AWS, it always would include “AWSDNS”. Is it right?

    Thanks in advance.

    They have a json file posted –
    https://ip-ranges.amazonaws.com/ip-ranges.json

    52 Kb ? size?

    I was able to (or at least trying to block)
    1.5 mill of their ips by adding these two cidr’s to firewall and htaccess:
    deny from 54.72.0.0/13
    deny from 54.80.0.0/12

    (I think that is 1 million ips – I’m trying to learn / understand how the math works on this stuff – this shows it being 1.5 mill – http://myip.ms/info/whois/54.91.142.8)

    Of course they have many more outside these ranges.. and I’m not an expert on this stuff – so best practices – dunno.

    looks like their reverse dns does include : amazonaws . com
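The CIDR arithmetic asked about in the post above, as an added example that is not part of the original thread or the plugin's code. The JSON is a constructed sample laid out like ip-ranges.json (only the two 54.x CIDRs come from the post), and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the layout of ip-ranges.json. Regions and the
# 198.51.100.x entries are made up; only the 54.x CIDRs are from the post.
SAMPLE_JSON = """
{
  "syncToken": "0",
  "createDate": "1970-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "54.72.0.0/13", "region": "example-1", "service": "EC2"},
    {"ip_prefix": "54.80.0.0/12", "region": "example-2", "service": "EC2"},
    {"ip_prefix": "54.80.0.0/13", "region": "example-2", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25", "region": "example-3", "service": "EC2"},
    {"ip_prefix": "198.51.100.128/25", "region": "example-3", "service": "EC2"}
  ]
}
"""

def count_addresses(cidrs):
    """A /N IPv4 block holds 2**(32 - N) addresses; sum over all blocks."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)

def load_networks(doc):
    """Parse the IPv4 prefixes and merge duplicates, nested and adjacent blocks."""
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in json.loads(doc)["prefixes"]]
    return list(ipaddress.collapse_addresses(nets))

def is_listed(ip, networks):
    """True if the address falls inside any of the networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def deny_lines(networks):
    """Render the merged list in the 'deny from' form used in the post."""
    return ["deny from %s" % net for net in networks]

if __name__ == "__main__":
    # /13 = 524,288 and /12 = 1,048,576 addresses: 1,572,864 in total.
    print(count_addresses(["54.72.0.0/13", "54.80.0.0/12"]))
    merged = load_networks(SAMPLE_JSON)
    print("\n".join(deny_lines(merged)))
    print(is_listed("54.91.142.8", merged))
```

The two 54.x blocks are adjacent but do not merge into one CIDR, because 1,572,864 is not a power of two; the nested /13 and the two /25 halves do collapse.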

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi djsteveb,

    I see, 1.5 million ips with CIDR. That’s great!

    In the next release, I will add the white/black list of IPs with CIDR notation to bypass/block the specified IPs which was proposed by Fabiano.

    I have tried to put all the ips you provide by json (# of entries is 502, with comma separated) into the above black list. I found that the impact to the site performance is not high.

    In the next release (maybe 2.2.0), I’m planning to equip this plugin with some new features to enhance the protection ability. So I’m happy if you assess the new features in near future!!

    @tokkonopapa

    I am glad you are considering this. Right now AWS is the most abused network trying to brute force login on several of our sites.

    I would like to note that with one of our servers that runs free-bsd – the cidr notation does not seem to work well when blocking via htaccess – allow / deny for some reason – works fine with our other apache servers though it seems.

    with our free bsd system (has all kinds of custom settings by our server management company – I have to have them add cidrs to ip tables system, or run the ip blocks in htaccess like:
    123.456.789.
    (to block .1 – .255 )
    and in some cases, 123.456.
    to get whatever 255 * 255 ips is..

    side note – I found several errors in our error log with regards to the tor blocker plugin – I reported them there – but not sure that one is as well thought out and coded as your system is – so perhaps you may consider adding an option to download and add tor ips to your cool system here (?)

    thanks again – you are solving a very large problem that many are only starting to learn about – this is going to be very useful for many people.
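For a host like the FreeBSD server described above, where CIDR entries in .htaccess are not honoured, a CIDR block can be rewritten as the partial-address entries shown in the post. This is an added example, not from the thread; `partial_prefixes` and `htaccess_lines` are hypothetical names, and the 198.51.100.x range is a constructed sample.

```python
import ipaddress

def partial_prefixes(cidr):
    """Expand an IPv4 CIDR into entries of the form 'a.', 'a.b.' or 'a.b.c.'.

    Partial addresses only exist on octet boundaries (/8, /16, /24), so the
    block is split into subnets at the next boundary at or below its size.
    Blocks smaller than a /24 cannot be written as a partial address without
    over-blocking, so they are listed address by address instead.
    """
    net = ipaddress.ip_network(cidr)
    if net.version != 4:
        raise ValueError("partial-address form is IPv4 only")
    if net.prefixlen > 24:
        return [str(addr) for addr in net]
    boundary = next(b for b in (8, 16, 24) if net.prefixlen <= b)
    octets = boundary // 8
    entries = []
    for sub in net.subnets(new_prefix=boundary):
        head = str(sub.network_address).split(".")[:octets]
        entries.append(".".join(head) + ".")
    return entries

def htaccess_lines(cidrs):
    """Render every CIDR as 'deny from' lines without CIDR notation."""
    lines = []
    for cidr in cidrs:
        lines.extend("deny from %s" % e for e in partial_prefixes(cidr))
    return lines

if __name__ == "__main__":
    # The two ranges from the thread: 8 + 16 = 24 second-octet entries.
    for line in htaccess_lines(["54.72.0.0/13", "54.80.0.0/12"]):
        print(line)
```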

    Plugin Author tokkonopapa

    (@tokkonopapa)

    Hi djsteveb,
    I got your situation.

    One thing I would like to say is that I will implement the basic functions to validate a specific set of IPs with CIDR in the next release (maybe 2.2.0). Then you can extend the functionality to fit your demand.

    Please look at this sample. It shows how to extend the basic behavior of this plugin to get IPs from AWS on background and keep them in cache then validate them only when someone request xmlrpc and login. You can also use http://pike.hqpeak.com/ or other services like https://www.dan.me.uk/tornodes in the similar way.

    I’d like to keep the core of this plugin simple and lite but maximize the extensibility.

    Once I close this thread but feel free to post your opinions. I’m very glad to hear from you.

    Thanks.

    Besides Tor, we now support ASN blocking, so you can block / monitor any isp/datacenter/cloud/hosting provider. It is a simple google search to find the ASN for any subject.

    Proxies, i2p and some another networks enumerations are in phase of testing and preparing for deployment to the service.

    https://wordpress.org/plugins/tor-exit-nodes-blocker/

  • The topic ‘tor and aws’ is closed to new replies.