My site has been having issues with scanners for some months now, with the unfiltered traffic bringing it down in just a few seconds. Cloudflare is (unfortunately) not currently an option for technical reasons.
I was happy to be able to remove my hacky /16 blocks with this approach, but I would be much happier if I could specifically identify this traffic. I still have no reliable logging method to distinguish the scanners from real users who are not logged in, despite my having added custom logging statements to the phpbb code to show me what each IP address is doing.
Solutions tried:
1. disabling guest users for most forums
2. iptables blocks on a couple of thousand /16 subnets
3. country code blocking - this is what I'm currently doing
Here is part of a histogram of a minute's worth of unfiltered traffic:
As you can see, Brazil is the main (though not only) source for this traffic by some orders of magnitude. The traffic appears not to be scanning the site, but rather hitting the login and memberlist pages.
<snip>
10 JO
11 KE
16 MA
17 PK
17 US
18 EC
20 UA
20 UZ
25 ZA
31 BD
31 IQ
35 RU
40 AR
45 TR
48 -
946 BR
The traffic I let through in that same minute:
By let through, I mean that I am filtering quite a few country codes at the apache level with geoip. The bot traffic, when I did allow it through, was making login attempts and trying to view the member list.
1 BG
1 CA
1 CN
1 CY
1 CZ
1 GR
1 LK
1 MK
2 DE
2 HU
2 RO
4 FI
15 US
46 -
My custom geoip stuff in my <VirtualHost> block (after enabling mod geoip and mod rewrite in apache)
Code:
<IfModule mod_geoip.c>
  # For performance reasons, it's not recommended to turn GeoIP on serverwide,
  # but rather only in <Location> or <Directory> blocks where it's actually
  # needed.
  GeoIPEnable On
  #GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
</IfModule>
LogFormat "%h %{GEOIP_COUNTRY_CODE}e %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" geoip
CustomLog ${APACHE_LOG_DIR}/access.log geoip
RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(MX|PH|BR|IN|AR|BD|EC|VE|UZ|NP|MA|ZA|TR|RU|IQ|PK|KE|UA|OM|CO|AZ|PY|KZ|DZ|TN|JM|PE|EG|AE|JO|UY|LB|BY|RS|KG|CL|PS|SV|GA|PR|PA|MD|HR|BW|AM|GE|AL|SG|IL|CR|SY|SN|DO|HN|CR|BH|BO|NG|MN|CG|UG|KW|KH|GY|ET|BA|BN|ID|VN|NI|GT|ML|LA|CI|AO|SA|QA|TH|TG|IR)$
RewriteRule ^(.*)$ - [F]
Statistics: Posted by textkit — Sun Mar 16, 2025 1:13 pm
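The post's geoip LogFormat already records the country code next to each request, so the per-country histogram and a per-address count of login/memberlist hits can be pulled straight from access.log instead of from custom hooks in the phpBB code. The script below is an added example, not code from the post or from phpBB/mod_geoip; it assumes phpBB's default login and member-list URLs, and the log lines it runs on are constructed.

```python
import re
from collections import Counter

# Field layout of the post's "geoip" LogFormat:
# %h %{GEOIP_COUNTRY_CODE}e %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<cc>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# The pages the post says the bots hit; assumed to be phpBB's default URLs.
TARGET_PATHS = ("/ucp.php?mode=login", "/memberlist.php")

def parse_line(line):
    """Split one access-log line into its fields (plus 'path'); None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["req"].split(" ")       # "METHOD path HTTP/x.y"
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec

def country_histogram(lines):
    """Requests per country code; '-' means GeoIP had no answer for the address."""
    return Counter(r["cc"] for r in map(parse_line, lines) if r)

def login_memberlist_hitters(lines, threshold=5):
    """Addresses with more than `threshold` hits on the login/memberlist pages."""
    hits = Counter()
    for r in map(parse_line, lines):
        if r and r["path"].startswith(TARGET_PATHS):
            hits[r["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n > threshold}

def _line(ip, cc, method, path):
    # Constructed log line in the geoip format, using documentation-range addresses.
    return (f'{ip} {cc} - - [16/Mar/2025:13:05:01 +0000] "{method} {path} HTTP/1.1" '
            f'200 5123 "-" "Mozilla/5.0"')

# Constructed minute of traffic: one BR address hammering the login form, one
# walking the member list, one US reader, one address GeoIP could not place.
SAMPLE_LOG = ([_line("203.0.113.7", "BR", "POST", "/ucp.php?mode=login")] * 6
              + [_line("198.51.100.9", "BR", "GET", f"/memberlist.php?start={i}") for i in (0, 25, 50)]
              + [_line("192.0.2.5", "US", "GET", "/viewtopic.php?t=1")] * 2
              + [_line("192.0.2.77", "-", "GET", "/index.php")])

if __name__ == "__main__":
    for cc, n in sorted(country_histogram(SAMPLE_LOG).items(), key=lambda kv: kv[1]):
        print(f"{n:>7} {cc}")                     # same shape as the post's histogram
    print(login_memberlist_hitters(SAMPLE_LOG))   # {'203.0.113.7': 6}
```

Pointing `SAMPLE_LOG` at the lines of a real access.log slice (for example one minute cut out with grep on the timestamp) gives the same two views on live traffic, and the threshold can be tuned against what logged-in users actually do in a minute.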