Ravens PHP Scripts: Forums
 

 

Serafim
Worker



Joined: Mar 25, 2006
Posts: 109
Location: Delaware Usa

Posted: Fri Apr 14, 2006 11:13 am

I have a question regarding blocking IP addys. I was reviewing my server logs, which I do on a daily basis, and I saw a few IPs I did not recognize. One was from the UK and was a site view as they only viewed my index.php. The other was from Vienna, Virginia and they viewed the index.php and Admin.php. Why weren't they blocked? Anyways I added them manually. Is this a bad practice? Am I being over protective? As I am a newbie I'm not sure what is really a legit issue and what is not. I gain all my knowledge from veteran Nukers.

montego
Site Admin



Joined: Aug 29, 2004
Posts: 9457
Location: Arizona

Posted: Fri Apr 14, 2006 12:30 pm

You don't have a link to your admin.php from your main index page, do you? Regardless, with HTTPAuth they should not get in AND if they had tried to go "deeper" than admin.php by providing an "op" command, then, yes, they would have been blocked!

Serafim







Posted: Fri Apr 14, 2006 5:06 pm

Thanks, I will take that as I should have blocked them then. There is no link to my Admin page. So this person knew what to look for.
 
evaders99
Former Moderator in Good Standing



Joined: Apr 30, 2004
Posts: 3221

Posted: Fri Apr 14, 2006 9:25 pm

Usually robots.. you can ignore them. Or like I do on some sites, rename the admin script and make the admin.php autoban anyone that even tries to hit it :)

Guardian2003
Site Admin



Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam

Posted: Sat Apr 15, 2006 6:44 am

Out of curiosity, what do you have in your robots.txt file?

What I tend to do is view my tracked IPs via Sentinel - anything showing more than 50 hits gets investigated, and if I find that more than 50 hits were logged during one day AND they were only hitting index.php I look up their whois data.
If I don't 'feel' that IP has a legitimate reason for hitting index.php like that, I ban it.
 
Serafim







Posted: Sat Apr 15, 2006 8:56 am

Here is the contents of my robots.txt. I believe you helped me with this subject as well.

User-agent: *
Disallow: /modules.php?name= [Edited by Guardian]
Disallow: /abuse/
Disallow: /admin/
Disallow: /blocks/
Disallow: /cgi-bin/
Disallow: /db/
Disallow: /images/
Disallow: /includes/
Disallow: /language/
Disallow: /modules/
Disallow: /themes/
Disallow: /admin.php
Disallow: /config.php
Disallow: /conf/
Disallow: /chat/
Disallow: /other/
Disallow: /scripts/

I have been looking around a few search engines and I was amazed to see exactly what has been crawled prior to my updating the robots.txt. I had to manually add a bot called inktomi slurp to my harvester list. They have crawled my site several times using various IPs.
 
guidyy
Worker



Joined: Nov 22, 2004
Posts: 208
Location: Italy

Posted: Sat Apr 15, 2006 12:00 pm

Well, you kicked out Yahoo.... :D
 
Guardian2003







Posted: Sat Apr 15, 2006 12:01 pm

Robots.txt is good.
inktomi/Slurp/inktomisearch.com can be a real pain.
Adding 'Slurp' (without the single quotes) to Sentinel's referer blocker should banish the majority.
 
Serafim







Posted: Sat Apr 15, 2006 4:19 pm

LOL thanks for editing that line of code Guardian, I never even thought about editing out that line. Will add the slurp and pay close attention to high volume hits that are not trusted members. Thanks for all the guidance everyone, I guess I'm a bit ban happy. But I will say it's far better to be safe than sorry. My question has once again been answered, thanks again.
 
Guardian2003







Posted: Sat Apr 15, 2006 5:06 pm

No problem.
For the sake of completeness, Slurp and Inktomi are bots associated with Yahoo.
The main issue arises because Yahoo makes its bots available for others to use, so therefore they can be quite bandwidth hungry at times.
 
guidyy







Posted: Sat Apr 15, 2006 11:38 pm

Guardian2003 wrote:
Robots.txt is good.
inktomi/Slurp/inktomisearch.com can be a real pain.
Adding 'Slurp' (without the single quotes) to Sentinel's referer blocker should banish the majority.


You are right, it can be a pain.. but since 60% of my traffic comes from Yahoo search I'm more than happy to have a dozen inktomi bots hanging around 24/7 :D
Guido
 
Serafim







Posted: Sun Apr 30, 2006 9:52 am

I do not have an issue with Yahoo. But their bots are not following the robots text so they will get the boot. I was amazed to see just what info they had posted when I searched my site in their search engine. I do offer Yahoo search though. I may remove that as well, kinda seems unfair lol. But if they complied with the robots text this would not be an issue.
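
One way to check from the access log whether a crawler is honouring the robots.txt posted above, counting only requests made after the rules went live. This is an added example, not part of any post: the rules are a subset of the ones in the thread, and the agent names, dates and requests are constructed.

```python
from datetime import datetime
from urllib.robotparser import RobotFileParser

# Subset of the rules posted in the thread (the moderator-edited line is left out).
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /includes/
Disallow: /modules/
Disallow: /admin.php
Disallow: /config.php
"""

def robots_violations(robots_txt, requests, rules_live_since):
    """Map each user agent to the disallowed paths it fetched after the rules went live."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    found = {}
    for when, agent, path in requests:
        if when < rules_live_since:
            continue  # crawled before the rule existed: old index entries, not a violation
        if not parser.can_fetch(agent, path):
            found.setdefault(agent, set()).add(path)
    return {agent: sorted(paths) for agent, paths in found.items()}

# Constructed sample: the date the robots.txt was updated is an assumption.
RULES_LIVE = datetime(2006, 4, 10)
# Constructed sample requests: (timestamp, user agent token, requested path).
SAMPLE_REQUESTS = [
    (datetime(2006, 4, 2, 9, 0), "ExampleBot-A", "/modules/News/index.php"),  # before the update
    (datetime(2006, 4, 20, 9, 0), "ExampleBot-A", "/index.php"),              # allowed
    (datetime(2006, 4, 21, 3, 0), "ExampleBot-B", "/admin.php"),              # disallowed
    (datetime(2006, 4, 21, 3, 1), "ExampleBot-B", "/includes/"),              # disallowed
    (datetime(2006, 4, 21, 3, 2), "ExampleBot-B", "/modules.php?name=News"),  # not in this subset
]

if __name__ == "__main__":
    report = robots_violations(ROBOTS_TXT, SAMPLE_REQUESTS, RULES_LIVE)
    for agent, paths in report.items():
        print(agent, "requested disallowed paths:", ", ".join(paths))
```

Pages that still show up in a search engine after the update may simply have been indexed before it, which is why the cut-off date matters before treating a bot as non-compliant.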
 
Adrenalizer3
Regular



Joined: Jun 22, 2003
Posts: 54

Posted: Fri Dec 01, 2006 8:41 pm

Quote:
What I tend to do is view my tracked IPs via Sentinel - anything showing more than 50 hits gets investigated, and if I find that more than 50 hits were logged during one day AND they were only hitting index.php I look up their whois data.
If I don't 'feel' that IP has a legitimate reason for hitting index.php like that, I ban it.


My question is this:

I have someone who is staying on my site for long periods of time but I can't tell who it is because their IP address shows as none () in Sentinel.

When I view display tracked IPs, in one day I had 153 hits. This makes me suspicious but obviously when I do a who-is there is no information on this person sitting at my site. Maybe he's enjoying the music? LOL How do I pinpoint this IP and ban them? I am assuming it's a guest and not a registered user? If a user, how do I find out? Please help.

Thanks guys!
 
evaders99







Posted: Fri Dec 01, 2006 10:37 pm

I'm surprised the tracked IP isn't working. There is an IP Tracking module that I've seen, also I believe MS_Analysis can give you that data. Perhaps some other security add-ons too.

Besides that, you'd have to go to the server level.. access logs that may or may not be provided by your host
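
The daily review Guardian2003 describes earlier in the thread (more than 50 hits in one day, all on index.php), run against raw server access logs as evaders99 suggests. This is an added example, not part of any post or of NukeSentinel; it assumes Apache Combined Log Format and that `/` is served by index.php, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [day/Mon/year:time zone] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^:\]]+):[^\]]*\] "(?:GET|POST|HEAD) (\S+)[^"]*" (\d{3})')

HIT_THRESHOLD = 50  # "more than 50 hits ... during one day", as stated in the thread

def review_candidates(lines, threshold=HIT_THRESHOLD):
    """Return sorted (ip, day, hits) with hits > threshold and only index.php requested."""
    hits = defaultdict(int)
    paths = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at their fields
        ip, day, target, _status = m.groups()
        path = target.split("?", 1)[0]
        if path == "/":
            path = "/index.php"  # assumption: the site root is served by index.php
        hits[(ip, day)] += 1
        paths[(ip, day)].add(path)
    return sorted((ip, day, n) for (ip, day), n in hits.items()
                  if n > threshold and paths[(ip, day)] == {"/index.php"})

def sample_log():
    """Constructed sample log; addresses are from the 192.0.2.0/24 documentation range."""
    def line(ip, day, path):
        return f'{ip} - - [{day}:10:00:00 -0600] "GET {path} HTTP/1.1" 200 512 "-" "-"'
    lines = [line("192.0.2.10", "15/Apr/2006", "/index.php")] * 60   # index.php only, over 50
    lines += [line("192.0.2.20", "15/Apr/2006", "/index.php")] * 55  # over 50, but this visitor
    lines += [line("192.0.2.20", "15/Apr/2006", "/modules.php?name=Forums")] * 5  # also browsed
    lines += [line("192.0.2.30", "15/Apr/2006", "/index.php")] * 50  # exactly 50 is not "more than"
    lines += [line("192.0.2.40", "14/Apr/2006", "/index.php")] * 30  # 60 hits in total, but
    lines += [line("192.0.2.40", "15/Apr/2006", "/index.php")] * 30  # split across two days
    lines.append("truncated or garbage line")
    return lines

if __name__ == "__main__":
    for ip, day, n in review_candidates(sample_log()):
        print(f"{ip}: {n} index.php-only requests on {day}; look up whois before banning")
```

The output is a shortlist for the whois lookup and judgement call described in the thread, not a ban list.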
 
All times are GMT - 6 Hours
 