tor and aws

Resolved djsteveb
(@djsteveb)

10 years, 7 months ago

Thank you SO much for this awesome and needed plugin!

I am wondering if you could make another plugin, like this one, but one that will pull the amazon aws json and add an option to block from all IPs that come from there?

I was thinking if someone could take the tor blocker plugin
( https://ww.wp.xz.cn/plugins/tor-exit-nodes-blocker/ )

and mod that so it read the amazon json info.. and instead of going to a 3rd party site to lookup the info, the info was cached on our site (like ip geo block does)…

and the tor blocker plugin gives option to just block people from accessing comments, logins, post.. and still let them read / visit the pages..
having these options is interesting..

Some people will want the default “let people visit site, but not post data if from tor (or what I want is tor and amazon aws) ip addy”

However some of us want to prevent all visits from amazon aws – I know there is debate on that.. some people use amazon aws for vpn connections and legit proxies – however many others use amazon aws to run scraper bots..

however my main problem is after enabling ip geo block, the hackers are now trying to brute force login via login form and xmlrpc using cheap or hacked amazon aws vps servers.

A fork of the tor blocker would be cool – adding an option for tor lookups into ip geo block would be cool too – I see many of our hackers are switching to use that method as well when they are locked out from using Ukraine and Brazil to attack our sites.

Thanks again for the excellent plugin. Wish you had a donation button here.

https://ww.wp.xz.cn/plugins/ip-geo-block/

Viewing 8 replies - 1 through 8 (of 8 total)

Plugin Author tokkonopapa
(@tokkonopapa)

10 years, 7 months ago

Hi djsteveb,
Thank you for your interesting proposal!

I know this plugin is not perfect and almighty to block malicious accesses to the WP core. So I can understand your proposal.

Speaking about banning tor exit nodes, several thousands of IPs can be found in the tor listing services. I think those IPs are better to be handled by the server level access control e.g. .htacces than by PHP level if you wish to block the acceses to the specified files such as wp-login.php and xmlrpc.php.

May be I can provide some functionarities to get such IPs in background process (with If-Modified-Since HTTP header) and save them into the cache which data size will be less than a few KB in case of IPv4, in order to minimize the load on the server.

But I can’t decide if I should implement these because the tor blocking plugin is not so popular in WP.org.

So I’d like to try to investigate how many malicious IPs in the tor list posted on my site (like a honey pot). And I keep this thread open to enjoy myself with this kind of discussion.

I’ll appreciate @djsteveb and anyone to join to this thread.

Thanks!

Thread Starter djsteveb
(@djsteveb)

10 years, 7 months ago

Thank you for considering this!
I think the wp community would greatly benefit from having a new plugin that is similar to the ip geo block and similar to how the tor block gives option to allow or disallow “viewing your site” “logging in” making “post” (instead of just get) – and all that – with the list of Amazon AWS ips..

even if you do not add options for blocking tor – it would be great to see you consider making one to block amazon aws –

I just added ~ 1.5 million ips (using several cdir)s from amazon’s cloud data center to a few sites’ htaccess to block them.. but I know I did not get them all, and I know there will be more hacking attempts from that datacenter within 24 hours – I see them in my logs from sucuri, and other logs.

I am tracking and looking for other large datacenters that are doing / allowing similar amount of abusive hacking / logging in / registering attempts as well.

Thanks again for this much needed system you have put together here!

Plugin Author tokkonopapa
(@tokkonopapa)

10 years, 7 months ago

Hi djsteveb,

Some thoughts about “1.5 million of IPs”…

If all of them are IPv4, the size of database may be approximately 6MB. As compared with the MaxMind Geo IP database for IPv6 which size is 1.5MB, it’s not fable.

By the way, I have some questions:

1. AFAIK, amazon AWS maps their IPs both statically and dynamically. And even if the IPs are mapped dynamically, I assume that the routing information would not be changed so frequently. Am I right?

2. If we can get the name server for such IPs from AWS, it always would include “AWSDNS”. Is it right?

Thanks in advance.

Thread Starter djsteveb
(@djsteveb)

10 years, 7 months ago

They have a json file posted –
https://ip-ranges.amazonaws.com/ip-ranges.json

52 Kb ? size?

I was able to (or at least trying to block)
1.5 mill of their ips by adding these two cidr’s to firewall and htaccess:
deny from 54.72.0.0/13
deny from 54.80.0.0/12

(I think that is 1 million ips – I’m trying to learn / understand how the math works on this stuff – this shows it being 1.5 mill – http://myip.ms/info/whois/54.91.142.8

Of course they have many more outside these ranges.. and I’m, not an expert on this stuff – so best practices – dunno.

looks like their reverse dns does include : amazonaws . com

Plugin Author tokkonopapa
(@tokkonopapa)

10 years, 7 months ago

Hi djsteveb,

I see, 1.5 million ips with CIDR. That’s great!

In the next release, I will add the white/black list of IPs with CIDR notation to bypass/block the specified IPs which was proposed by Fabiano.

I have tried to put all the ips you provide by json (# of entries is 502, with comma separated) into the above black list. I found that the impact to the site performace is not heigh.

In the next release (may be 2.2.0), I’m planning to equip this plugin some new features to enhance the protection ability. So I’m happy if you assess the new features in near future!!

Thread Starter djsteveb
(@djsteveb)

10 years, 7 months ago

@tokkonopapa

I am glad you are considering this. Right now AWS is the most abused network trying to brute force login on several of our sites.

I would like to note that with one of our servers that runs free-bsd – the cidr notation does not seem to work well when blocking via htaccess – allow / deny for some reason – works fine with our other apache servers though it seems.

with our free bsd system (has all kinds of custom settings by our server management company – I have to have them add cidrs to ip tables system, or run the ip blocks in htaccess like:
123.456.789.
(to block .1 – .255 )
and in some cases, 123.456.
to get whatever 255 * 255 ips is..

side note – I found several errors in our error log with regards to the tor blocker plugin – I reported them there – but not sure that one is as well thought out and coded as your system is – so perhaps you may consider adding an option to download and add tor ips to your cool system here (?)

thanks again – you are solving a very large problem that many are only starting to learn about – this is going to be very useful for many people.

Plugin Author tokkonopapa
(@tokkonopapa)

10 years, 7 months ago

Hi djsteveb,
I got your situation.

One thing I would like to say is that I will implement the basic functions to validate specific set of IPs with CIDR in the next release (may be 2.2.0). Then you can extend the functionarity to fit your demand.

Please look at this sample. It shows how to extend the basic behavior of this plugin to get IPs from AWS on background and keep them in cache then validate them only when someone request xmlrpc and login. You can also use http://pike.hqpeak.com/ or other services like https://www.dan.me.uk/tornodes in the similar way.

I’d like to keep the core of this plugin simple and lite but maximze the extensibility.

Once I close this thread but feel free to post your opinions. I’m very glad to hear from you.

Thanks.

hqpeak
(@hqpeak)

10 years, 5 months ago

Beside Tor now we support ASN blocking, so you can block / monitor any isp/datacenter/cloud/hosting provider. It is simple google search to fins asn for any subject.

Proxies, i2p and some another networks enumerations are in phase of testing and preparing for deployment to the service.

https://ww.wp.xz.cn/plugins/tor-exit-nodes-blocker/

Viewing 8 replies - 1 through 8 (of 8 total)

The topic ‘tor and aws’ is closed to new replies.

Tags