Jamit Software Forum

Jamit Job Board Customers => Plugins => Topic started by: Adam on August 01, 2009, 11:10:36 am



Title: Traffic Filter Plugin
Post by: Adam on August 01, 2009, 11:10:36 am
Just released the traffic filter plugin today. Available to download from http://www.jamit.com/plugins/TrafficFilter.zip

Description: Filters (redirects, blocks) traffic depending on country, User-Agent, IP address, IP range, IP mask (CIDR), usage of proxy by redirection to customizable URL(s). Uses both blacklisting and whitelisting. This plugin can be used for improving security, filtering or blocking undesirable traffic, or just redirecting specific users to another localized job board. NOTE: After enabling this plugin, you must install database tables by selecting Configure->Install Tables.

See README.txt for installation details


Title: Re: Traffic Filter Plugin
Post by: CompuDave on August 01, 2009, 02:29:15 pm
Excellent idea for a plugin - this is going to make a huge difference - thanks!


Title: Re: Traffic Filter Plugin
Post by: Peter on August 03, 2009, 06:19:06 am
This plugin was released as beta, although we have taken great care developing it. The version may soon be upped to full 1.0.

We hope that those of you who will install it and use it will give us some feedback!

Enjoy!


Title: Re: Traffic Filter Plugin
Post by: dotmagic on August 03, 2009, 10:22:53 am
Excellent plugin and well done.

I see that u have added 239 country codes destinations and I have a list of 246 codes, should you need that for update plzz let me know I will send a copy of the codes.

Thanks.



Title: Re: Traffic Filter Plugin
Post by: Peter on August 04, 2009, 02:24:53 am
Yes, I am aware of that. This may need to be "corrected" in the final release.

For example, the codes that are not listed in the pop-up window are: eu, uk. From my own experience, the code 'uk' does not occur, although those IP ranges must be used somewhere. The code 'eu' is used for sure.

However, you are allowed to use these codes in the configuration and the plugin will work.


Title: Do you know who "accesses" your website?
Post by: Peter on August 06, 2009, 02:21:33 am
Do you know who "accesses" your website?

Notice that I used the word "accesses" and not "visits". That's because a website is being accessed by people and robots alike.

Best if you carefully study and analyze your access and error logs. Visitor analysis services such as "Google Analytics" are quite useless, although they provide a visually attractive interface. What really needs to be done is analysis of every request, including IP address, host name, the requested URI, user-agent string, geographic location (country) and timing, among many.

If you do your job thoroughly, you will find that majority of requests (often as high as 99%) are by robots. These are not just your regular Googlebots and Yahoo! crawlers. Most of them are robots by some unknown company that collects data and resells it to others. Apparently, data mining is a big, big business.

"So what?", you may say. "These robots collect information about me and my customers." Another threat may be, that these rogue robots are trying to discover 'backdoors' and vulnerabilities of your system. They may be zombie computers, infected with a virus, and they try to find another victim to infect and turn your website into virus-spreading tool.

On daily basis, my own sites record visits by robots who try requesting URLs such as /login.php, /install.php, /readme.txt, /install.txt, /cgi-bin/, .... Yes, they are probing for weaknesses, a forgotten installation file. They are trying to detect which system my site is using, so they could explore a known vulnerability (if they know one).

I have also noticed that many robots switch their user-agent like a chameleon. I call that being dishonest (I am trying to not use expletives).

Rogue robots also consume your bandwidth, taking away resources from your legitimate users, and slowing down your server. You may also incur charges for excess bandwidth consumption.

This is where our TRAFFIC FILTER can help!

Blocking Countries
Let's say that your server is in the UK and your visitors are mostly in the UK. The employers are in the UK, and so are the job seekers. There may be few instances, when a legitimate user is on holidays somewhere overseas ..... But why should your site be accessible to visitors (and robots) in Russia, Ivory Coast, Brazil,....?

Yes, there are some basic security precautions you can take by blocking certain countries, which are likely to pose the highest threat. From my own experience, I could name these as being such countries: Ivory Coast, Niger, Russia, Brazil, China, Israel, Netherlands, Germany, and even the US. Simply because I have seen many malicious requests from these locations.

When your website is serving only a limited region, you should have a security policy, which denies access to users from outside of this region.

CAUTION: If you decide to block some countries, such as the US, beware that you will also be blocking legitimate search engine robots (Googlebot, MSN, Yahoo!), unless you make an exception in the whitelist.

Blocking User-Agent
The TRAFFIC FILTER has an option to redirect (block) users based on their user-agent string. Keep in mind that the user-agent string can easily be forged. However, it is just another usable identifier, and it can be used with some success to achieve your security policy's objectives.

I can recommend these few settings to block some obviously forged user-agents:
Code:
AGENT#^$#@DEF
......... empty (or none) user-agent
Code:
AGENT#^\.$#@DEF
....... only one dot (.)
Code:
AGENT#^\.+$#@DEF
....... only one or more dots (.)
Code:
AGENT#^[a-z\ ]{1,}$#[email protected]
........ random alpha-only string with white spaces
Code:
AGENT#^[0-9\ ]{1,}$#@DEF
........ random numeric-only with white spaces
Code:
AGENT#^[a-z0-9]{1,}$#[email protected]
...... random alpha-numeric without white spaces (most likely an MD5 hash etc.)
Code:
AGENT#^(Mozilla\ ?|Mozilla/[0-9]{1,}\.[0-9]{1,})$#[email protected]
......... user-agent like 'Mozilla/4.0' is very likely to be some rogue robot
Code:
AGENT#(Perl|curl|libwww)#[email protected]
....... this will stop many rogue robots

I often see the Googlebot user-agent string being used by robots that don't belong to Google. This is a common tactic for these rogue robots to gain unimpeded access to your site. Unfortunately, the present version of the TRAFFIC FILTER cannot distinguish when this happens.

I would be happy to answer anyone's questions regarding the use of this plugin. Having feedback will help us make this plugin even better. I have developed this plugin based on my 1-year experience of using the same function on my own sites. I block over 200 IP ranges (could easily be millions of IP addresses), over 20 countries, many user-agent strings.

Additionally, the TRAFFIC FILTER keeps a log of all blocks/redirects, so you can see for yourself what exactly is happening.

Cheers!
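
The log review described in this post, as an added example that is not part of the original post or of the plugin: it reads access-log lines in Apache combined format and reports clients requesting the probe URLs named above, clients that change their user-agent between requests, and requests matching the empty, dots-only and numeric-only user-agent rules. The log lines are constructed, and the names `analyze`, `is_probe`, `PROBE_PATHS` and `UA_RULES` are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Probe targets named in the post; a trailing slash means "anything below".
PROBE_PATHS = ("/login.php", "/install.php", "/readme.txt",
               "/install.txt", "/cgi-bin/")

# Pattern part of three user-agent rules from the post (dict name is hypothetical).
UA_RULES = {
    "empty": re.compile(r"^$"),
    "dots-only": re.compile(r"^\.+$"),
    "numeric-only": re.compile(r"^[0-9\ ]{1,}$"),
}

# Constructed sample lines; the addresses come from the documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Aug/2009:02:00:01 +0000] "GET /install.php HTTP/1.1" 404 209 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [06/Aug/2009:02:00:02 +0000] "GET /readme.txt HTTP/1.1" 404 209 "-" "Opera/9.64"',
    '192.0.2.10 - - [06/Aug/2009:02:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [06/Aug/2009:02:01:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.8 - - [06/Aug/2009:02:01:15 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "..."',
    '198.51.100.9 - - [06/Aug/2009:02:01:20 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "8346456 383 38 5494"',
    '203.0.113.5 - - [06/Aug/2009:02:02:00 +0000] "GET /index.php?cat=3 HTTP/1.1" 200 7300 '
    '"http://www.example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB) Firefox/3.5.2"',
]


def is_probe(path):
    """True if the request path is one of the probe targets."""
    for probe in PROBE_PATHS:
        if probe.endswith("/"):
            if path.startswith(probe):
                return True
        elif path == probe:
            return True
    return False


def analyze(lines):
    """Summarise probing, user-agent switching and rule hits per client."""
    probes = defaultdict(set)   # ip -> probe paths requested
    agents = defaultdict(set)   # ip -> distinct user-agent strings seen
    ua_hits = {name: 0 for name in UA_RULES}

    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        ip = m["ip"]
        # Apache writes "-" when the User-Agent header is absent.
        agent = "" if m["agent"] == "-" else m["agent"]
        agents[ip].add(agent)

        parts = m["request"].split()
        target = parts[1] if len(parts) >= 2 else ""
        path = target.split("?", 1)[0].lower()
        if is_probe(path):
            probes[ip].add(path)

        for name, rule in UA_RULES.items():
            if rule.search(agent):
                ua_hits[name] += 1

    return {
        "probes": {ip: sorted(p) for ip, p in probes.items()},
        "chameleons": {ip: sorted(a) for ip, a in agents.items() if len(a) > 1},
        "ua_hits": ua_hits,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for section, data in report.items():
        print(section, data)
```
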


Title: Re: Traffic Filter Plugin
Post by: dotmagic on August 06, 2009, 06:43:22 am
Hmm sounds great,

Traffic filter is certainly good to restrict certain countries like Nigeria as u mentioned. Data mining is a big business indeed but when it comes to publishing information online we are bound to expose data to the users and only if the data reached as many targets as it can, we can expect a visitor to return and use the service.

Don't you feel it will affect the number of visitors to the site? Why not have such sensitive data for registered users only? and just block spammer IP's from the logs we find?

Does it just block IP's we specify or have u enabled any feature that prevents DDOS attacks? If it were to have a feature that prevents DDOS attacks, this would be the most advanced plugin that no other cms can match with it.

If you were to develop with DDOS protection, I would suggest/welcome/request you encrypt the script at that point and give it for users for security reasons.

To what I see, this plugin look the best and very well developed with lots of time, research and energy spent to bring it to a shape.

Keep it up.

Good luck and Thanks,
BV.


Title: Re: Traffic Filter Plugin
Post by: Peter on August 06, 2009, 07:08:08 am
Whom and what you block is at the discretion of the user (admin). The plugin does not block anything on its own. It must be configured by the user.

Most likely, every user (admin) will have their own security policy and access policy.

Blocking a range of IP's is not necessarily a bad thing. Out there are plenty of businesses that will let you rent a server. They have many servers to rent, easily hundreds, thousands. They also have the same number of IP addresses. But these IP's are not the same IP's as that of your job seeker or employer. Job seeker and employer are on IP's that belong to Internet providers, or some corporate IP's. There are ways to identify one from the other.

DDoS prevention is a different subject altogether. Probably the best (or only) way to deal with DDoS attacks is on the Apache level through iptables. I believe that there are some adequate open-source solutions for DDoS available.


Title: Re: Traffic Filter Plugin
Post by: dotmagic on August 06, 2009, 07:50:20 am
Sounds great.

As a developer you know better than us about the plugin, I did not have opportunity to use your plugin effectively in 2 days of its release, will use the plugin for sure and do my contribution if any I can.

Thanks.


Title: Re: Traffic Filter Plugin
Post by: Peter on August 09, 2009, 10:35:55 pm
Quote
Does it just block IP's we specify or have u enabled any feature that prevents DDOS attacks? If it were to have a feature that prevents DDOS attacks, this would be the most advanced plugin that no other cms can match with it.

Few hours ago, my own sites were out for few hours due to a DDoS attack. But all is fine now.

Actually, it was not my sites that were under attack, but my host, GODADDY.COM. My site's outage was a collateral damage. Perhaps GODADDY's DDoS outage has something to do with recent wave of attacks of Twitter?? So if you are using GODADDY as your hosting provider, your sites were out too! This just shows that having a protection against DDoS on your site may be useless, if you are not in full control of your servers (incl. DNS).

I am not a 'security expert' yet, and definitely not expert on DDoS, but what I gather, DDoS is the extreme attack and very difficult to fend off. The only way (that I know of) of defense is by not answering requests (no connection), which is pretty much like switching the server off, and that is the purpose of DDoS attacks. Even some of the large, famous and rich companies seem to have no defense for DDoS.

I am sure that most of you heard of the recent incident when a film festival site in Australia got hacked, most likely by Chinese hackers, and defaced with Chinese flags. This is probably because the hackers knew the backdoor or vulnerability.

Security is a difficult subject to understand to most users and webmasters, because they can't see the benefits of it, until it is too late. As children, most of us receive some kind of inoculation - tetanus, rubella, hepatitis, .... - but we never know if and when it saves our lives. Same with website security - it is a preventative effort.

Security always is an uphill battle. You can try to make your site secure, you can make it very secure. But the hackers will always be at least one step ahead. They can outsmart us, or they can hire a criminal gang who will.

I really have no material interest in selling you this plugin, but I believe that it is useful and it helps in terms of security.

As I said, anyone's feedback will be highly appreciated and having it will help us to make it even better.


Title: Re: Traffic Filter Plugin
Post by: dotmagic on August 10, 2009, 01:56:19 pm
Quote
I am sure that most of you heard of the recent incident when a film festival site in Australia got hacked, most likely by Chinese hackers, and defaced with Chinese flags. This is probably because the hackers knew the backdoor or vulnerability.

Is not just this, can u imagine UK Home Office website had a link to porn site? Yes it had, it was fixed later, just google it, you can get the news about it.  Was one of the shocking and funniest news I ever read a couple of months back.


Quote
Security always is an uphill battle. You can try to make your site secure, you can make it very secure. But the hackers will always be at least one step ahead. They can outsmart us, or they can hire a criminal gang who will.

Well that's why I just came up with an idea to give a secured solution at that point of release of your plugin, no need to be commercial if you don't like to (even if it were commercial I will buy for sure). Secured version just trims off a way for the hackers to study the system and bring an alternative to diffuse the hard work in micro seconds.  No need a security if there is no issue of theft.


To what I had come across, no CMS has a plugin or an inbuilt system to face DDoS. Maybe there is, but I am not aware of. A year back or so, I believe many many job sites were under attack, Even Australian websites were attacked n I remember reading such news before as serious security issue about the users DB in those employment sites.

That's why, when you came up with this plugin I was very curious to study its efficiency with such attacks.

Thanks.


Title: Re: Traffic Filter Plugin
Post by: Peter on August 10, 2009, 08:51:22 pm
As far as the TRAFFIC FILTER plugin, the discussion about DDoS is off the subject. However, because there appears to be interest, I recommend this article:
http://en.wikipedia.org/wiki/Denial-of-service_attack

Following the above link will also give you links to other sites, including those with solution to fighting DDoS and open-source (free) solutions.

I'd say that JAMIT is unlikely to be developing any kind of DDoS related product and rather stay focused on the JOB BOARD and support of customers.


Title: Re: Traffic Filter Plugin
Post by: Adam on August 12, 2009, 09:56:15 am
Perhaps you could look at getting a hardware based firewall, eg. Cisco ASA 5505 to guard against denial-of-service attacks and other unwanted traffic in conjunction with the traffic filter plugin.


Title: Re: Traffic Filter Plugin
Post by: Peter on August 21, 2009, 02:48:45 am
Quote
Perhaps you could look at getting a hardware based firewall, eg. Cisco ASA 5505 to guard against denial-of-service attacks and other unwanted traffic in conjunction with the traffic filter plugin.

I don't have any experience with the Cisco ASA5505, but I am sure that it is a good solution, especially if one has the budget to buy it. I'd like to add that the TRAFFIC FILTER is a cheaper (free) alternative to the ASA5505. The TRAFFIC FILTER can achieve improvements in your site's security, including protection against botnets.

The Cisco ASA5505 and the TRAFFIC FILTER are very different animals, working on a different level. Good security system should also work on different levels and in parallel and in conjunction, as Adam already mentioned.


Title: Using the TRAFFIC FILTER in conjunction with .htaccess
Post by: Peter on September 02, 2009, 11:55:39 pm
Just wanted to share with you all how I use the TRAFFIC FILTER to fend off a great number of attacks every day.

I run a few small sites. They don't have whole lot of traffic, but all of my sites are being scanned by ROGUE ROBOTS and SQL injection attempts are a daily occurrence. If this happens to my sites, I am certain that it happens to your sites as well. Who knows, your site may already be infected with a backdoor script and you are not aware of it.

The TRAFFIC FILTER plugin needs to be configured first. You need to define some conditions, which will make the TRAFFIC FILTER block undesirable traffic (requests). One place to start is by setting a country you want to block. If your Job Board is for example in the UK and serves mainly to UK (and European) audience, there probably is no reason why you should allow requests from Africa. Especially Ivory Coast (Cote D'Ivoire) is famous for malicious attacks. So are China and all of the countries of the former Soviet Union.

Another condition for blocking should be the user-agent string. (Please refer to web resources to find out more about the user-agent string, such as http://en.wikipedia.org/wiki/List_of_HTTP_headers .)

The user-agent string can easily be spoofed, however, it is a wonderful means for hackers to initiate MySQL attacks, and for you, it is a way to detect ROGUE ROBOTS and fend off attacks.

I have already suggested some user-agent conditions in my earlier post. (Please scroll up.) I will list a few again:

Code:
AGENT/^$/@DEF ......... empty
AGENT/^\ +$/@DEF ....... 1 or more white spaces (only white spaces)
AGENT/^\.+$/@DEF ........ 1 or more dots (only dots)
AGENT/^Mozilla$/@DEF ....... string is only 'Mozilla' (definitely spoofed user-agent)
AGENT/^Mozzila$/@DEF ...... string is only 'Mozzila' and obviously misspelled (I had such request on my site!)
AGENT/^Mozilla/?[0-9]{1,}\.[0-9]{1,}$/@DEF ..... this is NOT a human visitor
AGENT/^Mozilla/?[0-9]{1,}\.[0-9]{1,}\ ?\(compatible;?\)$/@DEF ...... this is NOT a human visitor
AGENT/^[a-zA-Z0-9]{1,}$/@DEF ..... alphanumeric string, such as '7yT2gB1kcWiP2'
AGENT/^[a-zA-Z\ \.]{1,}$/@DEF ........ alphabetical string with optional spaces or dots, such as 'Morfeus strikes again.' (I had such requests on my site!)
AGENT/^[0-9\ ]{1,}$/@DEF ....... numeric string with optional spaces, such as '8346456 383 38 5494'
... and most important for last ....
AGENT/(\'|\"|\`)/@DEF ..... blocks MySQL injection attacks

Okay, once you enter these into your TRAFFIC FILTER plugin configuration, the plugin will start blocking malicious traffic. The wonderful thing about the plugin is that every single event is being logged in the database table named jb_log_redirects, and daily aggregate counts are in table named jb_log_redir_aggr. You should study these logs daily to see how effective the settings of your TRAFFIC FILTER are, whether the settings need any adjustments or corrections.

In my case, after I see some repeat offenders bombarding my site too much and stealing CPU resources, I write a line for the .htaccess file.

The .htaccess file is a better solution than TRAFFIC FILTER, with the only disadvantage that it doesn't log events, and therefore difficult to know what is going on. I use it as a last option, once I am sure that a rule (or regular expression) is correct and effectively blocks evil requests.

Here are a few lines from one of my own .htaccess files:

Code:
# Creates error 403 for unauthorized access to a directory
Options All -Indexes

# secure htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

<ifmodule mod_rewrite.c>
rewriteEngine On
rewriteBase /

### Hong Kong, FAKE Googlebot agent
RewriteCond %{REMOTE_HOST} ^118\.142\.36\.230$ [OR]
RewriteCond %{REMOTE_HOST} ^203\.218\.132\.103$ [OR]
RewriteCond %{REMOTE_HOST} ^203\.218\.122\.154$ [OR]
RewriteCond %{REMOTE_HOST} ^203\.210\.8\.4$ [OR]
RewriteCond %{REMOTE_HOST} ^203\.210\.8\.8$ [OR]
RewriteCond %{REMOTE_HOST} ^203\.210\.8\.16$ [OR]
RewriteCond %{REMOTE_HOST} ^203\.210\.8\.20$ [OR]
RewriteCond %{REMOTE_HOST} ^203\.210\.8\.31$ [OR]
RewriteCond %{REMOTE_HOST} ^210\.3\.52\.174$ [OR]
RewriteCond %{REMOTE_HOST} ^218\.188\.157\.166$ [OR]
RewriteCond %{REMOTE_HOST} ^218\.103\.164\.175$ [OR]
RewriteCond %{REMOTE_HOST} ^218\.250\.112\.57$ [OR]
RewriteCond %{REMOTE_HOST} ^219\.78\.50\.39$ [OR]
RewriteCond %{REMOTE_HOST} ^219\.77\.184\.10$ [OR]
RewriteCond %{REMOTE_HOST} ^219\.77\.188\.196$ [OR]
RewriteCond %{REMOTE_HOST} ^219\.77\.189\.154$ [OR]
RewriteCond %{REMOTE_HOST} ^219\.77\.189\.95$ [OR]
RewriteCond %{REMOTE_HOST} ^202\.155\.235\.126$ [OR]
RewriteCond %{REMOTE_HOST} ^59\.188\.229\.54$ [OR]

### UK, datamining
RewriteCond %{REMOTE_HOST} ^91\.209\.196\.70$ [OR]

### USA, IVE GOT A PHANG INC., 72.94.249.32 - 72.94.249.39 (72.94.249.32/29)
RewriteCond %{REMOTE_HOST} ^72\.94\.249\.(3[2-9])$ [OR]

### USA, Bluecoat Systems, 208.115.128.0 - 208.115.143.255 (208.115.128.0/20)
RewriteCond %{REMOTE_HOST} ^208\.115\.(1(2[8-9]|3[0-9]|4[0-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]

### USA, CYVEILLANCE, 38.0.0.0 - 38.255.255.255 (38.0.0.0/8)
RewriteCond %{REMOTE_HOST} ^38\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]

### USA, Websense Inc., 66.194.6.0/24 = 66.194.6.0 - 66.194.6.255
RewriteCond %{REMOTE_HOST} ^66\.194\.6\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]
# 208.80.192.0/21 = 208.80.192.0 - 208.80.199.255
RewriteCond %{REMOTE_HOST} ^208\.80\.(1(9[2-9]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]
# 204.15.64.0/21 = 204.15.64.0 - 204.15.71.255
RewriteCond %{REMOTE_HOST} ^204\.15\.(6[4-9]|7[0-1])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]

### FDC Servers ###
### 66.90.64.0 - 66.90.127.255
RewriteCond %{REMOTE_HOST} ^66\.90\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]
### 208.53.128.0 - 208.53.191.255
RewriteCond %{REMOTE_HOST} ^208\.53\.(1(2[8-9]|[3-8][0-9]|9[0-1]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]
### 67.159.0.0 - 67.159.63.255
RewriteCond %{REMOTE_HOST} ^67\.159\.([0-9]|[1-5][0-9]|6[0-3])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]
### 74.63.64.0 - 74.63.127.255
RewriteCond %{REMOTE_HOST} ^74\.63\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]

### USA, Bluecoat Systems Inc., 65.46.48.192/30 = 65.44.0.0 - 65.47.255.255
RewriteCond %{REMOTE_HOST} ^65\.(4[4-7])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]
# 65.160.238.176/28 = 65.160.238.176 - 65.160.238.191
RewriteCond %{REMOTE_HOST} ^65\.160\.238\.(1(7[6-9]|8[0-9]|9[0-1]))$ [OR]
# 204.246.128.0/20 = 204.246.128.0 - 204.246.151.255
RewriteCond %{REMOTE_HOST} ^204\.246\.(1(2[8-9]|[3-4][0-9]|5[0-1]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]
# 208.115.138.0/23 = 208.115.138.0 - 208.115.139.255
RewriteCond %{REMOTE_HOST} ^208\.115\.(1(3[8-9]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]
# 217.169.46.96/28 = 217.169.46.96 - 217.169.46.111
RewriteCond %{REMOTE_HOST} ^217\.169\.46\.(9[6-9]|1(0[0-9]|1[0-1]))$ [OR]

### USA, Fremont, California, Hurricane Electric, datamining, 64.62.128.0 - 64.62.255.255
RewriteCond %{REMOTE_HOST} ^64\.62\.(1(2[8-9]|[3-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]
### USA, Fremont, California, Hurricane Electric, datamining, 65.19.128.0 - 65.19.191.255
RewriteCond %{REMOTE_HOST} ^65\.19\.(1(2[8-9]|[3-8][0-9]|9[0-1]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]
### USA, Fremont, California, Hurricane Electric, datamining, 65.19.154.160 - 65.19.154.191
RewriteCond %{REMOTE_HOST} ^65\.19\.154\.(1([6-8][0-9]|9[0-1]))$ [OR]

### USA, The Planet, 74.52.0.0 - 74.55.255.255 (74.52.0.0/14)
RewriteCond %{REMOTE_HOST} ^74\.(5[2-5])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]
### USA, The Planet, 174.132.0.0 - 174.133.255.255 (174.132.0.0/15)
RewriteCond %{REMOTE_HOST} ^174\.(1(3[2-3]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]

### USA, Texas, VRT Servers, 64.56.64.0 - 64.56.79.255 (64.56.64.0/20)
RewriteCond %{REMOTE_HOST} ^64\.56\.(6[4-9]|7[0-9])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]

### USA, Columbus Network Access Point, Inc., 209.190.0.0 - 209.190.127.255 (209.190.0.0/17)
RewriteCond %{REMOTE_HOST} ^209\.190\.([0-9]|[1-9][0-9]|1([0-1][0-9]|2[0-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]

### NETHERLANDS, LeaseWeb, 85.17.134.0 - 85.17.134.255
RewriteCond %{REMOTE_HOST} ^85\.17\.134\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]

### HUNGARY, Dreamshow Partnership, 212.52.164.0 - 212.52.167.255
RewriteCond %{REMOTE_HOST} ^212\.52\.(1(6[4-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]

### SWITZERLAND, Backslash AG, 193.135.56.0 - 193.135.58.255
RewriteCond %{REMOTE_HOST} ^193\.135\.(5[6-8])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]

### SPAIN, Rango de IPs HOSTINGLMI, 213.194.149.0 - 213.194.149.255
RewriteCond %{REMOTE_HOST} ^213\.194\.149\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$ [OR]

### robots, spiders ###
RewriteCond %{HTTP_USER_AGENT} "(screenshot|thumbnail|ia_archiver|Yandex|GingerCrawler|Plukkie|plukkie|nu_tch|princeton\ crawler|speedy_spider|entireweb\.com|SurveyBot|Whois|whois|who\ is|apnoti\.com|Baiduspider|baidu\.jp|Mail\.Ru|Netcraft\ SSL\ Server\ Survey|Ruky-Bot|ruky\.de|KaloogaBot|kalooga|Yeti|naver\.com|Trend\ Micro|Exabot|fisuna\.com|Fisuna-Bot|StackRambler|GrubNG|grub\.org|Huasai|Python-urllib|MLBot|metadatalabs\.com|FollowSite\ Bot|followsite\.com|Servage|servage\.net|psbot|picsearch\.com|my-robot|Nutch|mmonitor|dotnetdotcom|DotBot|Microsoft\ Data\ Access\ Internet\ Publishing\ Provider|Tagoobot|80legs\.com|parchmenthill\.com|eurosoftware|Eurosoft-Bot|yacybot|libwww|curl|perl|Plesk|larbin|User-Agent|core-project|panscient\.com|Morfeus\ Fucking\ Scanner|Comodo\ SSL\ Checker|Jakarta\ Commons|Windows\ 95|lwp-trivial)" [OR]

RewriteCond %{HTTP_USER_AGENT} "^$" [OR]

RewriteCond %{HTTP_USER_AGENT} "^\ +$" [OR]

RewriteCond %{HTTP_USER_AGENT} "^\.+$" [OR]

RewriteCond %{HTTP_USER_AGENT} "^Mozilla$" [OR]

RewriteCond %{HTTP_USER_AGENT} "Mozzila" [OR]

RewriteCond %{HTTP_USER_AGENT} "^Mozilla/?[0-9]{1,}\.[0-9]{1,}$" [OR]

RewriteCond %{HTTP_USER_AGENT} "^Mozilla/?[0-9]{1,}\.[0-9]{1,}\ ?\(compatible;?\)$" [OR]

RewriteCond %{HTTP_USER_AGENT} "^[a-zA-Z0-9]{1,}$" [OR]

RewriteCond %{HTTP_USER_AGENT} "^[a-zA-Z\ \.]{1,}$" [OR]

RewriteCond %{HTTP_USER_AGENT} "^[0-9\ ]{1,}$"

RewriteRule .* http://www.google.com/ [L,R=301]

</ifmodule>

PLEASE NOTE: This post should not focus too much on the .htaccess file, but only as much as it relates to the use of the TRAFFIC FILTER. We could probably start another discussion on that theme separately.

The TRAFFIC FILTER is now in beta stage and available for free download by existing Jamit customers. Future releases will include additional improvements and additional security plugins are being considered.

Happy jobboarding,
Peter
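
A check for the hand-written range expressions in the .htaccess above, as an added example that is not part of the original post: it compares a RewriteCond pattern with the range or CIDR block stated in its comment and counts addresses the pattern misses or matches in excess. The patterns and ranges are copied from the post (with the repeated 0-255 octet expression factored into `OCTET`); the function names and the limit to ranges inside one /16 are assumptions of this example.

```python
import ipaddress
import re

# The 0-255 octet expression used throughout the posted .htaccess.
OCTET = r"([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))"

# (pattern, range as stated in the comment above that RewriteCond line)
CASES = [
    (r"^72\.94\.249\.(3[2-9])$", "72.94.249.32/29"),
    (r"^65\.19\.154\.(1([6-8][0-9]|9[0-1]))$", "65.19.154.160 - 65.19.154.191"),
    (r"^66\.90\.(6[4-9]|[7-9][0-9]|1([0-1][0-9]|2[0-7]))\." + OCTET + "$",
     "66.90.64.0 - 66.90.127.255"),
    (r"^204\.246\.(1(2[8-9]|[3-4][0-9]|5[0-1]))\." + OCTET + "$",
     "204.246.128.0/20"),
]


def dotted(n):
    """32-bit integer to dotted-quad text."""
    return f"{n >> 24}.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"


def parse_range(spec):
    """Accept 'a.b.c.d/nn' or 'a.b.c.d - a.b.c.d'; return (first, last) as ints."""
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-"))
        return int(lo), int(hi)
    net = ipaddress.IPv4Network(spec.strip(), strict=True)
    return int(net.network_address), int(net.broadcast_address)


def audit(pattern, spec):
    """Compare what the regex matches with the stated range.

    Every address in the /16 that contains the range is tested, so both
    under-blocking (missed) and over-blocking (extra) show up.
    """
    rx = re.compile(pattern)
    first, last = parse_range(spec)
    base = first & 0xFFFF0000
    if last > base + 0xFFFF:
        raise ValueError("range spans more than one /16; not enumerated here")

    missed, extra = [], []
    for n in range(base, base + 0x10000):
        hit = rx.search(dotted(n)) is not None
        inside = first <= n <= last
        if inside and not hit:
            missed.append(n)
        elif hit and not inside:
            extra.append(n)

    return {
        "missed": len(missed),
        "extra": len(extra),
        "extra_span": (dotted(extra[0]), dotted(extra[-1])) if extra else None,
    }


def run_cases():
    """Audit every (pattern, range) pair in CASES."""
    return [(spec, audit(pattern, spec)) for pattern, spec in CASES]


if __name__ == "__main__":
    for spec, result in run_cases():
        print(f"{spec:32} {result}")
```

The patterns are tested here against dotted-quad text only. `%{REMOTE_ADDR}` always holds the address, while `%{REMOTE_HOST}` can hold a resolved host name when HostnameLookups is enabled, in which case none of these patterns match.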


Title: Country Blocking - comments and additional resources
Post by: Peter on September 03, 2009, 02:43:16 am
Limitations
The TRAFFIC FILTER's country blocking function is based on a database table, which converts an IP address to a country, in some cases to EU (Europe) and AP (Asia-Pacific). As you already might know, IP address allocations are not permanent. They change from time to time. There will always be some inaccuracy, small amounts of error.

I want to give another example to demonstrate what the country blocking filter can and cannot do.

Let's say that you want to block country 'X' completely. Perhaps you don't want the country 'X' government (or a commercial entity) to have access to your site. If you block country 'X' using the TRAFFIC FILTER or any similar IP address based solution, the country 'X' users still may be able to access your site. They can do it either through a proxy, an anonymous proxy, or by having a computer (or server) in a country which is not on your blacklist.

Jamit intends to periodically update the TRAFFIC FILTER with enhancements, as well as the IP-to-country database.

IP Blocking Resources
The TRAFFIC FILTER is suitable (and easily configurable) for country blocking (based on IP address). Another solution for country blocking is .htaccess file, but you need to know the IP address ranges or blocks. I have found this website which will give you IP ranges and CIDR blocks of various countries in a format ready to use in your .htaccess file. Of course, I have no idea how accurate these IP ranges are....

http://www.countryipblocks.net/country-blocks/select-formats/

However, I do not recommend using the IP ranges from the above site in the TRAFFIC FILTER, because the TRAFFIC FILTER already has its own database of IP addresses.

Be careful when you use the .htaccess file for country blocking, because some countries have too many IP blocks and your .htaccess can easily become hundreds of kB or even few MB in size and (I wonder if) this could slow down your server. This is why the TRAFFIC FILTER is a good solution for country blocking.


Title: Re: Using the TRAFFIC FILTER in conjunction with .htaccess
Post by: promotionbox.de on September 04, 2009, 12:24:58 pm
Code:
AGENT/^$/@DEF ......... empty
AGENT/^\ +$/@DEF ....... 1 or more white spaces (only white spaces)
AGENT/^\.+$/@DEF ........ 1 or more dots (only dots)
AGENT/^Mozilla$/@DEF ....... string is only 'Mozilla' (definitely spoofed user-agent)
AGENT/^Mozzila$/@DEF ...... string is only 'Mozzila' and obviously misspelled (I had such request on my site!)
AGENT/^Mozilla/?[0-9]{1,}\.[0-9]{1,}$/@DEF ..... this is NOT a human visitor
AGENT/^Mozilla/?[0-9]{1,}\.[0-9]{1,}\ ?\(compatible;?\)$/@DEF ...... this is NOT a human visitor
AGENT/^[a-zA-Z0-9]{1,}$/@DEF ..... alphanumeric string, such as '7yT2gB1kcWiP2'
AGENT/^[a-zA-Z\ \.]{1,}$/@DEF ........ alphabetical string with optional spaces or dots, such as 'Morfeus strikes again.' (I had such requests on my site!)
AGENT/^[0-9\ ]{1,}$/@DEF ....... numeric string with optional spaces, such as '8346456 383 38 5494'
... and most important for last ....
AGENT/(\'|\"|\`)/@DEF ..... blocks MySQL injection attacks
Hi! Where do I put the code above? In the field of "Redirects", "Whitelisted IP Addresses (Optional)" or "Whitelisted User-Agents (Optional)". Thanks for your help. Does this code work with German homepages too?


Title: Re: Traffic Filter Plugin
Post by: Peter on September 04, 2009, 01:26:21 pm
Hi Promotionbox,

That code (you asked about) goes in the control panel of the TRAFFIC FILTER, namely the section 1.1 (Redirects).

Ignore the comments, so just enter:

Code:
AGENT/(\"|\'|\`)/@DEF

... and each entry on new line. Do not put in my comments (those things with ........).

Sure, it will work for German homepages too. Wirklich!


Title: Re: Traffic Filter Plugin
Post by: promotionbox.de on September 04, 2009, 01:33:53 pm
You're ok Peter!
Thanks for your quick assistance. I'll try it and will give you a feedback. And it's nice to read a German word 'Wirklich'. So I've some homefeeling  ;). If your German is more don't hesitate to write me in German. I would appreciate that.

Best greetings from Germany to you!
-Thorsten


Title: Re: Traffic Filter Plugin
Post by: Peter on September 04, 2009, 02:14:32 pm
Thorsten,

Sehr toll! Das ist alles was ich wollte auf Deutsch schreiben. I am not German, but rather a mix of everything. But I get the 'home feeling" just reading your messages.

Greeting from Hongkong to you and all Jamit customers!

Peter


Title: Re: Traffic Filter Plugin
Post by: promotionbox.de on September 04, 2009, 02:31:46 pm
So macht das Forum richtig Spaß - klasse!!!!
Thank you all for the nice support the last months you gave me. I love you.......Michael Jackson would say.

Stay the way you are.

-Thorsten


Title: Version 1.0 of the plugin is out!
Post by: Peter on September 07, 2009, 08:36:11 am
Today, the real version 1.0 of the TRAFFIC FILTER was released with some small improvements.

If you are UPGRADING from the BETA version, and you already have some blocking/redirection settings saved, this is what I recommend that you do:
-- Go to the admin panel
-- Go to the control panel for the TRAFFIC FILTER plugin
-- Using Ctrl c and Ctrl c keyboard keys copy and paste the settings to a text editor.
-- Install the version 1.0 plugin
-- Copy the settings from your text editor to the plugin's control panel and save

And you are done!


Title: Re: Traffic Filter Plugin
Post by: screen_mates on September 09, 2009, 03:28:05 am
Would you mind posting those malicious IP ranges here?

Keep up the good work...

Thanks!


> I block over 200 IP ranges (could easily be millions of IP addresses), over 20 countries, many user-agent strings.


Title: Re: Traffic Filter Plugin
Post by: screen_mates on September 09, 2009, 03:30:21 am
How about a plugin to validate if other installed plugins are up to date or outdated? With an option to apply updates/upgrades?

Thanks!


Title: Re: Traffic Filter Plugin
Post by: screen_mates on September 09, 2009, 04:07:39 am
> How about a plugin to validate if other installed plugins are up to date or outdated? With an option to apply updates/upgrades?
>
> Thanks!

We need "comments" columns to record reasons why some IP's or expressions were added to the Redirects, Whitelist, etc.


Title: CONFIGURATION example
Post by: Peter on September 09, 2009, 04:18:48 am
Okay, here is a list of some BAD IP ranges and other redirect rules for the Traffic Filter. Please use it at your own risk. Jamit makes no claim or warranty regarding the accuracy of these IPs. You should consider that you may not want to block all of these IP ranges, but I do block them.

Code:
AGENT/^$/@DEF...empty
AGENT/^\.+$/@DEF...dots
AGENT/^[a-z0-9]{1,}$/[email protected] without whitespace
AGENT#^(Mozilla|Mozilla/[0-9]{1,}\.[0-9]{1,})$#[email protected] Mozilla
AGENT/^[a-z\ \.]{1,}$/[email protected] only
AGENT/^[0-9\ \.]{1,}$/@DEF...numeric only
AGENT/Mozzila/[email protected]
AGENT#(\'|\`|\*|\?|>|<|script|eval|base64_decode)#[email protected] injection
AGENT#MSIE\ [0-9]{1,1}\.[0-9]{1,1};\ MSIE\ [0-9]{1,1}\.[0-9]{1,1}#@DEF...2 browsers

(The above code updated on 2009-10-15, 11:29 GMT.) Please update your Traffic Filter to version 1.2. Please see the post dated 16 Oct 2009 for the latest configuration settings for Traffic Filter v 1.2.

The above code includes my notes (comments), because you need to know what each IP range is. If you are using the TRAFFIC FILTER version 1.1 and higher, you can keep the comments in place. If you are using an older version of the plugin, you need to remove the comments before entering this code into the plugin's blacklist. (The comments start with 3 dots ...).

REMEMBER, IP address allocations change from time to time. It is recommended that in the future, you review all those blocked IP ranges against a WHOIS record. Speaking of which, I found this excellent WHOIS website: http://cqcounter.com/whois/


Title: Re: Version 1.0 of the plugin is out!
Post by: promotionbox.de on September 09, 2009, 09:35:42 am
> Today, the real version 1.0 of the TRAFFIC FILTER was released with some small improvements.

Hi, where to find the version 1.0? On your homepage is still version 0.9 beta. Thanks!

-Thorsten


Title: Re: Traffic Filter Plugin
Post by: screen_mates on September 09, 2009, 02:33:02 pm
The proposed plugin to update/upgrade other plugins should have options to update plugins by trusted vendors (Jamit of course). All other vendors should be optional and not be included in the default updates/upgrades.


Title: IP ranges (blocking) updated!
Post by: Peter on October 13, 2009, 02:47:22 am
Please note that in the post above (CONFIGURATION example), I have updated the extensive list.

Here is what has changed:
  • Added user-agent rules to block rogue robots (those that are badly forged)
  • Added some countries
  • Added a few more IP ranges (immediately following the Optic Fusion record - [email protected]).
  • CORRECTED error. Wrong record was [email protected], Ecatel LTD. Correctly should be [email protected], Ecatel LTD.

Remember, if you are using a version lower than 1.1, the plugin settings require syntax such as [email protected]
so you will have to delete the 3 dots and the comment. It is better to upgrade the plugin to version 1.1.

If you are using version 1.1 of the TRAFFIC FILTER plugin, you can keep the comments in place.

Again, please use the IP ranges at your own risk. You may want to review each entry for correctness. Thank you.


Title: Version 1.1 of the Traffic Filter released
Post by: Peter on October 13, 2009, 04:00:15 am
The version 1.1 has just been released, and it includes fixes of very minor bugs and some enhancements, namely:

Now you can add a memo (comment) on each line of the blacklist.

Use of the memo (comment) is optional. If you want to use the memo, it must start with 3 dots (...) immediately following the blacklist rule. Example:

[email protected]://www.domain.com...United States users

DOWNLOAD the version 1.1 from: http://www.jamit.com/plugins.htm

UPDATING FROM EARLIER VERSIONS
 
If you are already using an earlier version of the TRAFFIC FILTER, this is the best way to update:

Do not uninstall the existing plugin! Just overwrite all the files in the folder /TrafficFilter/ with the new files that are supplied in the download package.

EXAMPLE OF CONFIGURATION (IP ranges, countries, user-agent strings)

This thread, several lines up, also has an example of blocking configuration. Please scroll up and look it up. I just updated the IP ranges today and corrected some serious errors in the example list.

USE WITH EARLIER VERSIONS OF JOB BOARD

The TRAFFIC FILTER requires JB version 3.6.0+, however, it can be used with earlier versions, if you follow the simple procedure outlined in the README file. It only requires that you add one line of code into your /include/functions.php file. (If you don't, the filter just won't work.)


Title: Catching hackers
Post by: Peter on October 15, 2009, 08:38:26 am
I have installed the TRAFFIC FILTER on my Job Board site yesterday, and in 24 hours, I have blocked 45 events! Some of them were robots from Russia, trying to sign up as an employer! Definitely many attempts to hack in. The Traffic Filter made it harder to break in.

Here is one setting for the Traffic Filter, which helps in preventing code injection and MySQL injection:

Code:
AGENT#(\'|\`|\*|\?|>|<|script|eval|base64_decode)#[email protected] injection, code injection

(The above example is already included in the complete example of configuration a few posts up in this thread.)


Title: v 1.2 of the Traffic Filter released!
Post by: Peter on October 16, 2009, 03:59:39 am
The version 1.2 has just been released, and it includes fixes of very minor bugs and some enhancements, namely:

Now you can add a memo (comment) on each line of the blacklist.
The plugin has a simple function to validate regular expressions.

Use of the memo (comment) is optional. If you want to use the memo, it must start with 3 dots (...) immediately following the blacklist rule. A whole line is treated as a comment if it starts with #. Examples:

Code:
########################
# COUNTRIES
[email protected]://www.domain.com...United States users
########################

DOWNLOAD the version 1.2 from: http://www.jamit.com/plugins/TrafficFilter.zip


UPDATING FROM EARLIER VERSIONS
 
If you are already using an earlier version of the TRAFFIC FILTER, this is the best way to update:

Do not uninstall the existing plugin! Just overwrite all the files in the folder /TrafficFilter/ with the new files that are supplied in the download package.

EXAMPLE OF CONFIGURATION (IP ranges, countries, user-agent strings)

Code:
#
# user agents
#
AGENT/^$/@DEF...empty
AGENT/^\.+$/@DEF...dots
AGENT/^[a-z0-9]{1,}$/[email protected] without whitespace
AGENT#^(Mozilla|Mozilla/[0-9]{1,}\.[0-9]{1,})$#[email protected] Mozilla
AGENT/^[a-z\ \.]{1,}$/[email protected] only
AGENT/^[0-9\ \.]{1,}$/@DEF...numeric only
AGENT/Mozzila/[email protected]
AGENT#(\'|\`|\*|\?|>|<|script|eval|base64_decode)#[email protected] injection
AGENT#MSIE\ [0-9]{1,1}\.[0-9]{1,1};\ MSIE\ [0-9]{1,1}\.[0-9]{1,1}#@DEF...2 browsers

USE WITH EARLIER VERSIONS OF JOB BOARD

The TRAFFIC FILTER requires JB version 3.6.0+, however, it can be used with earlier versions, if you follow the simple procedure outlined in the README file. It only requires that you add one line of code into your /include/functions.php file. (If you don't, the filter just won't work.)
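
The blacklist syntax described in the post above (AGENT regex rules, wildcard and CIDR IP rules, optional `...` memos, `#` comment lines, regex validation), as an added example that is not the plugin's code: a Python dry-run that parses such a list, reports invalid regular expressions, and shows which rule a request would hit, so false positives can be found before a list goes live. It assumes first-match-wins evaluation and uses Python's `re` module as a stand-in for the plugin's regex engine; `SAMPLE_RULES`, its IP entries and the requests in the demo are constructed.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed sample blacklist in the syntax shown in this thread. The AGENT
# patterns are copied from the posts; the IP entries are documentation ranges
# (RFC 5737), not addresses from the thread. For the injection rule the page
# text between the closing '#' and the memo is not legible, so no modifier is
# used and the memo is constructed.
SAMPLE_RULES = r"""
# user agents
AGENT/^$/@DEF...empty
AGENT/^\.+$/@DEF...dots
AGENT/^[0-9\ \.]{1,}$/@DEF...numeric only
AGENT/(\"|\'|\`)/@DEF
AGENT#(\'|\`|\*|\?|>|<|script|eval|base64_decode)#@DEF...injection
AGENT/([a-z/@DEF...constructed broken regex
# IP ranges
192.0.2.0/25@DEF...constructed CIDR entry
198.51.100.*@DEF...constructed wildcard entry
"""

# rule@target, optionally followed by three dots and a memo
TAIL = r"@(?P<target>.*?)(?:\.\.\.(?P<memo>.*))?$"
AGENT_RE = re.compile(r"^AGENT(?P<d>[/#])(?P<pat>.*?)(?P=d)(?P<mods>[a-z]*)" + TAIL)
IP_RE = re.compile(r"^(?P<ip>[0-9.*/]+)" + TAIL)


class Rule(NamedTuple):
    line_no: int
    kind: str        # "AGENT" or "IP"
    matcher: object  # compiled regex, or an ipaddress network
    target: str      # redirect target, e.g. DEF
    memo: str        # optional comment after the three dots


def to_network(spec: str):
    """Turn '38.*' into 38.0.0.0/8 (the equivalence the thread states); pass CIDR through."""
    if spec.endswith(".*"):
        octets = spec[:-2].split(".")
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")
    return ipaddress.ip_network(spec, strict=False)


def parse_line(line_no: int, line: str) -> Rule:
    m = AGENT_RE.match(line)
    if m:
        unknown = set(m["mods"]) - {"i"}
        if unknown:
            raise ValueError(f"unsupported modifier(s): {sorted(unknown)}")
        flags = re.IGNORECASE if "i" in m["mods"] else 0
        # re.compile doubles as the regex validation step
        return Rule(line_no, "AGENT", re.compile(m["pat"], flags), m["target"], m["memo"] or "")
    m = IP_RE.match(line)
    if not m:
        raise ValueError("unrecognised rule syntax")
    return Rule(line_no, "IP", to_network(m["ip"]), m["target"], m["memo"] or "")


def parse_rules(text: str):
    """Return (rules, errors); blank lines and lines starting with '#' are skipped."""
    rules, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            rules.append(parse_line(line_no, line))
        except (ValueError, re.error) as exc:
            errors.append((line_no, line, str(exc)))
    return rules, errors


def first_match(rules, ip: str, user_agent: str) -> Optional[Rule]:
    """Return the first rule that would redirect this request, or None."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if rule.kind == "AGENT" and rule.matcher.search(user_agent):
            return rule
        if rule.kind == "IP" and addr in rule.matcher:
            return rule
    return None


if __name__ == "__main__":
    rules, errors = parse_rules(SAMPLE_RULES)
    for line_no, line, why in errors:
        print(f"line {line_no}: INVALID ({why}): {line}")
    browser = "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3"
    requests = [  # constructed (ip, user_agent) pairs
        ("203.0.113.7", ""),
        ("203.0.113.7", browser),
        ("203.0.113.7", "Mozilla/4.0 'probe'"),
        ("203.0.113.7", "ExampleBot/1.0 (+http://example.com/bot?id=1)"),
        ("192.0.2.10", browser),
        ("192.0.2.200", browser),
    ]
    for ip, ua in requests:
        hit = first_match(rules, ip, ua)
        print(ip, repr(ua), "->", f"line {hit.line_no} {hit.memo!r}" if hit else "allowed")
```

The `ExampleBot` request shows the cost of the broad injection pattern: a harmless crawler that advertises a URL containing `?` is redirected, which is the kind of hit worth checking for in `jb_log_redirects` after deploying a rule.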


Title: Re: Traffic Filter Plugin
Post by: wclang on October 17, 2009, 06:28:10 am
This is great. Thanks for the hard work.

Question:

I set up my rules to follow your example (except I removed the USA ip's you blocked since I want users from USA to access my site). The question I have: does anyone know of a proxy server that we can use from other countries to test if we get redirected/blocked?

Thanks,

-wclang


Title: Re: Traffic Filter Plugin
Post by: Peter on October 17, 2009, 11:44:31 pm
Thanks for your praise.

For your information, most of those USA-based IP addresses belong to servers that harvest data. Personally, I don't block USA users, but I am not interested in my website's data being resold, nor am I interested in these robots putting excess load on my site.

To find a free proxy, just google it! http://www.google.com.hk/#hl=en&source=hp&q=free+proxy&btnG=Google+Search&meta=&aq=f&oq=free+proxy&fp=9bb0c63c4ba974ec

There are MANY sites which provide lists of proxies. One that I found and has some free and well functioning proxies is http://www.proxy4free.com/page1.html .

On this site, I found a TRULY ANONYMOUS proxy in Myanmar, 203.81.81.37, port 80. This one is impossible to detect.


Title: Re: Traffic Filter Plugin
Post by: wclang on October 18, 2009, 04:28:07 am
Oh wow, I didn't know that was why you had them in the list. Thanks for informing me; I will re-add those IPs so they are blocked as well.

Thanks for the proxy links.. I sorta forgot to look on Google.. lol..


Title: Re: Traffic Filter Plugin
Post by: Peter on October 18, 2009, 11:04:34 pm
It is good to be selective -- my "example" list of blocked IPs may possibly contain some errors. (I hope not!) And yes, you may not want to block all those IP ranges that I block. ;)

You may need to double check the IP addresses from time to time. This is a good Whois service site: http://cqcounter.com/whois/

HOW TO VERIFY/CHECK WHETHER THE TRAFFIC FILTER IS WORKING

The plugin records every single redirection (blocking) event into a database table. The table's name is jb_log_redirects. You can access this table using phpMyAdmin and see which requests were redirected. The table has other valuable information, such as the reason why (the redirect rule and condition).

You may want to look at the table jb_log_redirects periodically to see whether your redirect rules work correctly and whether you have any errors in your redirect rules.

Additionally, the database has another table called jb_log_redir_aggr, which is only the daily aggregate numbers of all redirects. Still, the most valuable table is jb_log_redirects.


Title: Re: Traffic Filter Plugin
Post by: wclang on October 24, 2009, 07:18:39 pm
Also, as a last resort or first attempt you can use your host provider to block IP ranges. For instance I use a hosting service that uses cPanel for easier setup and such. I noticed one of the options is security and within there is a link for "IP Deny Manager - This feature will allow you to block a range of IP addresses to prevent them from accessing your site. You can also enter a fully qualified domain name, and the IP Deny Manager will attempt to resolve it to an IP address for you."

(http://i218.photobucket.com/albums/cc282/Jathor9000/ipdeny.png)


Just thought I would share another option with everyone.

Hope it helps...

-wclang


Title: Re: v 1.2 of the Traffic Filter released!
Post by: steve on November 13, 2009, 11:57:47 pm
The TRAFFIC FILTER requires JB version 3.6.0+, however, it can be used with earlier versions, if you follow the simple procedure outlined in the README file. It only requires that you add one line of code into your /include/functions.php file. (If you don't, the filter just won't work.)

should that read ...version 3.5.0+?

I've looked and the most recent version of Jamit is 3.5.3  :)


Title: Re: Traffic Filter Plugin - Possible Option / Addition - IP Blocker
Post by: mshanley on February 22, 2010, 05:30:03 am
I like the traffic filter concept, I will probably install it as well. But - I have been in need of a good IP filter for some time without using / overloading the web server.
I was playing around with PeerGuardian and a couple of other tools.. but they seemed a little buggy and the new version locks up once I add all the countries..

Anyway.. I'm in the USA and I don't want / need anyone on my web server or my e-mail server..  so I found a new tool.. after the trial I bought it.. it's under $50.. and works great (much better than PeerGuardian ever did)

Take a look.. runs as its own application - has a lot of cool features..  then you can add the special blocks to .htaccess or traffic filter

If you're interested it's called Beethink IP Blocker....  http://www.beethink.com/  $29 after trial...  :)  It also logs the IPs
you can download complete country IP lists and use them.


Title: Re: v 1.2 of the Traffic Filter released!
Post by: Peter on March 21, 2010, 11:41:49 pm
...

should that read ...version 3.5.0+?

I've looked and the most recent version of Jamit is 3.5.3  :)
....

Yes, the most recent version is 3.5.3. Yes, the plugin requires JB version 3.6.0+, however, a simple modification outlined in the instructions will allow you to use it with earlier versions.


Title: Server-side vs. Client-side
Post by: Peter on March 21, 2010, 11:46:20 pm
I like the traffic filter concept, I will probably install it as well. But - I have been in need of a good IP filter for some time without using / overloading the web server.
I was playing around with PeerGuardian and a couple of other tools.. but they seemed a little buggy and the new version locks up once I add all the countries..

Anyway.. I'm in the USA and I don't want / need anyone on my web server or my e-mail server..  so I found a new tool.. after the trial I bought it.. it's under $50.. and works great (much better than PeerGuardian ever did)

Take a look.. runs as its own application - has a lot of cool features..  then you can add the special blocks to .htaccess or traffic filter

If you're interested it's called Beethink IP Blocker....  http://www.beethink.com/  $29 after trial...  :)  It also logs the IPs
you can download complete country IP lists and use them.

You are referring to a system which runs on client side and has nothing to do with the server (which holds your Job Board). The systems you mention (incl. Peer Guardian) will not protect anything on the server, but only on your home PC.


Title: Re: IP Deny Manager and .htaccess
Post by: Peter on March 22, 2010, 12:14:17 am
Also, as a last resort or first attempt you can use your host provider to block IP ranges. For instance I use a hosting service that uses cPanel for easier setup and such. I noticed one of the options is security and within there is a link for "IP Deny Manager .......

-wclang

Yes, thank you for mentioning this. Your hosting account uses cPanel, where you can access the IP Deny Manager. Effectively, the IP Deny manager writes (or edits) the .htaccess file, which tells the Apache server how to process HTTP requests.

I believe that I have also mentioned in my earlier post that you can create/edit your own .htaccess file. (You don't have to use the cPanel's IP Deny Manager.)

Here is an example of code inside the .htaccess file:
Code:
<Limit GET HEAD POST>
order allow,deny
# Country: COTE D'IVOIRE
# ISO Code: CI
# Total Networks: 16
# Total Subnets:  112,896
deny from 41.189.32.0/19
deny from 41.189.96.0/19
deny from 41.191.68.0/22
deny from 41.202.64.0/19
deny from 41.202.96.0/19
deny from 41.202.128.0/19
deny from 41.206.64.0/19
deny from 41.207.0.0/19
deny from 41.207.192.0/19
deny from 41.216.240.0/20
deny from 41.223.208.0/22
deny from 196.47.128.0/18
deny from 196.201.64.0/19
deny from 196.223.4.0/24
deny from 213.136.96.0/19
deny from 213.150.192.0/19
#
allow from all
</Limit>

ADVANTAGE OF USING .htaccess
Since .htaccess controls Apache's behavior, you have effectively moved your traffic filtering down one level, and the server will not have to work as hard.

DISADVANTAGE OF USING .htaccess AND WHY THE TRAFFIC FILTER IS USEFUL
The Traffic Filter plugin takes advantage of the power of the PHP code, which is more powerful than the notation in .htaccess. The Traffic Filter can do more. The Traffic Filter will log all events in the database and you know whom you are blocking, when and how many. You will also know if you are blocking legitimate traffic. If you rely only on .htaccess, you have no idea what is going on.

As I have suggested earlier, you could verify your redirect (blocking) rules inside the Traffic Filter first. After that, you move those rules into the .htaccess file.

There are many resources on the web about the .htaccess file. One of them is http://www.askapache.com/htaccess/htaccess.html .

You should exercise extreme CAUTION when messing with the .htaccess file.
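
An added example (not part of the post above, and not the plugin's code): a Python check for a deny block like the one in the post, to run before the block goes into .htaccess. It assumes Apache 2.2 Order/Allow/Deny syntax with one CIDR or "all" per line; the function names are made up for this example.

```python
import ipaddress
import re

# The 16 networks from the post above, wrapped into the same block layout.
NETS = ("41.189.32.0/19 41.189.96.0/19 41.191.68.0/22 41.202.64.0/19 "
        "41.202.96.0/19 41.202.128.0/19 41.206.64.0/19 41.207.0.0/19 "
        "41.207.192.0/19 41.216.240.0/20 41.223.208.0/22 196.47.128.0/18 "
        "196.201.64.0/19 196.223.4.0/24 213.136.96.0/19 213.150.192.0/19").split()
SAMPLE = ("<Limit GET HEAD POST>\norder allow,deny\n# Total Networks: 16\n"
          "# Total Subnets:  112,896\n"
          + "".join(f"deny from {n}\n" for n in NETS)
          + "allow from all\n</Limit>\n")

def parse_block(text):
    """Return (order, allow, deny, declared) for an Apache 2.2 access block."""
    order, allow, deny, declared = None, [], [], {}
    for line in map(str.strip, text.splitlines()):
        low = line.lower()
        m = re.match(r"#\s*Total (Networks|Subnets):\s*([\d,]+)", line)
        if m:
            declared[m.group(1).lower()] = int(m.group(2).replace(",", ""))
        elif low.startswith("order "):
            order = low.split(None, 1)[1].replace(" ", "")
        elif low.startswith(("deny from ", "allow from ")):
            verb, _, spec = low.split(None, 2)
            # strict=True raises on CIDRs with host bits set (a common typo)
            rule = "all" if spec == "all" else ipaddress.ip_network(spec, strict=True)
            (allow if verb == "allow" else deny).append(rule)
    return order, allow, deny, declared

def is_denied(ip, order, allow, deny):
    """Apply Apache 2.2 Order semantics to one client address."""
    addr = ipaddress.ip_address(ip)
    def hit(rules):
        return any(r == "all" or addr in r for r in rules)
    if order == "allow,deny":   # default deny; a Deny match overrides Allow
        return not hit(allow) or hit(deny)
    if order == "deny,allow":   # default allow; an Allow match overrides Deny
        return hit(deny) and not hit(allow)
    raise ValueError(f"unsupported Order: {order!r}")

def audit(text):
    """Summarise the deny list so it can be compared with the header comments."""
    _, _, deny, declared = parse_block(text)
    nets = [n for n in deny if n != "all"]
    overlaps = [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]
    return {"networks": len(nets), "addresses": sum(n.num_addresses for n in nets),
            "declared": declared, "overlaps": overlaps}
```

For the block in the post, the 16 networks add up to 112,896 addresses, which is the figure its "Total Subnets" comment gives. With the same rules under "order deny,allow", the "allow from all" line overrides every deny line and nothing is blocked.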


Title: Re: Traffic Filter Plugin
Post by: Stranger on April 24, 2010, 07:43:43 pm
My email server (hmailserver) is currently under attack from China.

I host my board on my server here behind me.

I'm trying to configure the Traffic Filter and I get the following error when I click the link to install the Database tables;

"Fatal error: Maximum execution time of 30 seconds exceeded in E:\webservices\htdocs\XXXXXXXXXjobs\db.php on line 40"

How do I get around this?

I have included the code for the 2 lines in "include/functions.php".

I will be getting a new router that will allow me to block certain IP addresses in the very near future, also.

Any help is appreciated.

Thanks.


Title: Re: Traffic Filter Plugin
Post by: Peter on May 10, 2010, 09:52:05 am
......
I'm trying to configure the Traffic Filter and I get the following error when I click the link to install the Database tables;

"Fatal error: Maximum execution time of 30 seconds exceeded in E:\webservices\htdocs\XXXXXXXXXjobs\db.php on line 40"

How do I get around this?........

Hi Stranger,

Sorry for late reply.

Here is the fix for your situation. (Not every user needs to do this. Apparently, your server is very, very slow.)

In the folder /TrafficFilter/ is a file called install_tables.php . Open it and in the top part of the file you will find:
Code:
$queryLimit  = 5000; // how many queries to be executed in each step; suggested 5000
$pageRefresh = 5;   // seconds for each installation step; suggested 5 sec

Change the above numbers to:
Code:
$queryLimit  = 1000;
$pageRefresh = 20;

This will make the database installation very slow, which is OK, since it is done only when installing the Traffic Filter (database).

If your server is very slow, you may need to make the number even smaller.

Peter


Title: Traffic Filter version 2.2 available!
Post by: Peter on May 10, 2010, 09:55:07 am
Version 2.2 of the Traffic Filter has been released and is available at http://market.jamit.com/.

The new version includes bug fixes, functionality enhancements (redirect/blocking rules by host name, referrer), performance, user interface (GUI).

Included is also an EXAMPLE CONFIGURATION file, which contains millions of malicious IP addresses and settings to prevent many other threats, spamming and data mining robots. I have been compiling this file since August 2008, so the value of this file is tremendous!

My plan is to publish a new version with updated example configuration file about every 6 months unless I have some other major improvements that warrant earlier release.

Existing users are advised to upgrade.

Peter


Title: Version 3.0 renamed to TRAFFIC COP!
Post by: Peter on May 20, 2010, 10:52:53 pm
Blokes and gals,

It is my pleasure to announce that version 3.0 is out!

Most noticeably, the plugin boasts a new name, TRAFFIC COP. The intention was to better express what this plugin does.

Most importantly, version 3.0 includes a MAJOR revamp of functions, enhancements (functional and GUI), as well as bug fixes.

Do I recommend this plugin? You bet!

Please read more under the topic "TRAFFIC COP". Thanks.