Blocking VPN's / Proxies that are up to no good - IPVanish, etc.

Posted: Wed Feb 12, 2020 10:59 am
by head_dunce
Had a problem with proxies/VPNs from someone/something hitting my site acting as regular users. Came up with a simple script to block them using Perl to do a whois lookup and then an API call to CloudFlare to block the IP. Just sharing in case someone else sees this too. You can play around with the sleep or select line below it depending on how fast you want things noticed and blocked. This is a quick and dirty script that could be improved upon, but works well for now.

Code:

#!/usr/bin/perl

my $cftoken = 'YOURTOKEN';
my $cfuser = 'YOUREMAIL';

my $linesinloglast = `wc -l < /var/log/httpd/access_log`; # USE YOUR APACHE LOG LOCATION

while(1){
        my $newlines = 0;
        # chomp: the trailing newline from wc would otherwise split the tail command below
        chomp($linesinlog = `wc -l < /var/log/httpd/access_log`); # USE YOUR APACHE LOG LOCATION
        if($linesinloglast < $linesinlog){
                $newlines = $linesinlog - $linesinloglast;
        } elsif ($linesinloglast > $linesinlog){
                $newlines =  $linesinlog;
        }
        my $logfile = `tail -n $newlines /var/log/httpd/access_log`;
        my @ips = $logfile =~ /^(\S+)/gm;

        my %dedupehash   = map { $_ => 1 } @ips;
        @ips = keys %dedupehash;

        my $ipcount = scalar(@ips);

        my $totalbanned = 0;

        foreach my $ip (@ips){
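                # Skip anything that is not an IP literal: $ip is interpolated into shell commands below
                next unless $ip =~ /^[0-9a-fA-F:.]+$/;
                my $whois = `timeout 5 whois $ip`;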
                $whois = lc($whois);

                my $blockflag = 0;
                if (index($whois, 'highwinds') != -1) { $blockflag = 1; print "\nHIGHWINDS\n";}
                if (index($whois, 'strongvpn') != -1) { $blockflag = 1; print "\nSTRONGVPN\n";}
                if (index($whois, 'stackpath') != -1) { $blockflag = 1; print "\nSTACKPATH\n";}
                if (index($whois, 'ipvanish') != -1) { $blockflag = 1; print "\nIPVANISH \n"; }
                if (index($whois, 'strongtechnology') != -1) { $blockflag = 1; print "\nSTRONGTECHNOLOGY\n"; }
                if (index($whois, 'strong technology') != -1) { $blockflag = 1; print "\nSTRONGTECHNOLOGY\n"; }
                if (index($whois, 'm247') != -1) { $blockflag = 1; print "\nM247\n"; }
                if (index($whois, 'bandcon') != -1) { $blockflag = 1; print "\nBANDCON\n"; }
                if (index($whois, 'netprotect') != -1) { $blockflag = 1; print "\nNETPROTECT\n"; }

                if ( $blockflag == 1) {
                        print "IP: $ip\n";
                        my $cfaction = "curl -s -o /dev/null -X POST -H 'X-Auth-Email: $cfuser' -H 'X-Auth-Key: $cftoken' -H 'Content-Type: application/json' -d '{ \"mode\": \"block\", \"configuration\": { \"target\": \"ip\", \"value\": \"$ip\" } }' https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules";
                        #print $cfaction."\n\n";
                        system($cfaction);
                } else {
                }
        }
        $linesinloglast = $linesinlog;
        #sleep 1;
        select(undef, undef, undef, 0.05);
}
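
An added example, not part of the original post: the whois-and-match step from the script above, with the log field validated as an IP literal before use, whois run without a shell, and results cached so each address is looked up once. The names valid_ip, whois_lookup and classify are hypothetical, and the sample whois text is constructed so the demo runs offline.

```perl
use strict;
use warnings;

# Provider keywords from the script above.
my @KEYWORDS = ('highwinds', 'strongvpn', 'stackpath', 'ipvanish', 'm247',
    'strongtechnology', 'strong technology', 'bandcon', 'netprotect');
my %cache;    # ip => matched keyword ('' = no match), so whois runs once per IP

# Accept only IP literals; the IPv6 test is a loose character check (assumption).
sub valid_ip {
    my ($s) = @_;
    return 1 if $s =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/
        && !grep { $_ > 255 } $1, $2, $3, $4;
    return ($s =~ /^[0-9a-fA-F:]{2,39}$/ && $s =~ /:/) ? 1 : 0;
}

# Live lookup (hypothetical helper): list-form pipe open runs whois with no shell.
sub whois_lookup {
    my ($ip) = @_;
    open(my $fh, '-|', 'timeout', '5', 'whois', $ip) or return '';
    local $/;                      # slurp the whole response
    my $out = <$fh>;
    close $fh;
    return $out // '';
}

# Returns undef for a non-IP field, '' for no match, else the keyword that hit.
sub classify {
    my ($ip, $lookup) = @_;
    return undef unless valid_ip($ip);
    unless (exists $cache{$ip}) {
        my $text = lc $lookup->($ip);
        my ($hit) = grep { index($text, $_) != -1 } @KEYWORDS;
        $cache{$ip} = $hit // '';
    }
    return $cache{$ip};
}

# Constructed sample data: client fields as /^(\S+)/ would extract them, fake whois text.
my %sample_whois = (
    '198.51.100.7' => "NetName: EXAMPLE-NET\nOrgName: IPVanish Example\n",
    '203.0.113.9'  => "netname: EXAMPLE-ISP\ndescr: Example Broadband\n",
);
for my $client ('198.51.100.7', '203.0.113.9', 'host.example;x', '198.51.100.7') {
    my $hit = classify($client, sub { $sample_whois{ $_[0] } // '' });
    printf "%-15s %s\n", $client, !defined($hit) ? 'skipped (not an IP)'
        : $hit ne '' ? "block ($hit)" : 'no match';
}
```

For live use, pass `\&whois_lookup` as the second argument to classify in place of the sample lookup.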

Re: Blocking VPN's / Proxies that are up to no good - IPVanish, etc.

Posted: Wed Feb 12, 2020 2:00 pm
by IP_CAM
What's the cftoken value? :D
It must be 15 years since I was playing around with Perl?

Re: Blocking VPN's / Proxies that are up to no good - IPVanish, etc.

Posted: Wed Feb 12, 2020 8:09 pm
by head_dunce
IP_CAM wrote:
Wed Feb 12, 2020 2:00 pm
What's the cftoken value? :D
It must be 15 years since I was playing around with Perl?
The CloudFlare token for their API
I can't see writing this type of thing in PHP :laugh: