Blocking VPNs / Proxies that are up to no good - IPVanish, etc.
Posted: Wed Feb 12, 2020 10:59 am
Had a problem with proxies/VPNs from someone/something hitting my site acting as regular users. Came up with a simple script to block them using Perl to do a whois lookup and then an API call to Cloudflare to block the IP. Just sharing in case someone else sees this too. You can play around with the sleep or select line below it depending on how fast you want things noticed and blocked. This is a quick and dirty script that could be improved upon, but it works well for now.
Code:
#!/usr/bin/perl
use strict;
use warnings;

my $cftoken = 'YOURTOKEN';
my $cfuser = 'YOUREMAIL';
# Line count of the log at startup; only lines added after this are checked
my $linesinloglast = `wc -l < /var/log/httpd/access_log`; # USE YOUR APACHE LOG LOCATION
chomp($linesinloglast);
while(1){
    my $newlines = 0;
    my $linesinlog = `wc -l < /var/log/httpd/access_log`; # USE YOUR APACHE LOG LOCATION
    chomp($linesinlog); # strip the newline so the value is safe to reuse in the tail command
    if($linesinloglast < $linesinlog){
        # Log grew: look only at the lines added since the last pass
        $newlines = $linesinlog - $linesinloglast;
    } elsif ($linesinloglast > $linesinlog){
        # Log shrank (rotated or truncated): every line in it is new
        $newlines = $linesinlog;
    }
    my $logfile = `tail -n $newlines /var/log/httpd/access_log`;
    # The first field of each log line is the client address; deduplicate them
    my @ips = $logfile =~ /^(\S+)/gm;
    my %dedupehash = map { $_ => 1 } @ips;
    @ips = keys %dedupehash;
    my $ipcount = scalar(@ips);
    my $totalbanned = 0;
    foreach my $ip (@ips){
        # $ip is interpolated into shell commands below, so skip anything
        # that is not made up purely of IPv4/IPv6 literal characters
        next unless $ip =~ /\A[0-9A-Fa-f:.]+\z/;
        my $whois = `timeout 5 whois $ip`;
        $whois = lc($whois);
        my $blockflag = 0;
        # Flag the IP if the whois record mentions any of these providers
        if (index($whois, 'highwinds') != -1) { $blockflag = 1; print "\nHIGHWINDS\n";}
        if (index($whois, 'strongvpn') != -1) { $blockflag = 1; print "\nSTRONGVPN\n";}
        if (index($whois, 'stackpath') != -1) { $blockflag = 1; print "\nSTACKPATH\n";}
        if (index($whois, 'ipvanish') != -1) { $blockflag = 1; print "\nIPVANISH \n"; }
        if (index($whois, 'strongtechnology') != -1) { $blockflag = 1; print "\nSTRONGTECHNOLOGY\n"; }
        if (index($whois, 'strong technology') != -1) { $blockflag = 1; print "\nSTRONGTECHNOLOGY\n"; }
        if (index($whois, 'm247') != -1) { $blockflag = 1; print "\nM247\n"; }
        if (index($whois, 'bandcon') != -1) { $blockflag = 1; print "\nBANDCON\n"; }
        if (index($whois, 'netprotect') != -1) { $blockflag = 1; print "\nNETPROTECT\n"; }
        if ( $blockflag == 1) {
            print "IP: $ip\n";
            # Create a Cloudflare IP access rule that blocks this address
            my $cfaction = "curl -s -o /dev/null -X POST -H 'X-Auth-Email: $cfuser' -H 'X-Auth-Key: $cftoken' -H 'Content-Type: application/json' -d '{ \"mode\": \"block\", \"configuration\": { \"target\": \"ip\", \"value\": \"$ip\" } }' https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules";
            #print $cfaction."\n\n";
            system($cfaction);
        }
    }
    $linesinloglast = $linesinlog;
    #sleep 1;
    select(undef, undef, undef, 0.05); # pause 50 ms between passes
}
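Added example, not part of the original post: the same whois-keyword check split into functions that validate each logged address, cache the verdict per address, and take the lookup as a code ref so the logic can be run offline. The function names (`client_ips`, `match_provider`, `classify`), the sample log lines and the whois text are constructed for illustration; the keywords are the ones in the script above.

```perl
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);
# Keywords from the post's script, matched against lower-cased whois text.
my @KEYWORDS = ('highwinds', 'strongvpn', 'stackpath', 'ipvanish', 'm247',
                'strongtechnology', 'strong technology', 'bandcon', 'netprotect');

# Unique first fields that parse as IPv4/IPv6 literals (hostnames, junk dropped).
sub client_ips {
    my ($text) = @_;
    my %seen;
    return grep { !$seen{$_}++ }
           grep { defined(inet_pton(AF_INET, $_)) || defined(inet_pton(AF_INET6, $_)) }
           ($text =~ /^(\S+)/gm);
}

# First keyword found in the whois text, or undef when none matches.
sub match_provider {
    my $text = lc($_[0] // '');
    for my $kw (@KEYWORDS) { return $kw if index($text, $kw) != -1 }
    return;
}

# $lookup is a code ref returning whois text for an address; %$cache keeps
# each verdict so an address is looked up once, not on every pass over the log.
sub classify {
    my ($text, $lookup, $cache) = @_;
    my %hits;
    for my $ip (client_ips($text)) {
        $cache->{$ip} = match_provider($lookup->($ip)) unless exists $cache->{$ip};
        $hits{$ip} = $cache->{$ip} if defined $cache->{$ip};
    }
    return \%hits;
}

# Constructed sample data: documentation-range addresses, made-up whois text.
my $log = <<'LOG';
203.0.113.7 - - [12/Feb/2020:10:00:01 +0000] "GET / HTTP/1.1" 200 512
host.example.net - - [12/Feb/2020:10:00:02 +0000] "GET /a HTTP/1.1" 200 128
198.51.100.9 - - [12/Feb/2020:10:00:03 +0000] "GET /b HTTP/1.1" 200 64
LOG
my %whois = ('203.0.113.7'  => "OrgName: IPVanish (sample)\n",
             '198.51.100.9' => "OrgName: Example ISP\n");
my ($calls, %cache) = (0);
my $lookup = sub { $calls++; return $whois{ $_[0] } };   # stands in for whois
my $hits = classify($log, $lookup, \%cache);
classify($log, $lookup, \%cache);   # second pass is answered from the cache
print "$_ matched '$hits->{$_}'\n" for sort keys %$hits;
print "whois lookups: $calls\n";
```

For live use the code ref would wrap the real lookup; Perl's list-form pipe open, `open(my $fh, '-|', 'timeout', '5', 'whois', $ip)`, runs it without going through a shell.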