Isabel has contacted me with the following issue about bots hitting her site:
I have come upon your website in a recent google search on how to ban proxy bots. I am experiencing a problem on my forum which you seem to be all too familiar with.
As of yesterday, a malicious user has setup a BOT to attempt to gain access to administrative and member accounts by inputting passwords. At first, we IP banned everything used. But with over 20 IP bans the BOT is still at it even as of today. It hasn’t stopped since it began. It uses IP addresses from around the world.
I read your article on stopping proxies but it all sounded greek to me. I don’t know how to use or setup any of those programs. Basically, I’d like to ban this user from my site and his BOT but I don’t know the first step into figuring out how.
I have contacted my host, my forum service, and website designers for help.
Is there a way that I can simply backtrack this BOT to the real owner? Is there a way to ban this bot regardless of IP addresses used if I could find the name of it? How could I find out what BOT is causing the issue?
Presumably both your forum service, website designers or maybe even your web-host can help you with this, and of course exactly what you can do will depend on your specific server/site configuration, but here is a general outline of what you can do:
The first step in getting this bot blocked from your site is identifying some sort of a ‘signature’ to reliably identify it. Once you know a uniquely-identifying signature for the bot you can then use various methods to block it from accessing your website or server. To ID the bot and it’s signature you will have to look in your forum logs, Apache access-logs and Apache error logs.
Here are some of the things I look for:
- IP address or IP range
- Geographical location (based on the IP)
- Type of access (proxy, bot-net, etc)
- User-Agent or other header information
- “What” it’s doing – pages/path it’s hitting, repeated page-not-found, etc
Once you have a unique signature for the bot, or way to see this bot and pick it out from all of your other visitors you can then take steps to block it. How you block the bot will depend on the level of server access you have and the tools at your disposal – here are a few tools you can use:
- A firewall such as CSF/IP Tables
- A WAF (Web Application) Firewall such as MOD_SECURITY
- .HTACCESS file rules
- RBLs or DNSBLs
- Tools/Modules/Plugins specific to your Forum or CMS such as BadBehavior or CAPTCHAs
- Temporary measures such as disabling log-ins or changing the login process so as to confuse the bot
As an example, this is what I recently did to block a bot that was repeatedly trying create fake user-accounts at one of my sites:
The bot was coming from random IP’s from all over the world – probably from infected PC’s. None of the IP’s (or very few) were on any block-lists, none were from proxies and the user-agent and headers were indistinguishable from ‘real’ visitors. However, by looking through my Apache error logs I was able to see that every time this bot tried to create an account, it first tried to access a “sign up” page that does not exist at my site (probably does exist for some other type of forum) – So by using MOD_SECURITY and CSF I was able to put together some rules that went something like this:
IF the path="/thatspecificpage.html" THEN BLOCK with error 403 page
AND IF the same IP accesses "/thatspecificpage.html" < 3 times THEN ADD IP to firewall (permanently block)
Another example in the past was when a person was attempting to ‘brute force’ attack random accounts by trying different passwords (much like your issue) – at that time I simply installed a module for my forum-software that would ‘lock out’ accounts for a specified amount of time after a specified number of failed login attempts. By looking in my logs I was eventually able to get the IP of the person, close their account and block the IP address they were using.
Some hypothetical ways to block your bad-bot:
- Just install BadBehavior! BadBehavior will automatically block a very large percentage of bots and may take care of the problem!
- If the IP’s are coming from proxies or a BOTNET, use an RBL or DNSBL to block them – to determine if the IPs are in any DNSBL or RBLs check them at a site like MXToolbox.
- If the IP’s are all in one ‘CIDR’ or a few CIDRs (ranges of IP addresses), or are all coming from the same geographical area that you don’t care about (Turkey, China, etc), block them using your firewall or .HTACCESS
- If the bot has a particular user-agent, block it with MOD_SECURITY or your .HTACCESS file
As far as identifying the real owner or master of the bot – forget it. Unless the bot-owner is an idiot you would probably never be able to track him or her down. And, even if you could identify him, then what? Are you going to go over to his house and kick his ass? (yah, sounds satisfying, but he might be big!). Sure, you could report the bot-owner to the authorities, but in all reality, they probably have bigger fish to fry. Just figure out how to get it blocked – and, just so you know, there will be more! Welcome to the interwebs!
Again – what you do, and specifically how you do it, will depend on many things, but hopefully this outline can give you some guidance.