[support] Subject: Re: Rules redirect

Franz Iberl f.iberl at amazonas-box.de
Thu Jun 6 20:27:01 UTC 2013


On 06.06.13 14:45, Roger wrote:
>
> Thanks for replying.
> <snip> You could use the ip blocking tool in Drupal itself instead of
> .htaccess. </snip>
>
> Yes I have tried this on another site however the protagonist only has
> to switch his modem off then on and he has a new ip address, or have a
> couple of hundred pests using the same attempts. We have a couple of
> hundred attempts using the same [type] but different IP addresses each
> time.

ok, in many cases one has to block "groups" of IP-Nrs.
e.g. instead of only
  deny from 117.21.226.205
even
  deny from 117.26
(I do this only if I really learnt that a lot of bad links come from this ip-range)

I am not sure whether this works with blocking through Drupal, I do it only in .htaccess

> [type] in Reports shows a list including wp-login.php, signup.php or
> .asp, modules.php, profile.php, register.aspx, reg.php  YaBB.cgi,
> register, blogs, join.php /.pl / .asp and the list goes on and on with
> entirely different ip addresses for each.

I did not mean the urls. In the admin menu there is a report entry called "top visitors" (at first I had it only in German so I did not name it explicitly); this list can be sorted according to the *accumulated server-time* the respective ip-nr consumes, or the nr. of hits. In my case (and as far as I heard, with a lot of other people too) the google-bot, which I do not block ;-), normally consumes by far the most server time at my sites.

That is what I meant with:
> All entries with time sum near (or even higher than) the google-bot normally are spammers. The ip-nr looked up in the search engine mostly gives enough information to justify ip-blocking.</snip>

In this list patterns of related ip-regions can also be identified.

...

> I blocked dozens of legitimate users with the Drupal IP blocking because
> they eventually got the blocked ip addresses.

From China and so on? Then it can get more difficult.

> I also set it so that after a number of attempts it blocked the IP but
> some people are really dumb and cannot enter their user or password
> consistently and so they too got blocked after 5 attempts. I had to
> remove it.

ok, but the honeypot module (mentioned in another post) does not have this problem; the speed of retries is significant and this filter criterion can be adjusted.

> Whois indicates that all emanate from an ISP in Putian city, Fujian province, China, 36.248.169.127

but not the legitimate users you mentioned above?

Servus
  Franz
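
The range-blocking idea discussed above, as an added example that is not part of the original message: it groups requests for the probe scripts named in the thread by address prefix and proposes a partial-address `deny from` line only when several distinct addresses in one range are probing, counting the other visitors that rule would also hit. The log lines are constructed (documentation addresses), and the function name and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Script names taken from the probe list quoted in the message above.
PROBES = {"wp-login.php", "signup.php", "modules.php", "profile.php",
          "register.aspx", "reg.php", "YaBB.cgi", "join.php"}
LINE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)')

# Constructed sample in Apache common log format (documentation addresses).
SAMPLE_LOG = """\
198.51.100.7 - - [06/Jun/2013:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210
198.51.100.19 - - [06/Jun/2013:10:00:05 +0000] "POST /signup.php HTTP/1.1" 404 210
198.51.100.44 - - [06/Jun/2013:10:00:09 +0000] "GET /YaBB.cgi HTTP/1.1" 404 210
198.51.100.90 - - [06/Jun/2013:10:02:00 +0000] "GET /node/12 HTTP/1.1" 200 5120
203.0.113.5 - - [06/Jun/2013:10:03:00 +0000] "GET /reg.php HTTP/1.1" 404 210
203.0.113.5 - - [06/Jun/2013:10:03:02 +0000] "GET /join.php?x=1 HTTP/1.1" 404 210
192.0.2.33 - - [06/Jun/2013:10:04:00 +0000] "GET /user/login HTTP/1.1" 200 3100
"""

def suggest_rules(log_text, octets=2, min_ips=3, min_hits=2):
    """Return (rule, probing_ips, other_ips) tuples for probing sources."""
    probing = defaultdict(lambda: defaultdict(int))  # prefix -> ip -> probe hits
    others = defaultdict(set)                        # prefix -> non-probing ips
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        prefix = ".".join(ip.split(".")[:octets])
        script = url.split("?", 1)[0].rsplit("/", 1)[-1]
        if script in PROBES:
            probing[prefix][ip] += 1
        else:
            others[prefix].add(ip)
    rules = []
    for prefix, hits in sorted(probing.items()):
        clean = others[prefix] - set(hits)
        if len(hits) >= min_ips:
            # Many distinct probing addresses: block the range, report bystanders.
            rules.append(("deny from " + prefix, len(hits), len(clean)))
        else:
            for ip, n in sorted(hits.items()):
                if n >= min_hits:
                    rules.append(("deny from " + ip, 1, 0))
    return rules

if __name__ == "__main__":
    for rule, bad, good in suggest_rules(SAMPLE_LOG):
        print(f"{rule}   # {bad} probing, {good} other visitors in range")
```

A non-zero third value means the range rule would also lock out visitors who never requested a probe script, which is the collateral blocking described in the thread.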


