I have a customer whose website is under a brute-force attack. I detect many fraudulent IPs accessing the site using:
echo $_SERVER['HTTP_REFERER'] . " - " . getIp() . " - " . date("Y-m-d H:i:s");
I can see that IPs are accessing the website many times, like 10 times per second.
I need to block all IPs with that behavior. What do you recommend doing?
(It is a simple WordPress blog.)
This rule probably works: more than 10 (decide for yourself) requests per second is a sign of a fraudulent IP, and this may be controlled.
MySQL:
DROP TABLE IF EXISTS `tbl_request`;
CREATE TABLE `tbl_request` (
`codigo_request` bigint(11) NOT NULL AUTO_INCREMENT,
`ipnumber` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL,
`date` datetime DEFAULT NULL,
`is_hacking` varchar(40) COLLATE utf8_unicode_ci DEFAULT NULL,
`milliseconds` varchar(40) COLLATE utf8_unicode_ci DEFAULT NULL,
`blacklisted` int(11) NOT NULL DEFAULT '0',
PRIMARY KEY (`codigo_request`)
) ENGINE=InnoDB AUTO_INCREMENT=541192 DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
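Fraudulent IPs:
-- Inner query: (ip, second) pairs with 10 or more requests.
-- Outer query: total of those requests per IP, worst offenders first.
-- Explicit columns instead of SELECT * so it also runs under ONLY_FULL_GROUP_BY.
SELECT T.ipnumber, SUM(T.cnt) AS totalCount FROM (
    SELECT ipnumber, `date`, COUNT(ipnumber) AS cnt FROM tbl_request GROUP BY ipnumber, `date` HAVING cnt >= 10
) AS T GROUP BY T.ipnumber ORDER BY totalCount DESC;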
PHP:
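// Record the current request (client IP and timestamp).
$request = new Request();
$request->setIpnumber( get_client_ip() );
$request->setDate(getDateForDatabase());
$request->insert();
// Run the "Fraudulent IPs" query and blacklist every IP it returns.
$fips = $request->getFraudulentIps();
foreach ($fips as $k => $v) {
    $v->blacklist();
}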
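The query above groups by `ipnumber, date`, and `date` is a DATETIME with one-second resolution, so it counts requests per clock second and misses a burst that straddles a second boundary. The following added example (not part of the answer; `findBurstIps`, its parameters and the sample data are constructed for illustration) applies the same threshold over a sliding one-second window in PHP:

```php
<?php
// Added example, not the answerer's Request class: sliding-window burst detection.
// Function name, defaults and sample data are assumptions made for illustration.

/**
 * Return IPs that made more than $limit requests within any $window seconds.
 *
 * @param array $requests list of [ip, unix timestamp with fractional seconds]
 * @return array ip => largest number of requests seen inside one window
 */
function findBurstIps(array $requests, int $limit = 10, float $window = 1.0): array
{
    // Collect the timestamps of each IP.
    $byIp = [];
    foreach ($requests as [$ip, $ts]) {
        $byIp[$ip][] = (float) $ts;
    }

    $offenders = [];
    foreach ($byIp as $ip => $times) {
        sort($times);
        $start = 0;
        $peak = 0;
        // Two-pointer window: requests $start..$end always span less than $window.
        foreach ($times as $end => $t) {
            while ($t - $times[$start] >= $window) {
                $start++;
            }
            $peak = max($peak, $end - $start + 1);
        }
        if ($peak > $limit) {
            $offenders[$ip] = $peak;
        }
    }
    arsort($offenders); // worst offenders first
    return $offenders;
}

// Constructed sample: 203.0.113.7 sends 12 requests in about half a second,
// split across two clock seconds, so no per-second bucket reaches 10.
$sample = [];
for ($i = 0; $i < 12; $i++) {
    $sample[] = ['203.0.113.7', 100.70 + $i * 0.05];
}
// Constructed sample: 198.51.100.4 is a normal visitor, one request every 2 s.
foreach ([100.0, 102.0, 104.0] as $t) {
    $sample[] = ['198.51.100.4', $t];
}

print_r(findBurstIps($sample));
```

The timestamps need sub-second precision (for example from `microtime(true)`), and the IP should come from a source the client cannot set, otherwise the per-IP count can be evaded or used to get other addresses blacklisted.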