IP Blacklist
Synopsis
This module provides a dynamic IP blacklist. Used together with SEnginx's other security modules (such as robot mitigation), it blocks an IP address for a configurable period once that address has launched a specified number of attacks within one second.
This feature is available since version 1.5.5.
Directives
ip_blacklist
Syntax | ip_blacklist on/off |
Default | off |
Context | http |
Enable or disable the IP blacklist.
Example:
ip_blacklist on;
ip_blacklist_size
Syntax | ip_blacklist_size size |
Default | 1024 |
Context | http |
Specify the blacklist size, that is, how many IP addresses can be stored in the blacklist at once.
Example:
ip_blacklist_size 10240;
ip_blacklist_timeout
Syntax | ip_blacklist_timeout timeout |
Default | 60 |
Context | http |
Specify the lifetime of blacklist entries in seconds. An IP address stays blocked until its entry's timeout expires.
Example:
ip_blacklist_timeout 120;
ip_blacklist_log
Syntax | ip_blacklist_log on/off |
Default | off |
Context | http/server/location |
Enable or disable writing blacklist events to the error log.
Example:
ip_blacklist_log on;
ip_blacklist_show
Syntax | ip_blacklist_show |
Default | |
Context | location |
Show IP blacklist items.
Example:
location /show_blacklist { ip_blacklist_show; }
ip_blacklist_flush
Syntax | ip_blacklist_flush |
Default | |
Context | location |
Flush all IP blacklist items.
Example:
location /flush_blacklist { ip_blacklist_flush; }
Then visit /flush_blacklist from another browser or an HTTP client such as wget or curl to clear the blacklist:
curl http://1.1.1.1/flush_blacklist
The request is answered with status code 444, nginx's internal code for closing the connection without sending a response, so the client receives no body; the flush has still taken place. Anyone who can reach this location can empty the blacklist, so restrict it, for example to administrative addresses with the access module's allow and deny directives, or behind authentication, rather than exposing it to the same clients the blacklist is meant to stop.
ip_blacklist_mode
Syntax | ip_blacklist_mode sys/local |
Default | local |
Context | http |
Specify the blacklist mode, which can be one of two types:
- System command mode (sys): blacklisted IP addresses are handed to an external command (see ip_blacklist_syscmd) and kept outside SEnginx; with iptables, for example, requests are blocked at the kernel level.
- Local mode (local): blacklisted IP addresses are kept inside SEnginx, and subsequent requests from them are blocked by SEnginx itself.
Example:
System command mode (sys):
ip_blacklist_mode sys;
Local mode (local):
ip_blacklist_mode local;
ip_blacklist_syscmd
Syntax | ip_blacklist_syscmd [system command] |
Default | |
Context | http |
Specify the external system command SEnginx runs when it wants to blacklist an IP address. The placeholder %V in the command is replaced with the IP address.
Example:
Hand the blacklisted IP address to a script:
ip_blacklist_syscmd "sudo /path/to/a/script %V";
Use iptables to add a rule that drops traffic from the IP address:
ip_blacklist_syscmd "sudo /sbin/iptables -A INPUT -s %V -j DROP";
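The following script is an added example of a handler for ip_blacklist_syscmd; it is not part of SEnginx. It assumes the directive is set to `ip_blacklist_syscmd "sudo /usr/local/sbin/senginx-block %V";` (script name and path are made up), so the address SEnginx substitutes for %V arrives as the first argument. It refuses anything that is not a plain IPv4 address before the value reaches iptables, inserts the DROP rule at the head of the chain so it is not shadowed by an earlier ACCEPT, and, because this page does not say that SEnginx removes a sys-mode rule when the blacklist entry times out, deletes the rule itself after a period you should keep equal to ip_blacklist_timeout. Since both of the page's examples run through sudo, the user the SEnginx worker processes run as needs a sudoers entry that allows exactly this one command without a password (an assumption about the deployment).

```shell
#!/bin/sh
# senginx-block: hypothetical handler for SEnginx's ip_blacklist_syscmd.
# Added example, not part of SEnginx. Assumed configuration:
#   ip_blacklist_mode sys;
#   ip_blacklist_syscmd "sudo /usr/local/sbin/senginx-block %V";
# SEnginx substitutes the client address for %V, so it arrives here as $1.

IPTABLES="${IPTABLES:-/sbin/iptables}"   # tests point this at a stub function
CHAIN="${CHAIN:-INPUT}"
BLOCK_SECONDS="${BLOCK_SECONDS:-60}"     # keep equal to ip_blacklist_timeout

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
# Rejecting anything else keeps the argument from reaching iptables as a
# mangled rule and refuses input that is not an address at all.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    ipv4_oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$ipv4_oldifs
    [ "$#" -eq 4 ] || return 1
    for ipv4_octet in "$@"; do
        [ "$ipv4_octet" -le 255 ] || return 1
    done
    return 0
}

# block_ip ADDR: insert a DROP rule at the head of CHAIN so it wins over any
# later ACCEPT rule. Returns 2 for a rejected argument, 1 if iptables fails.
block_ip() {
    is_ipv4 "$1" || { echo "senginx-block: refusing to block '$1'" >&2; return 2; }
    "$IPTABLES" -I "$CHAIN" -s "$1" -j DROP || return 1
    return 0
}

# unblock_ip ADDR: delete the rule block_ip inserted.
unblock_ip() {
    is_ipv4 "$1" || return 2
    "$IPTABLES" -D "$CHAIN" -s "$1" -j DROP
}

# Entry point used by SEnginx. The page does not say that SEnginx removes a
# sys-mode rule when the blacklist entry times out, so the rule is expired
# here, in the background, after BLOCK_SECONDS.
main() {
    block_ip "$1" || exit $?
    ( sleep "$BLOCK_SECONDS"; unblock_ip "$1" ) >/dev/null 2>&1 &
}

# Only act when SEnginx passes an address; with no arguments the file just
# defines the functions above (handy for sourcing and testing).
[ "$#" -eq 0 ] || main "$@"
```

The script handles IPv4 only, matching the page's iptables example; an ip6tables branch would follow the same pattern with its own validator. Exit status 2 for a rejected argument is distinct from iptables failures so the error log (ip_blacklist_log on) tells the two apart.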
Example used with the robot mitigation module:
http {
    ... ...
    ip_blacklist on;
    ip_blacklist_size 10240;
    ip_blacklist_timeout 60;
    ip_blacklist_log on;
    server {
        listen 80;
        server_name localhost;
        location /blacklist_flush {
            ip_blacklist_flush;
        }
        location /blacklist_show {
            ip_blacklist_show;
        }
        location / {
            ... ...
            robot_mitigation on;
            robot_mitigation_mode js;
            robot_mitigation_blacklist 10;
            ... ...
        }
    }
}