Blocking IPs that visit a particular URL
Is there a way to automatically block clients that visit a particular URL? e.g. we aren’t a Wordpress site so anyone visiting
/wp-admin is most likely a bot scanning for vulnerabilities. So I’d like to block that IP immediately. Say for 24 hours.
There could be many such “honeypot” URLs that trigger a ban. There could even be patterns e.g. if there’s "UNION " in a particular part of the URL path, it’s likely a SQL injection scanner and should be blocked.
What’s the easiest way to configure such automatic blocking?
So there are multiple ways to go about blocking Ips but as you've used the word 'automatic' then I recommend speaking to email@example.com about our WAF (this would deal with SQL injection based attacks) and bot detection services offered (bot detection is via a partner). As these are the easiest ways to go about achieving that goal in an automated fashion. This also is not necessarily blocked based on the IP of the attacker.
If this is an occasional problem and you specifically want to do this on the IP as well as being something you'd want to handle then you could have a condition in VCL for the defined URL's and reference an ACL to deem if the IP is valid or not for access. Here are some VCL examples that handle blocking IP's with a response: https://www.fastly.com/demos?q=acl . The dictionary based example includes duration. You could also opt to develop automation by using our streaming logs and combining them with "versionless" edge dictionaries as some customers have done to build their own tooling based on what they see from their edge side logs.
Please sign in to leave a comment.