Use Antihacking protection to ban an IP range - how?

ionicle

I would like to ban a certain number of IP ranges from accessing the server at all. I don't want to use an external firewall to do that though.
I know that can be done via the Ban function of the Antihacking Protection, however, there is no interface to input the IP ranges directly. What is the correct syntax to input them manually in the "persist.data" file instead?
What I want is for those IP ranges to not be served anything at all - the server should simply drop those connections as soon as they're established.

Axis

Hello ionicle--
The interface is in the host menu under IP Address Control. No need to mess with persist data directly.
Regards,
Axis

ionicle

No.
I specifically mentioned that I want to deny the incoming connection attempt without any sort of response, not having the connection honored and then sending a 403 error.
What I want is basically covered in this topic:
http://www.aprelium.com/forum/viewtopic.php?t=183573
It's, supposedly, how the Antihacking protection works, after identifying an attacking IP: dropping the connection attempt without any form of response.
Part of the "persist.data" code is presented in this topic:
http://www.aprelium.com/forum/viewtopic.php?t=265137
The only thing I need to know is, where exactly I should insert the modified code in the contents of "persist.data". I could totally do this on my own if I had at least one attacking IP detected and blocked by my Abyss. The fact that I don't have any, effectively means that no entries are present in my "persist.data" file, and thus, I have no idea where to insert them manually.

ionicle

I figured it out by setting up arbitrary rules in my own server and "attacking" it myself.


<antihack>
      <blackip>
	<ip>
             212.xxx.xxx.xxx
	</ip>
   <until>
	       Tue, 20 Aug 2013 21:27:07 GMT
	</until>
      </blackip>
</antihack>

That is the code that's added to the "persist.data" file.
My only question now is: how do I alter that so I can actually block an entire IP range, instead of just one IP address? If I try adding a range manually in the file, the value gets erased for some reason.
I don't get it. Why didn't you guys implement an interface option to manually add individual IPs/IP ranges in the Antihacking section? That would have been perfect, plus people that deal with webservers are more than capable of observing the behavior of malicious bots/scripts attacking the server, and determining whether or not they should be banned, instead of relying solely on the automated protection...

aprelium-support

You could use any IP range format as described in http://www.aprelium.com/data/doc/2/abyssws-win-doc-html/ipformat.html .

ionicle wrote
My only question now is: how do I alter that so I can actually block an entire IP range, instead of just one IP address? If I try adding a range manually in the file, the value gets erased for some reason.

You should do that while Abyss Web Server is not running.

I don't get it. Why didn't you guys implement an interface option to manually add individual IPs/IP ranges in the Antihacking section? That would have been perfect, plus people that deal with webservers are more than capable of observing the behavior of malicious bots/scripts attacking the server, and determining whether or not they should be banned, instead of relying solely on the automated protection...

Software cannot be perfect from day 1. That's why we ask always customers and users to provide us with their feedback. If a feature is felt being missing, we add it in new versions. That's how Abyss Web Server evolved. :)

ionicle

Thank you for the response, but no.
I already tried that with the regular IP range format:
1.0.0.0-1.255.255.255
And no, it doesn't work - when I restart Abyss to validate the change, it gets rewritten to 0.0.0.0. It simply doesn't accept an IP range in that specific value:
<antihack>
<blackip>
<ip>
212.xxx.xxx.xxx
</ip>
<until>
Tue, 20 Aug 2013 21:27:07 GMT
</until>
</blackip>
</antihack>
My guess would be that it shouldn't be enclosed in an <ip> tag, since it isn't an individual IP, but a range. My question, therefore, is:
What is the proper tag to enclose the IP range in, so that it would be recognized by Abyss and used by the Antihacking protection?

aprelium-support

ionicle,
We have checked with our lead development team and it seems that <ip></ip> accepts only IPs and not ranges.
persist.data file format is not documented (even if easy to grasp) because it was never meant to be used by external tools.
Please get in touch with us regarding enhancing Abyss Web Server to add the features you need.

ionicle

Right, thank you, that clarifies it. I suspected that was the case indeed.
The "persist.data" file is totally a cake to grasp, since it's kinda written in the same easily-readable format that "abyss.conf" uses.
I thought about trying <range> or <iprange> tags, but didn't really count on those being actually implemented.
How do I get in touch with you? Emailing at support@aprelium.com?
I'd actually LOVE to see an interface option in the Antihacking Protection section, offering to manually input IPs/ranges for use by the protection module. Main reason is - it handles the blacklisted connections differently than the graceful 403s of the Allowed/Denied section, dropping the connection immediately, and not wasting server resources on actually honoring the request by serving a "Forbidden" page. Also, a lot of attackers can easily be identified manually by a vigilant observer, and might be missed by an automated module - therefore we need the option to manually pinpoint ban targets for the protection.
Once the perpetrator sees the "Forbidden" page, they will actually know that they've been blacklisted. Security through obscurity is something I really like, and I do consider the Antihacking protection method of handling the connections a lot more effective in fending off those pesky attackers.
I mean - if you cannot even connect, what can you do? Plus, when the connection is simply dropped, the attacker will not have a clear idea as to why this is happening, and therefore will be less likely to implement proper counteracting measures to try and circumvent the ban.

aprelium-support

ionicle wrote
How do I get in touch with you? Emailing at support@aprelium.com?

Sure. Please use it to get in touch with us.