Best way to detect if user is using an IP proxy?

This is to filter for malicious traffic, so I can’t rely on proper proxy headers. I also use Cloudflare, so I need to ensure that this doesn’t get triggered by their services.

I’m assuming this would take the form of a service that keeps an up-to-date list of proxy IP blocks, but I’m open to other solutions.

Working in a LAMP environment.

There are various API services that cater to your needs. You needn’t worry about Cloudflare in this case, because they forward the visitor’s IP address to your site in a header; you would then check that IP with an API when your site or application is loading, and block or allow their access based on the result. I am in this sector and use one of the APIs extensively in another product, but cannot recommend any specifics here due to the rules.

Remote proxy detection web services are among the easiest ways to get started. Signing up for a free plan on ip2location.io enables you to effectively filter open proxies. Additionally, these services offer user-friendly interfaces and comprehensive databases, empowering you to identify and block potentially harmful proxy connections with ease. Moreover, they often provide detailed insights into the geographical location and characteristics of detected proxies, aiding in more precise security measures. By leveraging such services, you can enhance the protection of your network infrastructure against unauthorized access and malicious activities.

I work for IPinfo and I can recommend that you use our privacy detection API service. It is a paid service, but the coverage is massive and accurate. VPN detection requires a lot of engineering investment on our end. It makes sense for businesses to purchase our service.

If you want a free solution, I can recommend using our free IP to ASN database. What you need to do is log the IP address and see from which ASNs they are coming. ASNs represent organizations that own IP address ranges. Your typical user is not likely to use a Google data center IP address. You can go through the database, identify some of the big cloud provider ASNs and their ranges, and build your very own DIY proxy detection database from that.
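A sketch of the DIY ASN approach from the post above, combined with the Cloudflare header handling and the CAPTCHA idea raised elsewhere in this thread. It is an added example, not code from any poster or vendor. The function names are hypothetical, and every range and ASN is a constructed placeholder from documentation address space; real lists would come from Cloudflare's published ranges and an IP-to-ASN database.

```php
<?php
// True if $ip lies inside $cidr; works for IPv4 and IPv6, never matches across families.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // invalid input, or IPv4 compared against IPv6
    }
    $bytes = intdiv((int) $bits, 8);                 // whole bytes covered by the prefix
    $mask  = (0xFF << (8 - (int) $bits % 8)) & 0xFF; // leftover high bits, 0 if none
    return strncmp($ipBin, $netBin, $bytes) === 0
        && ($mask === 0 || (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask));
}

// Trust CF-Connecting-IP only when the TCP peer is a Cloudflare edge address.
function client_ip(array $server, array $cloudflareRanges): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $fwd  = filter_var($server['HTTP_CF_CONNECTING_IP'] ?? '', FILTER_VALIDATE_IP);
    foreach ($cloudflareRanges as $cidr) {
        if ($fwd !== false && ip_in_cidr($peer, $cidr)) {
            return $fwd;
        }
    }
    return $peer; // direct connection: the header is client-controlled, ignore it
}

// Hosting/cloud ranges get a CAPTCHA on login instead of an outright block.
function login_policy(string $ip, array $hostingRanges): string
{
    foreach (array_keys($hostingRanges) as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return 'captcha';
        }
    }
    return 'allow';
}

// Constructed placeholders (documentation ranges and ASNs), not real lists.
$cloudflareRanges = ['198.51.100.0/24'];
$hostingRanges    = ['203.0.113.0/24' => 'AS64496', '2001:db8::/32' => 'AS64497'];
$requests = [ // first arrives through the proxy range, second connects directly with a forged header
    ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_CF_CONNECTING_IP' => '192.0.2.10'],
    ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_CF_CONNECTING_IP' => '192.0.2.10'],
];
foreach ($requests as $server) {
    $ip = client_ip($server, $cloudflareRanges);
    echo $ip, ' => ', login_policy($ip, $hostingRanges), PHP_EOL;
}
```

In a live page, pass `$_SERVER` to `client_ip()` and cache both range lists locally so the login path never waits on a remote lookup.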

To detect proxy users in a LAMP setup, try using a service that maintains an updated list of proxy IPs to filter out malicious traffic. Cloudflare may help, but ensure it doesn’t block legitimate users.

Heavy brute-force hacking attempts. They rotate IPs pretty much every page load and have been hitting my server with half a dozen login attempts every second, combined with SQL injection attempts all over the place. I don’t think they are getting anywhere, but I’d like to be safe because the site deals with non-refundable monetary transactions.

Thanks. My thought was to show captcha to users on proxy, rather than deny them outright. I tried messaging about the API you use, but kept getting errors, so I’m not sure if it went through.

Thanks for the detailed reply. It’s definitely not ambient noise. This happens every few months where someone tries targeting the site, and I can watch their attempts in real time. Even though the IPs rotate, I can see the progression of what they are trying. I also get what you are describing, lots of crawls for common vulnerabilities, but I’m not very worried about those.

I think I’m in pretty good shape for SQL and general vulnerabilities (you can never be 100% sure, though, and so I still get a little nervous), but I wouldn’t put it past my clients to use insecure passwords or to have their password leaked.

I actually used Cloudflare’s “I’m under attack” mode last time this happened, and it had a pretty good effect.

Thanks!