Enable Autoban to apply ban rules to limited window of log entries

Created on 7 October 2022, about 2 years ago
Updated 29 January 2023, almost 2 years ago

Problem/Motivation

Although Autoban integrates with Advban, and Advban enables expiry of banned IPs, this may not work as expected. On every cron run, Autoban just bans the IP again. This occurs because the dblog entries that cause the ban may persist for some time - months perhaps depending on how many entries the dblog is configured to store and how often entries are added.

For example, take this scenario:

  • Advban IP bans are set to expire after 24 hours
  • Dblog is configured to store 10,000 entries
  • Typically 100 entries are added to the dblog every 24 hours
  • Autoban bans an IP based on the most recent 100 log entries that occurred in the last 24 hours
  • The banned IP then expires after 24 hours
  • Autoban's cron bans the IP address again because the log entries that lead to the initial ban persist in the dblog
  • Autoban repeatedly bans the IP for up to 99-100 days because that is how long the offending log entries persist in the dblog

So even though we are using Advban to ensure IPs are not permanently banned (as they may be dynamic IPs re-assigned to innocent users), and we set bans to expire after 24 hours, Autoban will continually re-ban the IP potentially for a much longer period depending on how long log entries causing the ban persist in the dblog.

Proposed resolution

A potential solution is to make Autoban rules configurable so that they are only applied to a limited time window of log entries.

Taking the example above where an IP is banned and the ban expires after 24 hours, if Autoban rules are configured to only look at the most recent log entries occurring in the last 24 hours, then the IP will not be re-banned after the ban has expired (assuming the IP has stopped generating log entries that caused the IP ban in the first place).

User interface changes

  1. Add additional select drop-down "Window" to autoban rules that allows users to select a time window for log entries that the rule should run against. This should typically be equal to or less than the expiry period for Advban IP bans.
  2. Enable available windows to be configurable in Autoban settings in same way thresholds are configurable.
  3. Enable setting of a default window for automatically generated Autoban rules (when adding rules in bulk on the Log Analyze page) in Autoban settings

Patch for 8.x-1.7 version to follow ...

Feature request
Status

Fixed

Version

1.7

Component

Code

Created by

🇬🇧United Kingdom glugmeister

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024