How to use wildcard for IPs?

Created on 19 January 2024, 11 months ago
Updated 23 January 2024, 11 months ago

Problem/Motivation

I am using Advban and Autoban (core ban disabled).
I have a whole lot of Page Not Found logs that show an IP address within the link. They are very random.
Examples:

/tags/category/47.128.50.2
/store/albums/47.128.55.225
/user/47.128.17.27
/7.154.16.81
/pdsdf/sdew/68.45.25.168

They are very random broken links, all end with an IP address (but it is not the IP address that tried it).
Example: pagenotfound with message "/store/albums/47.128.55.225" comes from IP 47.128.120.169.
Clearly, it seems like the IPs that try this should be banned.

However, I do not know how the wildcards work enough for me to create a rule that will detect any IP inside of a Message to be the trigger to ban that IP.

In my autoban settings I have "Use wildcards" checked.

So if I create a new rule, Type: page not found, Referrer: empty, Window: none, UserType: any, Provider: Advanced Ban
What would the message be then to trigger any pagenotfound that has an IP address within the message?
I tried this but it does not work: %/%.%.%.%/%

Can anyone clarify exactly how the wildcard works in order to make this trigger and block all these?

Thank you.

πŸ’¬ Support request
Status

Active

Version

1.9

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States jsidigital

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @jsidigital
  • πŸ‡ΊπŸ‡¦Ukraine goodboy Kharkiv, Ukraine

    Hi, Juan Carlos!
    The Autoban uses SQL Like syntax on its queries,
    Using * denotes one of 3 options:

    • begin with (foo%)
    • ends with (%foo)
    • contains inside (%foo%)

    The Autoban query uses message and variables fields, I have changed dev version of Autoban and now you can see the variables field values at the Log analyze page. I think you need to use REGEXP mode for Autoban module instead of LIKE with wildcards for your case. You can try to create SQL query using REGEXP by mysql/phpmyadmin and then to create an Autoban rule.

  • πŸ‡ΊπŸ‡ΈUnited States jsidigital

    Thank you for the reply @goodboy

    Not sure if I follow...

    So basically I set my settings to use REGEXP, then use this?
    foo%/%foo%.%foo%.%foo%.%foo%

    This would cover any link that ends in an IP address?

  • πŸ‡ΊπŸ‡¦Ukraine goodboy Kharkiv, Ukraine

    I don't think this template (foo%/%foo%.%foo%.%foo%.%foo%) will work, need to create new one with regexp syntax.

Production build 0.71.5 2024