BotBlocker, the result of years of frustration.

iworx (Verified User, joined Nov 21, 2006, 117 messages, location: Belgium)
For the past few years I've been fed up with these bots hammering almost all of the websites on a single IP at the same time, looking for the regular database dumps, .env files, weaknesses, etc. Most of the time these result in a 10 to 20 minute spike of load for absolutely no good reason at all. Since the prices for all services are rapidly rising due to the RAM shortages, I wanted to be as energy efficient as possible. Every time I got the 'high CPU use' alert from my machines, I logged in, looked at htop for the reason for the peak usage, determined all sites were active, tailed a log to see the IP of the culprit and banned it. CPU load down, back to my restful self.

Since I've been using Claude Code for a few PHP projects, I assumed I could ask it to find a solution for this too. We iterated over a few possible implementations and the result is BotBlocker. I've pushed it to GitHub for the world to try.

Have a look, try it if you like (no warranties), give feedback, provide suggestions.
It's running on a few of my servers now and I'm anxiously awaiting those spikes.
This is probably far from perfect in this iteration, but I have to start somewhere.

https://github.com/cloudz/botblocker
 
This all sounds familiar to me. In my case, it goes so far that Apache crashes because thousands of requests come in from AWS or MS. Since your product is AI code, I'm hesitant to run it on production machines, but I'll probably test it on a dev node. Thanks for sharing.
 
If you're using nginx, just use the rate-limit feature. It blocks for a short time.

If you want to block permanently when the rate limit triggers, just parse the logs from the rate-limit feature and block the IP.

So.... it's simpler and easier than using your script.
 
This all sounds familiar to me. In my case, it goes so far that Apache crashes because thousands of requests come in from AWS or MS. Since your product is AI code, I'm hesitant to run it on production machines, but I'll probably test it on a dev node. Thanks for sharing.
Totally understandable. That's the reason why I had it create the full write-up too so if you would like to go at it yourself, you could borrow from that logic. It's all new to me too :)
 
If you're using nginx, just use the rate-limit feature. It blocks for a short time.

If you want to block permanently when the rate limit triggers, just parse the logs from the rate-limit feature and block the IP.

So.... it's simpler and easier than using your script.
Doing it manually was always an option. The rate limit doesn't help much if, for instance, a WordPress site needs to be fully loaded for a 404. Then 5 requests/s can do as much damage as 50 people visiting a well-cached, CDN-accelerated version. But I get your idea... might look at expanding that too.

And finding those culprits with multiple IPs is always a drama. Let's see what the tool does and if it is usable.
 
[1.2.0] Released, now has an update script, added whitelists, better checking of logs.
And it seems to work :)

 
Unfortunately, I don't have a DA test server at hand that is under attack.


Three suggestions:
1. Why not automatically add the IP of the active shell to the whitelist during installation?
2. A whitelist based on ASN would be very nice.
3. It would be wonderful if this feature also ran on CP servers.

Regarding point 3: 80% of our servers still run on this, and we experience thousands of these attacks per hour.
 
I'm just wondering: I see honeypot hit lines for, for example, /wp-content/uploads, but aren't certain things served via the /includes and /uploads directories when normally visiting WordPress sites?
Or is that another technique that is scanned for?

Unfortunately I don't have a test server, but it looks very nice!
 
Unfortunately, I don't have a DA test server at hand that is under attack.


Three suggestions:
1. Why not automatically add the IP of the active shell to the whitelist during installation?
2. A whitelist based on ASN would be very nice.
3. It would be wonderful if this feature also ran on CP servers.

Regarding point 3: 80% of our servers still run on this, and we experience thousands of these attacks per hour.
I only have DA servers so I wouldn't be able to test this.
1) I agree. Will take this into account for future development.
2) That is notoriously difficult I think. Is that possible in CSF?
3) See above :(

I must say, it's remarkably quiet on mine now ... :D
 
I'm just wondering: I see honeypot hit lines for, for example, /wp-content/uploads, but aren't certain things served via the /includes and /uploads directories when normally visiting WordPress sites?
Or is that another technique that is scanned for?

Unfortunately I don't have a test server, but it looks very nice!
It checks for 403 + 404 on the uploads + frequency of hits. Have a look at the doc; it's pretty well explained how the weighing and thresholds work. Again, far from finished or polished enough, but for my use case it's well underway to achieving -greatness- :D
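Both the "parse the logs and block permanently" approach suggested earlier in the thread and the 403/404-plus-frequency weighing described here boil down to scoring IPs from a web-server access log. The following is an added illustration, not BotBlocker's own code: the probe patterns, weights, thresholds and sample log lines are all assumed or constructed, and the real weighing table lives in the project's documentation, not here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in nginx/Apache "combined" format, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2026:08:49:01 +0100] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [02/Mar/2026:08:49:01 +0100] "GET /backup.sql HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [02/Mar/2026:08:49:02 +0100] "GET /wp-content/uploads/x.php HTTP/1.1" 403 162 "-" "python-requests/2.31"
203.0.113.7 - - [02/Mar/2026:08:49:02 +0100] "GET /db.sql.gz HTTP/1.1" 404 162 "-" "python-requests/2.31"
198.51.100.4 - - [02/Mar/2026:08:49:05 +0100] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Mar/2026:08:49:05 +0100] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Assumed weights and thresholds: illustrative, not BotBlocker's actual table.
PROBE_PATTERNS = [(re.compile(r'/\.env$'), 5),                        # secrets file
                  (re.compile(r'\.sql(\.gz|\.zip)?$'), 5),            # database dumps
                  (re.compile(r'^/wp-content/uploads/.*\.php$'), 4)]  # PHP in uploads
ERROR_WEIGHT = {403: 2, 404: 1}   # a 200 on /wp-content/uploads/*.png adds nothing
BURST_WINDOW_S, BURST_LIMIT, BURST_WEIGHT = 10, 3, 3
BLOCK_THRESHOLD = 10

def score_ips(log_text):
    """Return {ip: score}. Only error responses and request bursts add weight."""
    scores, seen = defaultdict(int), defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # skip lines that are not in combined format
        ip, path, status = m['ip'], m['path'], int(m['status'])
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        if status in ERROR_WEIGHT:
            w = ERROR_WEIGHT[status]
            for pat, bonus in PROBE_PATTERNS:
                if pat.search(path):
                    w += bonus
                    break
            scores[ip] += w
        seen[ip].append(ts)
        # frequency component: more than BURST_LIMIT hits within the window
        if sum((ts - t).total_seconds() <= BURST_WINDOW_S for t in seen[ip]) > BURST_LIMIT:
            scores[ip] += BURST_WEIGHT
    return dict(scores)

def ips_to_block(log_text):
    """IPs whose weighted score crosses the threshold; hand these to CSF or ipset."""
    return sorted(ip for ip, s in score_ips(log_text).items() if s >= BLOCK_THRESHOLD)
```

The normal visitor who fetches an image from /wp-content/uploads with a 200 and then misses favicon.ico scores 1, while the scanner hitting .env, dump files and a PHP file under uploads in a burst crosses the threshold.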
 