Collectiveaccess provides a tool, available in Pawtucket, called the 'Ban Hammer' to automatically block IPs based on provided settings.
Note that while only Pawtucket implements automatic blocking, caUtils
in Providence can be used to clear bans as they share the database.
In built commands
./support/bin/caUtils help |grep -C2 ban
Bans
clear-bans Clear all bans.
clear-whitelist Clear all whitelist entries.
These lists can be cleared via CLI but NOT queried. Inspecting ban/whitelist requires direct database querying.
In future it might also be possible to query bans from caUtils but that functionality is not currently available.
Querying the database
Select an appropriate database
mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 239654
Server version: 10.6.18-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
MariaDB [(none)]> use collectiveaccess;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
Counting banned addresses
MariaDB [collectiveaccess]> select count(*) from ca_ip_bans;
+----------+
| count(*) |
+----------+
| 1072 |
+----------+
1 row in set (0.001 sec)
Checking an IP address
MariaDB [collectiveaccess]> select * from ca_ip_bans where ip_addr = "10.10.20.20";
+--------+-----------+------------+------------+---------------+
| ban_id | reason | created_on | expires_on | ip_addr |
+--------+-----------+------------+------------+---------------+
| 7208 | UserAgent | 1719640380 | 1719726780 | 10.10.20.20 |
+--------+-----------+------------+------------+---------------+
1 row in set (0.001 sec)
Finding why things are banned
MariaDB [collectiveaccess]> select unique(reason) from ca_ip_bans ;
+-----------+
| reason |
+-----------+
| UserAgent |
+-----------+
1 row in set (0.001 sec)
MariaDB [collectiveaccess]> select reason from ca_ip_whitelist;
Empty set (0.000 sec)
Configuring ban hammer
Add ban_hammer.conf
to an appropriate location so its included in the configuration search path (eg local config or a theme configuration).
Here we open the standard configuration (left) and custom (right) to compare settings
vi ./pawtucket/app/conf/ban_hammer.conf ./pawtucket/themes/custom/conf/ban_hammer.conf -O
CA supports IPs as strings or with globbing, user agents are matched with PHP preg_match so can be regexes.
ip_whitelist = [
10.10.20.20,
]
plugins.UserAgent = {
banned_useragents = [
"xMozilla/5.0",
"Amazonbot",
"Bytespider",
"facebookexternalhit.*facebook.com"
]
}
Its best to whitelist static IPs rather than dynamic, and be aware that user agents might not be as clean cut as you imagine - see this stack exchange discussion. Basically assume (and you already knew this) that all user agent strings are lies.
Removing a single ban
This has to be done within the database, there is no CLI option yet.
MariaDB [collectiveaccess]> DELETE FROM ca_ip_bans WHERE ip_addr='192.168.100.4';
Query OK, 1 row affected (0.001 sec)
Removing all bans
This can be done from the CLI.
providence# ./support/bin/caUtils clear-bans
CollectiveAccess 2.0 (197/GIT) Utilities
(c) 2013-2023 Whirl-i-Gig
Removed 7 bans