Automatic IP ban (Autoban)

Automates IP address banning by analyzing watchdog log entries against configurable rules and integrating with IP ban providers.

autoban
10,232 sites
69
drupal.org

Installation

Drupal 11, 10, 9 v8.x-1.12
composer require 'drupal/autoban:8.x-1.12'
Drupal 8 v8.x-1.9
composer require 'drupal/autoban:8.x-1.9'

Overview

The Autoban module provides the ability to automatically ban IP addresses based on patterns detected in Drupal's database log (watchdog) table. Site administrators create rules that match log entry types and message patterns to identify suspicious activity, and IP addresses that exceed a specified violation-count threshold are banned automatically.

The module queries the watchdog table at cron time or on demand and identifies IP addresses that match the defined patterns, such as repeated "page not found" errors or access denied events. When an IP address exceeds the configured threshold within the specified time window, it is automatically added to the ban list using the configured ban provider.

Autoban supports multiple ban providers through a submodule architecture, allowing integration with Drupal core's Ban module and third-party solutions such as Advanced Ban. The module includes log entry analysis, bulk rule creation, IP whitelisting (including CIDR notation and domain-based exclusions), and both manual and automatic rule management.

Features

  • Create and manage IP ban rules based on watchdog log entry types and message patterns
  • Automatic IP banning at cron time with configurable thresholds and time windows
  • Log analysis tool that identifies suspicious patterns and enables bulk rule creation
  • Support for LIKE and REGEXP query modes for flexible pattern matching
  • IP whitelist supporting CIDR notation, single IP addresses, and domain-based exclusions
  • Multiple ban provider support through a pluggable architecture (Core Ban, Advanced Ban)
  • User type filtering targeting anonymous users, authenticated users, or both (with a strict mode option)
  • URL referrer pattern matching for additional filtering precision
  • Configurable rule time windows (1 hour, 1 day, 1 week, etc.)
  • Force mode for immediate IP banning on 404/403 errors
  • Debug mode for troubleshooting rule queries
  • Drush command support for IP ban operations from the command line
  • Enhanced dblog overview page with direct ban links for each IP address
  • Batch processing of IP bans across all rules
  • Clone function to duplicate existing rules

Use Cases

Blocking brute force login attempts

Create a rule with type 'user' and message pattern matching failed login messages. Set a low threshold (e.g., 5) and a short window (e.g., '1 hour ago') to quickly identify and ban IPs attempting brute force attacks on user accounts.

Blocking vulnerability scanners

Create a rule with type 'page not found' to identify IPs repeatedly requesting non-existent paths often targeted by vulnerability scanners (e.g., wp-admin, phpmyadmin). A threshold of 10-20 within an hour can effectively block automated scanners.

Protecting against spam bots

Use the analyze page to identify patterns of spam-related log entries (e.g., repeated form submissions, specific referrer patterns). Create rules targeting these patterns to automatically ban spam bot IPs.

Emergency IP blocking

Enable force mode in settings for immediate blocking of IPs triggering 404 or 403 errors. Useful during active attacks but should be used cautiously as it may affect legitimate users.

Whitelisting search engine bots

Add trusted bot domains to the whitelist (e.g., 'googlebot.com', 'bingbot.com') or IP ranges in CIDR notation to prevent accidentally banning legitimate crawlers that may trigger 404s.

Automated rule creation from log analysis

Use the analyze page to review log patterns, select suspicious entries, and bulk create rules. The module automatically generates unique rule IDs and applies default settings.

IP range blocking for persistent attackers

When using the Advanced Ban provider with range support, ban entire IP ranges for attackers using multiple IPs from the same subnet. The module converts single IPs to /24 ranges automatically.
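The rule logic described in the use cases above (log type plus message pattern in LIKE or REGEXP mode, threshold, time window, user type filter, IP/CIDR whitelist, and the /24 range conversion), reproduced as an added Python example that is not the module's own code. It assumes Drupal's watchdog column names (uid, type, message, hostname, timestamp), expresses the window in seconds rather than the module's relative strings such as '1 hour ago', and runs against an in-memory SQLite table with a REGEXP function registered, whereas the module queries Drupal's own database.

```python
import ipaddress
import re
import sqlite3

NOW = 1_700_000_000  # fixed "current time" so the example is deterministic
# Constructed watchdog rows (uid, type, message, hostname, timestamp); column names are Drupal's, data is made up.
ROWS = [
    (0, "page not found", "/wp-admin", "203.0.113.10", NOW - 60),
    (0, "page not found", "/wp-login.php", "203.0.113.10", NOW - 120),
    (0, "page not found", "/phpmyadmin", "203.0.113.10", NOW - 180),
    (0, "page not found", "/phpmyadmin/index.php", "203.0.113.10", NOW - 90000),  # > 1 day old
    (0, "page not found", "/wp-admin", "198.51.100.7", NOW - 30),
    (0, "page not found", "/wp-admin", "198.51.100.7", NOW - 40),
    (0, "page not found", "/wp-admin", "198.51.100.7", NOW - 50),
    (5, "page not found", "/wp-admin", "192.0.2.44", NOW - 20),  # authenticated user
    (5, "page not found", "/wp-admin", "192.0.2.44", NOW - 25),
    (5, "page not found", "/wp-admin", "192.0.2.44", NOW - 26),
]
USER_TYPE_SQL = {"anonymous": " AND uid = 0", "authenticated": " AND uid > 0", "both": ""}

def build_db():
    db = sqlite3.connect(":memory:")
    # SQLite has no built-in REGEXP; MySQL/MariaDB do, which is what the REGEXP query mode relies on.
    db.create_function("REGEXP", 2, lambda pat, s: 1 if re.search(pat, s or "") else 0)
    db.execute("CREATE TABLE watchdog (wid INTEGER PRIMARY KEY, uid INTEGER, type TEXT, "
               "message TEXT, hostname TEXT, timestamp INTEGER)")
    db.executemany("INSERT INTO watchdog (uid, type, message, hostname, timestamp) "
                   "VALUES (?, ?, ?, ?, ?)", ROWS)
    return db

def matching_ips(db, rule, now=NOW):
    """Hostnames whose rule-matching entries inside the window reach the threshold."""
    op = "REGEXP" if rule["mode"] == "regexp" else "LIKE"
    sql = ("SELECT hostname, COUNT(*) FROM watchdog WHERE type = ? AND message " + op +
           " ? AND timestamp >= ?" + USER_TYPE_SQL[rule["user_type"]] +
           " GROUP BY hostname HAVING COUNT(*) >= ? ORDER BY hostname")
    args = (rule["type"], rule["pattern"], now - rule["window_seconds"], rule["threshold"])
    return {host: n for host, n in db.execute(sql, args)}

def is_whitelisted(ip, whitelist):
    """Whitelist entries are single IPs or CIDR blocks; domain-based entries are not modelled."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in whitelist)

def ips_to_ban(db, rule, whitelist, now=NOW):
    return sorted(ip for ip in matching_ips(db, rule, now) if not is_whitelisted(ip, whitelist))

def to_range24(ip):
    """Mirror the Advanced Ban range option: collapse a single IPv4 address to its /24."""
    return str(ipaddress.ip_network(ip + "/24", strict=False))
```

Running the LIKE rule with pattern `%wp-%` against the sample rows shows why the threshold and the anonymous/authenticated filter matter: the scanner at 203.0.113.10 only reaches the threshold once the REGEXP pattern also covers `phpmyadmin`, and 192.0.2.44 only appears when the user type is 'both'.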

Tips

  • Always test rules using the Test operation before relying on automatic cron banning to avoid blocking legitimate traffic
  • Use the analyze page regularly to identify new attack patterns and create appropriate rules
  • Keep the whitelist updated with legitimate bot domains and trusted IP ranges
  • Consider using shorter time windows with Advanced Ban's expiry feature so bans automatically lift after a period
  • Use the REGEXP query mode for complex pattern matching, but ensure your database supports it
  • Clone existing rules when creating similar rules to save time
  • Periodically review and clean up automatic rules using the Delete All page with the 'Automatic' rule type filter

Technical Details

Admin Pages 10
Autoban rules list /admin/config/people/autoban

Main administration page displaying all configured autoban rules in a table format. Each rule shows its ID, type, message pattern, referrer pattern, threshold, time window, user type, and ban provider. Operations available for each rule include Edit, Delete, Test (preview matching IPs), Ban (execute banning for this rule), and Clone (create a copy of the rule).

Add autoban rule /admin/config/people/autoban/add/{rule}

Form for creating a new autoban rule. All fields define the criteria for identifying IP addresses to ban based on watchdog log entries.

Edit autoban rule /admin/config/people/autoban/manage/{autoban}

Form for modifying an existing autoban rule. Same fields as the add form but pre-populated with the current rule values.

Delete autoban rule /admin/config/people/autoban/manage/{autoban}/delete

Confirmation form for deleting an autoban rule. Displays a warning message asking for confirmation before permanently removing the rule.

Retrieve IP addresses for autoban rule /admin/config/people/autoban/manage/{rule}/test

Test page that displays IP addresses that would be banned by a specific rule without actually banning them. Shows a table with the count of matching log entries per IP address and the current ban status. Useful for validating rules before enabling them.

IP address bans /admin/config/people/autoban/ban/{rule}

Confirmation and execution page for banning IP addresses. When accessed without a rule parameter, bans IPs for all rules using batch processing. When accessed with a specific rule, bans IPs matching only that rule.

Log analyze /admin/config/people/autoban/analyze

Analysis page that queries the watchdog table to find patterns of repeated log entries that may indicate malicious activity. Displays entries grouped by type and message with their occurrence count. Entries exceeding the analysis threshold are shown with options to create rules or test them.

Delete All /admin/config/people/autoban/delete_all

Bulk deletion form for removing multiple autoban rules based on filter criteria. Allows filtering by rule type, log type, message pattern, referrer pattern, threshold, window, user type, and provider.

Autoban settings /admin/config/people/autoban/settings

Global configuration page for the Autoban module. Controls threshold options, time windows, query behavior, whitelist, excluded log types, and operational modes.

Recent log messages (Enhanced) /admin/reports/dblog

When the Autoban Dblog submodule is enabled, this page is enhanced to show direct ban links for each IP address in the log. The Operations column includes links to ban the IP using each available ban provider.

Permissions 1
Administer autoban

Create, edit, delete, and test autoban rules. Required for all administrative operations on the module.

Hooks 2
hook_cron

Processes all autoban rules during cron execution. Iterates through all rules, retrieves matching IP addresses, and bans them using the configured provider.

hook_help

Provides help text for the module and its submodules on the help pages.

Drush Commands 1
drush autoban:ban

Execute IP banning for autoban rules. Can process a single rule or all rules.

Troubleshooting 5
Rules not matching expected log entries

Enable debug mode in settings to see the generated SQL queries. Check that the log type matches exactly (case-sensitive) and that message patterns account for the query mode (LIKE vs REGEXP). Remember that non-English log messages need patterns in the original language stored in the database.

No IP addresses being banned during cron

Verify that 'Enable cron' is checked in settings. Ensure at least one ban provider submodule is enabled. Check that rules have appropriate thresholds and windows that match current log entries.

Legitimate users being banned

Add legitimate IP addresses or domains to the whitelist. Consider increasing thresholds or narrowing time windows. Use strict user type options to avoid banning authenticated users.

Ban providers list is empty

Enable at least one Autoban provider submodule (Autoban Core Ban Provider or Autoban Advanced Ban Provider). Ensure the corresponding ban module (Ban or Advanced Ban) is installed and enabled.

Force mode banning too aggressively

Force mode bans IPs on every 404/403 error immediately. This is intended for emergency situations only. Disable it for normal operation and rely on rule-based banning with appropriate thresholds.

Security Notes 5
  • Never whitelist IP addresses without verification - attackers can spoof referrer information
  • Force mode should only be used during active attacks as it may affect legitimate users experiencing 404 errors
  • Regularly review banned IP lists to identify false positives
  • Keep the dblog table from growing too large as it affects query performance for rule processing
  • Consider the privacy implications of logging and storing IP addresses in compliance with regulations like GDPR