Automatic IP ban (Autoban)

Automates IP address banning by analyzing watchdog log entries against configurable rules and integrating with IP ban providers.

autoban
10,232 sites
69
drupal.org

Install

Drupal 11, 10, 9 v8.x-1.12
composer require 'drupal/autoban:8.x-1.12'
Drupal 8 v8.x-1.9
composer require 'drupal/autoban:8.x-1.9'

Overview

Autoban module provides automated IP address banning based on patterns found in the Drupal database log (watchdog) table. Site administrators can create rules that identify suspicious activity by matching log entry types and message patterns, then automatically ban IP addresses that exceed a specified threshold of violations.

The module works by querying the watchdog table during cron runs or on-demand, identifying IP addresses that match defined patterns such as repeated "page not found" errors or access denied events. When an IP address exceeds the configured threshold within a specified time window, it is automatically added to the ban list using the configured ban provider.

Autoban supports multiple ban providers through its submodule architecture, allowing integration with Drupal core's Ban module or third-party solutions like Advanced Ban. The module includes features for analyzing log entries, bulk rule creation, IP whitelisting (including CIDR notation and domain-based exemptions), and both manual and automatic rule management.

Features

  • Create and manage IP banning rules based on watchdog log entry types and message patterns
  • Automatic IP banning during cron execution with configurable thresholds and time windows
  • Log analysis tool that identifies suspicious patterns and enables bulk rule creation
  • Support for LIKE and REGEXP query modes for flexible pattern matching
  • IP whitelist support with CIDR notation, single IP addresses, and domain-based exemptions
  • Multiple ban provider support through pluggable architecture (Core Ban, Advanced Ban)
  • User type filtering to target anonymous users, authenticated users, or both (with strict mode options)
  • URL referrer pattern matching for additional filtering precision
  • Time window configuration for rules (1 hour, 1 day, 1 week, etc.)
  • Force mode for immediate IP banning on 404/403 errors
  • Debug mode for troubleshooting rule queries
  • Drush command support for command-line IP banning operations
  • Enhanced dblog overview page with direct ban links per IP address
  • Batch processing for banning IPs across all rules
  • Clone functionality for duplicating existing rules

Use Cases

Blocking brute force login attempts

Create a rule with type 'user' and a message pattern such as 'Login attempt failed', which matches the messages Drupal core logs for failed logins ("Login attempt failed for %user." and "Login attempt failed from %ip."). Set a low threshold (e.g., 5) and a short window (e.g., '1 hour ago') so that IPs brute-forcing user accounts are banned quickly, but keep the threshold above what a legitimate user who mistypes a password a few times would produce.

Blocking vulnerability scanners

Create a rule with type 'page not found' to identify IPs repeatedly requesting non-existent paths often targeted by vulnerability scanners (e.g., wp-admin, phpmyadmin). A threshold of 10-20 within an hour can effectively block automated scanners.

Protecting against spam bots

Use the analyze page to identify patterns of spam-related log entries (e.g., repeated form submissions, specific referrer patterns). Create rules targeting these patterns to automatically ban spam bot IPs.

Emergency IP blocking

Enable force mode in settings for immediate blocking of IPs triggering 404 or 403 errors. Useful during active attacks but should be used cautiously as it may affect legitimate users.

Whitelisting search engine bots

Add trusted bot domains to the whitelist (e.g., 'googlebot.com', 'bingbot.com') or IP ranges in CIDR notation to prevent accidentally banning legitimate crawlers that may trigger 404s. A domain entry can only be matched through the reverse DNS name of the requesting IP, and that name is set by whoever controls the address block; where the crawler operator publishes its address ranges (Google and Microsoft both do), CIDR entries are the more robust choice.

Automated rule creation from log analysis

Use the analyze page to review log patterns, select suspicious entries, and bulk create rules. The module automatically generates unique rule IDs and applies default settings.

IP range blocking for persistent attackers

When using the Advanced Ban provider with range support, ban entire IP ranges for attackers using multiple IPs from the same subnet. The module converts single IPs to /24 ranges automatically. A /24 is 256 addresses, so on shared hosting, mobile carriers or corporate NAT a range ban also blocks unrelated users; check who owns the range (e.g., with whois) before relying on it.
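The matching logic behind the use cases above (and the cron query described in the Overview), as an added example that is not Autoban's own code: it creates an in-memory SQLite table with the watchdog columns, fills it with constructed log rows, and evaluates three constructed rules (the brute-force and scanner rules from the use cases plus a REGEXP variant) against an IP/CIDR whitelist. Rules as plain dicts, the rule and whitelist names, the `_serialized` helper and the choice to test patterns against both the message and variables columns are this example's assumptions, not the module's documented behaviour.

```python
"""Rule evaluation over a Drupal watchdog table.

Added example, not Autoban's own code. It reproduces the mechanism the page
describes (type + message pattern + time window + threshold, LIKE or REGEXP,
IP/CIDR whitelist) against an in-memory SQLite copy of the watchdog schema.
Assumptions made here: rules are plain dicts; patterns are tested against both
the `message` column and the serialized `variables` column, because dblog stores
the untranslated format string in `message` and the substituted values in
`variables`; the whitelist is applied to the query result.
"""
import ipaddress
import re
import sqlite3

NOW = 1_700_000_000  # fixed "current time" so the constructed sample is deterministic
WINDOWS = {"1 hour ago": 3600, "1 day ago": 86400, "1 week ago": 7 * 86400}

SCAN_PATHS = ["/wp-admin", "/wp-login.php", "/phpmyadmin", "/.env", "/xmlrpc.php", "/admin.php",
              "/wp-admin/setup-config.php", "/phpMyAdmin/", "/.git/config", "/backup.zip",
              "/wp-content/", "/pma/"]


def _serialized(key, value):
    """Mimic the PHP-serialized `variables` column dblog writes for one placeholder."""
    return f'a:1:{{s:{len(key)}:"{key}";s:{len(value)}:"{value}";}}'


# Constructed sample rows: (type, message, variables, hostname, timestamp, uid)
SAMPLE_LOG = (
    # six failed logins from one IP in the last ten minutes: brute force
    [("user", "Login attempt failed for %user.", _serialized("%user", "admin"),
      "203.0.113.10", NOW - 60 * i, 0) for i in range(1, 7)]
    # three failed logins from another IP: below a threshold of 5
    + [("user", "Login attempt failed for %user.", _serialized("%user", "bob"),
        "203.0.113.11", NOW - 120 * i, 0) for i in range(1, 4)]
    # twelve 404s for typical scanner paths from one IP
    + [("page not found", "@uri", _serialized("@uri", p), "198.51.100.7", NOW - 30 * i, 0)
       for i, p in enumerate(SCAN_PATHS, 1)]
    # a crawler in a whitelisted range hitting a removed page thirty times
    + [("page not found", "@uri", _serialized("@uri", "/old-page"), "192.0.2.33", NOW - 10 * i, 0)
       for i in range(1, 31)]
    # nine failed logins three days old: outside a one-hour window
    + [("user", "Login attempt failed for %user.", _serialized("%user", "admin"),
        "203.0.113.12", NOW - 3 * 86400 - i, 0) for i in range(1, 10)]
)


def _regexp(pattern, value):
    """SQLite has no REGEXP of its own; `x REGEXP y` calls regexp(y, x)."""
    return int(value is not None and re.search(pattern, value) is not None)


def build_watchdog(rows=SAMPLE_LOG):
    """In-memory table with the watchdog columns, loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("regexp", 2, _regexp)
    conn.execute("""CREATE TABLE watchdog (
        wid INTEGER PRIMARY KEY, uid INTEGER, type TEXT, message TEXT, variables TEXT,
        severity INTEGER, link TEXT, location TEXT, referer TEXT, hostname TEXT, timestamp INTEGER)""")
    conn.executemany("INSERT INTO watchdog (type, message, variables, hostname, timestamp, uid) "
                     "VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def is_whitelisted(ip, whitelist):
    """Single IPs or CIDR ranges; domain entries are skipped here (they need DNS)."""
    addr = ipaddress.ip_address(ip)
    for entry in whitelist:
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue
    return False


def candidate_ips(conn, rule, whitelist=(), now=NOW):
    """Return {hostname: hits} for IPs at or above the rule's threshold inside its window."""
    conditions = ["type = ?", "timestamp >= ?"]
    params = [rule["type"], now - WINDOWS[rule["window"]]]
    if rule.get("message"):
        # Only the operator is interpolated, from a fixed set; the pattern is a bound parameter.
        if rule.get("query_mode") == "regexp":
            op, pattern = "REGEXP", rule["message"]
        else:
            op, pattern = "LIKE", f"%{rule['message']}%"
        conditions.append(f"(message {op} ? OR variables {op} ?)")
        params += [pattern, pattern]
    if rule.get("user_type") == "anonymous":
        conditions.append("uid = 0")
    elif rule.get("user_type") == "authenticated":
        conditions.append("uid > 0")
    params.append(rule["threshold"])
    sql = ("SELECT hostname, COUNT(*) AS hits FROM watchdog WHERE " + " AND ".join(conditions)
           + " GROUP BY hostname HAVING COUNT(*) >= ? ORDER BY hits DESC")
    return {ip: hits for ip, hits in conn.execute(sql, params) if not is_whitelisted(ip, whitelist)}


# Constructed rules mirroring the use cases above
BRUTE_FORCE_RULE = {"type": "user", "message": "Login attempt failed", "query_mode": "like",
                    "threshold": 5, "window": "1 hour ago", "user_type": "anonymous"}
ANY_404_RULE = {"type": "page not found", "message": "", "threshold": 10, "window": "1 hour ago"}
PROBE_RULE = {"type": "page not found", "message": r"(?i)(wp-|phpmyadmin|\.env|xmlrpc|\.git)",
              "query_mode": "regexp", "threshold": 5, "window": "1 hour ago"}
WHITELIST = ["192.0.2.0/24", "203.0.113.200", "googlebot.com"]

if __name__ == "__main__":
    db = build_watchdog()
    for name, rule in [("brute force", BRUTE_FORCE_RULE), ("any 404", ANY_404_RULE), ("probes", PROBE_RULE)]:
        print(name, candidate_ips(db, rule, WHITELIST))
```

Running it prints the IPs each rule would ban: the brute-force rule catches only the IP with six recent failures, the plain 404 rule would catch the crawler too until the CIDR whitelist removes it, and the REGEXP rule narrows the scanner down to its probe paths. SQLite's REGEXP here is Python's re, whereas MySQL, MariaDB and PostgreSQL each have their own dialect and case-sensitivity rules, so confirm any REGEXP rule with the module's Test operation on the real database before enabling it.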

Tips

  • Always test rules using the Test operation before relying on automatic cron banning to avoid blocking legitimate traffic
  • Use the analyze page regularly to identify new attack patterns and create appropriate rules
  • Keep the whitelist updated with legitimate bot domains and trusted IP ranges
  • Use Advanced Ban's expiry feature so bans lift automatically after a period; a permanent ban of an address that is later reassigned (dynamic or carrier-grade NAT ranges) ends up blocking someone else
  • Use the REGEXP query mode for complex pattern matching, but remember that REGEXP syntax and case-sensitivity depend on the database backend, so confirm each pattern with the Test operation
  • Clone existing rules when creating similar rules to save time
  • Periodically review and clean up automatic rules using the Delete All page with the 'Automatic' rule type filter

Technical Details

Admin Pages
Autoban rules list /admin/config/people/autoban

Main administration page displaying all configured autoban rules in a table format. Each rule shows its ID, type, message pattern, referrer pattern, threshold, time window, user type, and ban provider. Operations available for each rule include Edit, Delete, Test (preview matching IPs), Ban (execute banning for this rule), and Clone (create a copy of the rule).

Add autoban rule /admin/config/people/autoban/add/{rule}

Form for creating a new autoban rule. All fields define the criteria for identifying IP addresses to ban based on watchdog log entries.

Edit autoban rule /admin/config/people/autoban/manage/{autoban}

Form for modifying an existing autoban rule. Same fields as the add form but pre-populated with the current rule values.

Delete autoban rule /admin/config/people/autoban/manage/{autoban}/delete

Confirmation form for deleting an autoban rule. Displays a warning message asking for confirmation before permanently removing the rule.

Retrieve IP addresses for autoban rule /admin/config/people/autoban/manage/{rule}/test

Test page that displays IP addresses that would be banned by a specific rule without actually banning them. Shows a table with the count of matching log entries per IP address and the current ban status. Useful for validating rules before enabling them.

IP address bans /admin/config/people/autoban/ban/{rule}

Confirmation and execution page for banning IP addresses. When accessed without a rule parameter, bans IPs for all rules using batch processing. When accessed with a specific rule, bans IPs matching only that rule.

Log analyze /admin/config/people/autoban/analyze

Analysis page that queries the watchdog table to find patterns of repeated log entries that may indicate malicious activity. Displays entries grouped by type and message with their occurrence count. Entries exceeding the analysis threshold are shown with options to create rules or test them.

Delete All /admin/config/people/autoban/delete_all

Bulk deletion form for removing multiple autoban rules based on filter criteria. Allows filtering by rule type, log type, message pattern, referrer pattern, threshold, window, user type, and provider.

Autoban settings /admin/config/people/autoban/settings

Global configuration page for the Autoban module. Controls threshold options, time windows, query behavior, whitelist, excluded log types, and operational modes.

Recent log messages (Enhanced) /admin/reports/dblog

When the Autoban Dblog submodule is enabled, this page is enhanced to show direct ban links for each IP address in the log. The Operations column includes links to ban the IP using each available ban provider.

Permissions
Administer autoban

Create, edit, delete, and test autoban rules. Required for all administrative operations on the module.

Hooks
hook_cron

Processes all autoban rules during cron execution. Iterates through all rules, retrieves matching IP addresses, and bans them using the configured provider.

hook_help

Provides help text for the module and its submodules on the help pages.

Drush Commands
drush autoban:ban

Execute IP banning for autoban rules. Can process a single rule or all rules.

Troubleshooting
Rules not matching expected log entries

Enable debug mode in settings to see the generated SQL queries. Check that the log type matches exactly (case-sensitive) and that message patterns account for the query mode (LIKE vs REGEXP). Remember that the watchdog message column stores the untranslated string the module logged, with placeholders such as %user or @uri left in place, while the substituted values live in the variables column; write patterns against what is actually stored rather than against the translated, rendered text shown on the Recent log messages page.

No IP addresses being banned during cron

Verify that 'Enable cron' is checked in settings. Ensure at least one ban provider submodule is enabled. Check that rules have appropriate thresholds and windows that match current log entries.

Legitimate users being banned

Add legitimate IP addresses or domains to the whitelist. Consider increasing thresholds or narrowing time windows. Use strict user type options to avoid banning authenticated users.

Ban providers list is empty

Enable at least one Autoban provider submodule (Autoban Core Ban Provider or Autoban Advanced Ban Provider). Ensure the corresponding ban module (Ban or Advanced Ban) is installed and enabled.

Force mode banning too aggressively

Force mode bans IPs on every 404/403 error immediately. This is intended for emergency situations only. Disable it for normal operation and rely on rule-based banning with appropriate thresholds.

Security Notes
  • Never whitelist IP addresses or domains without verification: the Referer header is attacker-controlled, and an IP's reverse DNS (PTR) name is set by whoever controls that address block, so a domain whitelist is trustworthy only if the name also resolves forward to the same IP
  • Force mode should only be used during active attacks as it may affect legitimate users experiencing 404 errors
  • Regularly review banned IP lists to identify false positives
  • Keep the dblog table from growing too large, as it slows the queries rule processing runs; the 'Database log messages to keep' setting at /admin/config/development/logging caps it on cron
  • If the site sits behind a reverse proxy, load balancer or CDN, configure Drupal's reverse_proxy and reverse_proxy_addresses settings in settings.php so the watchdog hostname column records the client address; otherwise every rule matches the proxy's IP, and banning it blocks all traffic
  • Consider the privacy implications of logging and storing IP addresses in compliance with regulations like GDPR
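The verification the first security note calls for, as an added example that is not Autoban's own code: a domain whitelist entry is honoured only when the requesting IP's reverse DNS name is under the trusted domain and that name resolves forward to the same IP (forward-confirmed reverse DNS), shown beside the PTR-only check it replaces. The lookup tables are constructed and the resolver functions are injected so the code runs offline; whether the module itself forward-confirms domain entries is not stated on this page, so treat this as the check to run before trusting a domain entry.

```python
"""Forward-confirmed reverse DNS (FCrDNS) for domain whitelist entries.

Added example, not Autoban's own code. CONSTRUCTED_PTR and CONSTRUCTED_A are
made-up lookup tables standing in for socket.gethostbyaddr and
socket.gethostbyname_ex so the example runs without network access.
"""
import socket

CONSTRUCTED_PTR = {
    "192.0.2.33": "crawl-192-0-2-33.googlebot.com",      # genuine: forward record agrees
    "198.51.100.7": "crawl-198-51-100-7.googlebot.com",  # PTR set by whoever controls the block
    "203.0.113.10": "host10.example.net",                # unrelated host
    "203.0.113.11": "cdn.evilgooglebot.com",             # lookalike, not a subdomain
}
CONSTRUCTED_A = {
    "crawl-192-0-2-33.googlebot.com": ["192.0.2.33"],
    "crawl-198-51-100-7.googlebot.com": ["203.0.113.99"],  # name exists but points elsewhere
    "host10.example.net": ["203.0.113.10"],
    "cdn.evilgooglebot.com": ["203.0.113.11"],
}


def fake_ptr(ip):
    """Stand-in for socket.gethostbyaddr(ip)[0]; raises like the real call on a miss."""
    try:
        return CONSTRUCTED_PTR[ip]
    except KeyError:
        raise socket.herror(1, "Unknown host") from None


def fake_forward(name):
    """Stand-in for socket.gethostbyname_ex(name)[2]; raises like the real call on a miss."""
    try:
        return CONSTRUCTED_A[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known") from None


def real_ptr(ip):
    """Live reverse lookup (not used by the offline demo)."""
    return socket.gethostbyaddr(ip)[0]


def real_forward(name):
    """Live forward lookup (not used by the offline demo)."""
    return socket.gethostbyname_ex(name)[2]


def host_under_domain(hostname, domain):
    """Suffix match on a label boundary: 'evilgooglebot.com' is not under 'googlebot.com'."""
    hostname = hostname.rstrip(".").lower()
    domain = domain.strip(".").lower()
    return hostname == domain or hostname.endswith("." + domain)


def ptr_only_match(ip, domains, ptr_lookup=fake_ptr):
    """The weak check: trusts the PTR name alone."""
    try:
        name = ptr_lookup(ip)
    except OSError:  # socket.herror is an OSError subclass
        return False
    return any(host_under_domain(name, d) for d in domains)


def fcrdns_match(ip, domains, ptr_lookup=fake_ptr, forward_lookup=fake_forward):
    """Whitelist only if the PTR name is under a trusted domain AND resolves back to ip."""
    try:
        name = ptr_lookup(ip)
    except OSError:
        return False
    if not any(host_under_domain(name, d) for d in domains):
        return False
    try:
        return ip in forward_lookup(name)
    except OSError:  # socket.gaierror is an OSError subclass
        return False


if __name__ == "__main__":
    for ip in CONSTRUCTED_PTR:
        print(ip, "ptr-only:", ptr_only_match(ip, ["googlebot.com"]),
              "fcrdns:", fcrdns_match(ip, ["googlebot.com"]))
```

For a live lookup pass real_ptr and real_forward, which wrap socket.gethostbyaddr and socket.gethostbyname_ex, and cache the results: a DNS round trip per log row is expensive during cron, and a resolver outage must fail closed (no whitelist match) rather than open.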