Managing a ban list for IP addresses manually can be anywhere from a chore to completely infeasible, depending on scale. A saner approach is to let a program automatically ban and unban IP addresses based on a set of criteria.

Gatekeeper provides a mechanism to automatically add the visitor IP addresses to a visitor group when a policy is triggered. This means that we can effectively use policies as our criteria for banning IP addresses. In addition, we can specify an expiration time after which the IP address will automatically be removed from the visitor group, which can be helpful given that ISPs will periodically rotate their customers' IP addresses.

In this guide, we'll see how to use these tools to create a set of policies that automatically ban visitors based on the following poor behavior patterns:

  • visiting too many times in a short time period
  • ignoring too many CAPTCHAs in a row

Setup

If you don't already have one, go ahead and create a blacklist policy and blacklisted IP addresses visitor group. We will use the blacklisted IP addresses visitor group to hold our list of IP addresses, and its corresponding policy to deny access.

Excessive visitors

This policy will automatically ban visitors who spam your site with requests. An excessive number of requests is indicative of a bot, and a poorly behaved one at that.

In the Response section, make sure to check the box to add visitor IP address to an existing visitor group, and select blacklisted IP addresses as the visitor group.

We'll set our limit at 100 visits in 2 minutes. Any robot that sends that many requests in that short a time is probably not a welcome visitor.

[Screenshot: policy named "too many visits!" that reads "When visitors in any visit any page(s) 100 times in 2 minutes then deny visit and add IP to blacklisted IP addresses permanently."]

[Screenshot: a bot visits 100 times in less than 2 minutes; on the 100th visit it is denied and its IP address is added to the blacklisted IP addresses visitor group.]

CAPTCHA ignorers

We'll set up this next policy to automatically ban visitors who ignore too many CAPTCHAs in a row. Ignoring lots of CAPTCHAs is also indicative of bot behavior, as many bots simply will not understand a CAPTCHA challenge, let alone know how to respond to it.

First, in the Action section, select "attempting a CAPTCHA" for what the visitor is doing. This configures our policy to count CAPTCHA-based actions instead of page visits. For the CAPTCHA status, select "ignored" CAPTCHAs.

As before, we'll add the visitor IP address to the blacklist when this policy triggers.

We'll cast a somewhat wider net this time, and ban any visitor who ignores 10 CAPTCHAs in 14 days.

[Screenshot: policy named "too many ignored CAPTCHAs!" that reads "When visitors in any attempts CAPTCHA without submitting a solution 10 times in 14 days then deny visit and add IP to blacklisted IP addresses permanently."]

[Screenshot: a bot ignores 10 CAPTCHAs in a row; on the 10th ignored CAPTCHA it is denied and its IP address is added to the blacklisted IP addresses visitor group.]

Setting an expiration

ISPs will sometimes rotate their clients' IP addresses. If you have banned an IP address and a rotation happens, whoever ends up with the banned IP address will be unable to access your site. You can make bans temporary by adding an expiration time when automatically adding IP addresses to a visitor group.

In the Response section of your policy, toggle "Add expiration" on and choose your expiration time.
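The two policies above and the expiration step, modelled as an added example (this is not Gatekeeper's code): a per-IP sliding-window counter that denies on the threshold-th event and adds the IP to a ban group with an optional expiry that lapses on its own. The thresholds and windows are the ones from this guide; the sample traffic, the IP addresses and the one-hour expiry on the visit policy are constructed.

```python
from collections import defaultdict, deque

class Policy:
    # Count one kind of event per IP in a sliding window of `window` seconds;
    # on the `threshold`-th event the request is denied and the IP is banned
    # for `expiry` seconds (None = permanently).
    def __init__(self, name, kind, threshold, window, expiry=None):
        self.name, self.kind, self.expiry = name, kind, expiry
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)  # ip -> timestamps of matching events
    def triggered(self, ip, kind, ts):
        if kind != self.kind:
            return False
        q = self.seen[ip]
        q.append(ts)
        while q[0] <= ts - self.window:  # evict events older than the window
            q.popleft()
        return len(q) >= self.threshold

class BanGroup:
    # The "blacklisted IP addresses" visitor group: ip -> expiry time (None = permanent)
    def __init__(self):
        self.entries = {}
    def add(self, ip, ts, expiry):
        self.entries[ip] = None if expiry is None else ts + expiry
    def contains(self, ip, ts):
        if ip not in self.entries:
            return False
        if self.entries[ip] is None or ts < self.entries[ip]:
            return True
        del self.entries[ip]  # ban has lapsed: removed automatically
        return False

def evaluate(events, policies, group):
    # events: (ts, ip, kind) tuples in time order -> one (decision, reason) each
    out = []
    for ts, ip, kind in events:
        if group.contains(ip, ts):
            out.append(("deny", "blacklist"))
            continue
        hit = next((p for p in policies if p.triggered(ip, kind, ts)), None)
        if hit:
            group.add(ip, ts, hit.expiry)
        out.append(("deny", hit.name) if hit else ("allow", None))
    return out

def demo():  # constructed traffic: a visit-spamming bot and a CAPTCHA ignorer
    policies = [Policy("too many visits!", "visit", 100, 120, expiry=3600),
                Policy("too many ignored CAPTCHAs!", "captcha_ignored", 10, 14 * 86400)]
    bot = [(i * 0.5, "203.0.113.7", "visit") for i in range(100)]  # 100 hits in 50 s
    bot += [(100.0, "203.0.113.7", "visit"), (3700.0, "203.0.113.7", "visit")]
    ignorer = [(d * 86400.0, "198.51.100.9", "captcha_ignored") for d in range(10)]
    return evaluate(sorted(bot + ignorer), policies, BanGroup())
```

In `demo()` the bot is denied on its 100th visit, denied again while the one-hour ban is live, and allowed once it has lapsed, while the CAPTCHA ignorer is banned permanently on its 10th ignored challenge.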

Using multiple policies, you could introduce more sophisticated configurations. For example, if an offending IP address belongs to an ISP, perhaps you would want to ban it for a shorter window of time. If, however, the offending IP address belongs to a data center, you might want to ban it for longer. For a more sophisticated example, see this tutorial on how to craft a policy to protect against password cracking.