Suspicious IP blocking implementation for website

Implementing suspicious IP blocking on a website

Automatic IP address blocking based on behavioral patterns and reputation databases — an additional layer of protection against bots, scanners, brute-force attacks, and spam.

Data sources for blocking

Behavioral triggers:

• Exceeding rate limit on critical endpoints
• Series of 4xx responses (scanning non-existent paths)
• Too-quick form filling (unrealistic for humans)
• Requests to honeypot URLs

Reputation databases:

• AbuseIPDB — database of reported malicious IPs
• MaxMind GeoIP — geolocation, IP type (datacenter vs residential)
• Project Honey Pot — HTTP BL
• Spamhaus — DNSBL for mail threats

Automatic blocking via Fail2ban

# /etc/fail2ban/filter.d/nginx-scan.conf
[Definition]
failregex = ^<HOST> .* "(GET|POST|HEAD) /\.env.*" .*$
            ^<HOST> .* "(GET|POST) /wp-admin.*" .*$
            ^<HOST> .* ".*\.php\?" .*$

# /etc/fail2ban/jail.d/nginx-custom.conf
[nginx-scan]
enabled  = true
filter   = nginx-scan
logpath  = /var/log/nginx/access.log
maxretry = 5
findtime = 60
bantime  = 86400
action   = iptables-multiport[name=nginx-scan, port="http,https"]
           %(action_mwl)s

Redis-based blocking in application

class BlockSuspiciousIp
{
    public function handle(Request $request, Closure $next)
    {
        $ip = $request->ip();

        if (Cache::has("blocked_ip:{$ip}")) {
            abort(403, 'Access denied');
        }

        $suspicionKey = "suspicion:{$ip}";
        $score = (int) Cache::get($suspicionKey, 0);

        if ($score >= 100) {
            Cache::put("blocked_ip:{$ip}", true, now()->addHours(24));
            Log::warning("IP blocked: {$ip}", ['score' => $score]);
            abort(403);
        }

        return $next($request);
    }
}

class SuspicionScorer
{
    public function increment(string $ip, int $points, string $reason): void
    {
        $key = "suspicion:{$ip}";
        Cache::increment($key, $points);
        Cache::put($key, Cache::get($key), now()->addHour());

        Log::info("Suspicion score", ['ip' => $ip, 'points' => $points, 'reason' => $reason]);
    }
}

Integration with AbuseIPDB

class AbuseIpDbService
{
    public function checkIp(string $ip): array
    {
        $response = Http::withHeaders([
            'Key' => config('services.abuseipdb.key'),
            'Accept' => 'application/json',
        ])->get('https://api.abuseipdb.com/api/v2/check', [
            'ipAddress'    => $ip,
            'maxAgeInDays' => 90,
        ]);

        return $response->json('data');
    }

    public function isSuspicious(string $ip): bool
    {
        $data = Cache::remember("abuseipdb:{$ip}", 3600, fn() => $this->checkIp($ip));
        return $data['abuseConfidenceScore'] > 50;
    }
}

Honeypot to attract bots

Route::any('/wp-admin', function(Request $request) {
    app(SuspicionScorer::class)->increment($request->ip(), 80, 'honeypot_wp_admin');
    abort(404);
});

Route::any('/.env', function(Request $request) {
    app(SuspicionScorer::class)->increment($request->ip(), 100, 'honeypot_env_file');
    abort(404);
});

Automatic unblocking and whitelist

class CleanExpiredBlocksCommand extends Command
{
    protected $signature = 'security:clean-blocks';

    public function handle(): void
    {
        BlockedIp::where('expires_at', '<', now())->delete();
    }
}

Monitoring and dashboard

Useful metrics to track:

• Top-10 blocked IPs in 24 hours
• Geographic distribution of blocks
• Block triggers (what most often causes a block)
• False-positive blocks (unblocks due to complaints)

Implementation Timeline

• Fail2ban + basic patterns: 1 day
• Redis-based scoring system: 2–3 days
• AbuseIPDB integration + dashboard: +2 days