Best approach to handle attempting to hack a website

Tags: security, php

A little background. I run the website for a non-profit organization. I ran a link checker on the site after I noticed a dead link, and found a couple more. So, I implemented a custom 404 page to log any failed links. This allows me to fix my broken links and alert others that link to us their links are broken.

It led to an interesting finding quite fast: there are astonishingly many attempts to circumvent security and exploit vulnerabilities in standard software packages that are commonly found on sites, like phpMyAdmin, forums, etc.

I log the IP addresses of the offenders and find that almost all of them are not from the US. Our organization strictly focuses on a small region in the US, so I thought about just banning them via PHP, in a manner such as: loading a list of offenders in the header file, which is used by all pages, and simply dying with a message if they belong to the list.

Is this a good approach? Is there something better? What I am concerned with is that they will find a vulnerability and gain access.

steveo225 asked Aug 04 '11 02:08



2 Answers

Your method of blacklisting IPs outside the US will be a little effective for a short time, but is really going to be a losing battle in the long run. If you can exclude IPs outside the US without affecting your user base, you can utilize a service like MaxMind GeoIP to identify the country in PHP code and refuse access to those outside it.

Loading these in a list or array in the header file is likely to get unwieldy after a while and possibly affect performance. You would be better off to store the ban list in a database and check IPs when establishing a session in your site.

However, the most important course of action is to always make sure that your third-party software packages like forums, blogs, wikis, etc. are kept up to date with security patches. The exploits for common web applications are very well known and widely publicized, so it's crucial to keep them patched.

Addendum: Make a habit of perusing http://www.exploit-db.com/ occasionally to keep abreast of new exploits.

Michael Berkowski answered Sep 23 '22 13:09

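The answer above recommends keeping the ban list in a database and checking it once per session rather than loading an array in every page's header. The following is an added example of that check, not code from the answer or the asker's site. It assumes a MySQL table named `banned_ips` with columns `ip`, `reason` and `created_at` (hypothetical names, with a unique key on `ip`), and a PDO connection whose DSN and credentials are placeholders.

```php
<?php
// Added example: database-backed IP ban list checked when a session is established.
// Table/column names and the PDO DSN are placeholders; adjust to your schema.
declare(strict_types=1);

function clientIp(): string
{
    // REMOTE_ADDR is filled in by the web server from the TCP connection; unlike
    // X-Forwarded-For it is not a client-supplied header, so prefer it unless a
    // trusted reverse proxy sits in front of PHP.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function isBanned(PDO $db, string $ip): bool
{
    // Refuse anything that is not a syntactically valid IPv4/IPv6 address.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return true;
    }
    // Prepared statement: the address is bound as a value, never spliced into SQL.
    $stmt = $db->prepare('SELECT 1 FROM banned_ips WHERE ip = :ip LIMIT 1');
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchColumn() !== false;
}

function banIp(PDO $db, string $ip, string $reason): void
{
    // Called, for example, from the custom 404 handler when a probe is logged.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return;
    }
    // INSERT IGNORE is MySQL-specific; it relies on the unique key on `ip`.
    $stmt = $db->prepare(
        'INSERT IGNORE INTO banned_ips (ip, reason, created_at) VALUES (:ip, :reason, NOW())'
    );
    $stmt->execute([':ip' => $ip, ':reason' => $reason]);
}

// Usage at the top of the shared header: one lookup per session, not per page.
session_start();
$db = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // surface query failures
]);

if (!isset($_SESSION['ban_checked'])) {
    if (isBanned($db, clientIp())) {
        http_response_code(403);
        exit('Access denied.');
    }
    $_SESSION['ban_checked'] = true;
}
```

The session flag only skips the lookup for visitors who have already passed it; a client that discards its session cookie simply gets checked again on its next request, so a freshly banned address cannot ride an old session for longer than that session lives.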


To nail IPs from the US, MaxMind GeoLite Country should do.
It's free and GPL and pretty well hidden on their site.

Most IP locators out there use this free DB,
and in my experience it always gets the country right.

(the one that's worth buying from them is the GeoIP City database, that kind of data is more mutable and GeoLite City gets it right less than 70% of the time — with some pretty spectacular errors)

GeoLite comes in database and binary flavors.
The binary one has a PHP library that does indexed lookups.

I wouldn't ban them outright, anyway.

Why? Many reasons.
One is: people sometimes travel abroad, and may want to check their site during the holidays.

If I was you, I'd put a reCAPTCHA on the page, and if they pass it, set them a secret daily cookie.
Something like:

```php
<?php
// $salt is a server-side secret of your choosing (placeholder value here).
$salt = 'replace-with-a-long-random-secret';
// One token per calendar day: the same salt and date always give the same hash.
$dailyToken = hash('md5', $salt . date('Ymd'));
```

(md5 shouldn't be used for that, anyway — calc the hash using a SHA-1 and cache it for the day)

You could set the secret daily cookie to the IPs that pass the GeoLite test, too.
So you don't have to look it up at every single visit.

ZJR answered Sep 24 '22 13:09

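The answer above sketches a daily cookie handed out after a visitor passes a CAPTCHA or the GeoLite country test, so the lookup does not run on every visit. Below is an added example of issuing and verifying such a cookie; it is not ZJR's code. It goes a step beyond the answer's `hash()` one-liner: it uses `hash_hmac` with SHA-256 keyed by a server-side secret in place of the plain md5/SHA-1 hash, computes the day in UTC so the token does not roll over at a server-local midnight, and compares with `hash_equals`. The cookie name `trusted`, the environment variable `DAILY_COOKIE_SECRET`, and the `$passedCheck` flag are placeholders.

```php
<?php
// Added example: secret daily "trusted visitor" cookie set after a CAPTCHA or
// GeoLite check passes. Cookie name, secret source and check flag are placeholders.
declare(strict_types=1);

const TRUST_COOKIE = 'trusted';   // hypothetical cookie name

function dailyToken(string $secret, string $day): string
{
    // HMAC over the UTC date: a token is only reproducible with the secret,
    // and changes once per day so a leaked value expires on its own.
    return hash_hmac('sha256', $day, $secret);
}

function trustCookieExpiry(): int
{
    // Expire at the next UTC midnight, matching the day encoded in the token.
    return gmmktime(0, 0, 0, (int) gmdate('n'), (int) gmdate('j') + 1, (int) gmdate('Y'));
}

function issueTrustCookie(string $secret): void
{
    setcookie(TRUST_COOKIE, dailyToken($secret, gmdate('Ymd')), [
        'expires'  => trustCookieExpiry(),
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

function hasValidTrustCookie(string $secret): bool
{
    $presented = $_COOKIE[TRUST_COOKIE] ?? '';
    if ($presented === '') {
        return false;
    }
    // Constant-time comparison against today's token only.
    return hash_equals(dailyToken($secret, gmdate('Ymd')), $presented);
}

// Usage in the shared header. The secret lives outside the web root (here an
// environment variable) and is never sent to the browser.
$secret = getenv('DAILY_COOKIE_SECRET') ?: '';
if ($secret === '') {
    throw new RuntimeException('DAILY_COOKIE_SECRET is not configured');
}

if (!hasValidTrustCookie($secret)) {
    // $passedCheck stands in for your CAPTCHA verification or GeoLite lookup.
    $passedCheck = false;   // placeholder
    if ($passedCheck) {
        issueTrustCookie($secret);
    } else {
        http_response_code(403);
        exit('Please complete the verification page.');
    }
}
```

Because the token depends only on the secret and the date, it costs nothing to cache: every request on a given day compares against the same string, and the GeoLite or CAPTCHA check runs at most once per visitor per day.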