• Resolved Syncly.it

    (@elnath78)


    Hi,

    I noticed that when Wordfence blocks XSS or Directory Traversal attacks, it doesn't put the source IP on the blacklist right after the first attack. So I have reports like the following; as you can see, all attacks came from the same IP, so why was it not blacklisted, and why was it allowed to score 135 attacks?

    Increased Attack Rate: The Wordfence Web Application Firewall has blocked 135 attacks over the last 10 minutes. Below is a sample of these recent attacks:

    11 Febbraio, 2020 1:19pm - 194.60.254.243 (Ukraine) - Blocked for Directory Traversal - wp-config.php in query string: arquivo=../../../../wp-config.php
    11 Febbraio, 2020 1:19pm - 194.60.254.243 (Ukraine) - Blocked for Directory Traversal - wp-config.php in query string: file=../../../../wp-config.php
    11 Febbraio, 2020 1:19pm - 194.60.254.243 (Ukraine) - Blocked for Directory Traversal - wp-config.php in query string: files=../../../../wp-config.php
    11 Febbraio, 2020 1:19pm - 194.60.254.243 (Ukraine) - Blocked for Directory Traversal - wp-config.php in query string: file=../../../wp-config.php
    11 Febbraio, 2020 1:19pm - 194.60.254.243 (Ukraine) - Blocked for Directory Traversal - wp-config.php in query string: f=../../../wp-config.php
    11 Febbraio, 2020 1:19pm - 194.60.254.243 (Ukraine) - Blocked for Directory Traversal - wp-config.php in query string: url=../wp-config.php
    11 Febbraio, 2020 1:19pm - 194.60.254.243 (Ukraine) - Blocked for Directory Traversal - wp-config.php in query string: target=../../../wp-config.php
    11 Febbraio, 2020 1:19pm - 194.60.254.243 (Ukraine) - Blocked for Directory Traversal - wp-config.php in query string: filename=../../../wp-config.php
    11 Febbraio, 2020 1:19pm - 194.60.254.243 (Ukraine) - Blocked for Directory Traversal - wp-config.php in query string: file=../../../wp-config.php
    11 Febbraio, 2020 1:19pm - 194.60.254.243 (Ukraine) - Blocked for Directory Traversal - wp-config.php in query string: page=../../../../wp-config.php

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hey @elnath78,

    This is the expected behavior. The Firewall is blocking the IP’s attempted attacks, but it won’t ban every IP used in an attack. If it did, this list would likely be enormous and quite possibly block legitimate IPs being used in the attacks. You can manually ban them if you’d like, but I’d suggest reviewing the article below before doing this.

    https://www.wordfence.com/blog/2017/11/should-permantly-block-ips/

    The IPs will be banned based on your manual block configurations of features like Brute Force Protection.

    Thanks,

    Gerroald

    Hey @elnath78,

    We haven’t heard back from you in a while, so I’ve gone ahead and marked this thread as resolved.

    Please feel free to open another thread if you’re still having issues with Wordfence.

    Thanks,

    Gerroald

    Thread Starter Syncly.it

    (@elnath78)

    Hi @wfgerald

    I didn't receive the notification, or possibly deleted it without answering, thinking that I already did; I don't remember.

    However, I see that many attacks are performed in a short period of time, so why doesn't the firewall put the IP on a temp ban and prevent further attacks? A 1 hour ban would probably be enough. The point is that if an IP is used for XSS it should be blocked as first response, and block further attacks.

  • The topic ‘Blocked XSS attemp not blacklisted’ is closed to new replies.
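
The rate-based temporary ban discussed in this thread can be prototyped offline against the alert lines before any manual block is created. The script below is an added example, not Wordfence code and not from either poster: it parses lines in the alert format quoted above and lists IPs that exceed a threshold inside a 10-minute window, with a 1-hour ban expiry. The function names, the threshold of 5, the English month names and the sample lines (documentation-range IPs) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line shape taken from the alert sample in the thread:
# "<date> <time> - <ip> (<country>) - Blocked for <rule> - <detail>"
LINE_RE = re.compile(
    r"^(?P<ts>.+?) - (?P<ip>[0-9a-fA-F.:]+) \([^)]*\) - "
    r"Blocked for (?P<rule>.+?) - .*$")

def parse_line(line):
    """Return (timestamp, ip, rule), or None if the line is not an alert entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Assumes English month names; localized alerts need a month mapping first.
    return datetime.strptime(m["ts"], "%d %B, %Y %I:%M%p"), m["ip"], m["rule"]

def temp_ban_candidates(lines, threshold=5, window=timedelta(minutes=10),
                        ban_for=timedelta(hours=1)):
    """Map each IP that reaches `threshold` blocked requests within `window`
    to the time its temporary ban would expire."""
    recent, bans = defaultdict(deque), {}
    for ts, ip, _rule in sorted(e for e in map(parse_line, lines) if e):
        if ip in bans and ts < bans[ip]:
            continue                      # already inside an active ban
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:         # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            bans[ip] = ts + ban_for
            q.clear()
    return bans

# Constructed sample: one IP probing quickly, one IP with slow, spread-out hits.
FMT = ("11 February, 2020 1:{:02d}pm - {} (Testland) - Blocked for Directory "
       "Traversal - wp-config.php in query string: {}=../../../wp-config.php")
SAMPLE = [FMT.format(m, "203.0.113.7", p) for m, p in
          [(19, "file"), (19, "f"), (20, "url"), (20, "page"),
           (21, "target"), (21, "filename")]]
SAMPLE += [FMT.format(m, "198.51.100.20", "file") for m in (0, 12, 24, 36, 48)]

if __name__ == "__main__":
    for ip, until in temp_ban_candidates(SAMPLE).items():
        print(f"{ip}: temporary ban candidate until {until:%Y-%m-%d %H:%M}")
```

Only the fast prober is listed; the second IP has five hits but never more than one inside any 10-minute window, which is the kind of distinction to check before banning, given the reply's point about legitimate IPs.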