{"id":596,"date":"2007-05-03T15:07:07","date_gmt":"2007-05-03T13:07:07","guid":{"rendered":"http:\/\/planetozh.com\/blog\/honey-pot-httpbl-simple-php-script\/"},"modified":"2007-05-03T15:11:17","modified_gmt":"2007-05-03T13:11:17","slug":"honey-pot-httpbl-simple-php-script","status":"publish","type":"page","link":"https:\/\/planetozh.com\/blog\/my-projects\/honey-pot-httpbl-simple-php-script\/","title":{"rendered":"Honey Pot &#038; http:BL Simple PHP Script"},"content":{"rendered":"<p><strong>http:BL<\/strong> is a blacklist of all the suspicious IPs that were trapped in one of the honey pots run for <a href=\"http:\/\/www.projecthoneypot.org?rf=33327\">Project Honey Pot<\/a>. This service has a simple API, allowing anyone to check an IP against their blacklist. Here is a detailed and simple example script showing how to use this API.<\/p>\n<h2>Honey pot ?<\/h2>\n<p>Simply put, a honey pot is a webpage that will trick malicious users (as in &quot;robots&quot;) into doing something that will allow collecting data about them, while real users (as in &quot;human&quot;) won&#39;t notice or do anything particular.<\/p>\n<p>For example, <a href=\"http:\/\/planetozh.com\/smelly.php\">this<\/a> is a honey pot. Open this page in your browser, and you&#39;ll see nothing but uninteresting legalish text. Now have a look at the source of the page, and you will spot a hidden &lt;div&gt; containing a form and emails. So, typically, if anything inputs text in that form, or sends anything to those emails, it&#39;s not human. It&#39;s a program spidering the web in search of spam food.<\/p>\n<h2>Using http:BL<\/h2>\n<p>First, you&#39;ll need to create an account on <a href=\"http:\/\/www.projecthoneypot.org?rf=33327\">PHPot<\/a> in order to be given an access key. Don&#39;t worry, it&#39;s free, and I even suspect it&#39;s a spam-free service :P Your access key will be a random string, like <em>ab234fghijkl<\/em><\/p>\n<p>Testing an IP with http:BL is a simple DNS query. 
For example, to check IP <strong>12.13.14.15<\/strong> you will need to query the following domain :<br \/>\n<strong><span style=\"color: rgb(153, 0, 0);\">ab234fghijkl<\/span>.<span style=\"color: rgb(0, 153, 0);\">15.14.13.12<\/span>.dnsbl.httpbl.org<\/strong>.<br \/>\nThe red part is your access key, the green part is the IP in reversed-octet format.<\/p>\n<p>The DNS query response will be something like <strong><span style=\"color: rgb(255, 0, 255);\">127<\/span>.<span style=\"color: rgb(153, 0, 0);\">3<\/span>.<span style=\"color: rgb(0, 153, 0);\">5<\/span>.<span style=\"color: rgb(0, 0, 153);\">1<\/span><\/strong> with the following meaning :<\/p>\n<ul>\n<li><span style=\"color: rgb(255, 0, 255);\">127<\/span>: the first octet is always 127. If it&#39;s not 127, then the query has failed, for some reason.<\/li>\n<li><span style=\"color: rgb(153, 0, 0);\">3<\/span>: the second octet is the number of days since last activity of the checked IP<\/li>\n<li><span style=\"color: rgb(0, 153, 0);\">5<\/span>: the third octet represents a threat score for the IP. The greater this number, the more dangerous it is.<\/li>\n<li><span style=\"color: rgb(0, 0, 153);\">1<\/span>: the last octet defines the type of visitor<\/li>\n<\/ul>\n<p>For more detailed information refer to the <a href=\"http:\/\/www.projecthoneypot.org\/httpbl_api.php\">API documentation<\/a>. 
For now, we&#39;ll just make a simple example script to check whether an IP is threatening or not.<\/p>\n<div id=\"ig-sh-1\" class=\"syntax_hilite\">\n\n\t\t<div class=\"toolbar\">\n\n\t\t<div class=\"language-name\">php<\/div>\n\n\t\t\n\t\t<br clear=\"both\">\n\n\t<\/div>\n\t\n\t<div class=\"code\">\n\t\t<ol class=\"php\" style=\"font-family:monospace\"><li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #666666;font-style: italic\">\/\/ your http:BL key<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #000088\">$apikey<\/span> <span style=\"color: #339933\">=<\/span> <span style=\"color: #0000ff\">'abcdefghijkl'<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp;<\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #666666;font-style: italic\">\/\/ IP to test : your visitor's<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #000088\">$ip<\/span> <span style=\"color: #339933\">=<\/span> <span style=\"color: #000088\">$_SERVER<\/span><span style=\"color: #009900\">&#091;<\/span><span style=\"color: #0000ff\">'REMOTE_ADDR'<\/span><span style=\"color: 
#009900\">&#093;<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp;<\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #666666;font-style: italic\">\/\/ build the lookup DNS query<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #666666;font-style: italic\">\/\/ Example : for '127.9.1.2' you should query 'abcdefghijkl.2.1.9.127.dnsbl.httpbl.org'<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #000088\">$lookup<\/span> <span style=\"color: #339933\">=<\/span> <span style=\"color: #000088\">$apikey<\/span> <span style=\"color: #339933\">.<\/span> <span style=\"color: #0000ff\">'.'<\/span> <span style=\"color: #339933\">.<\/span> <span style=\"color: #990000\">implode<\/span><span style=\"color: #009900\">&#040;<\/span><span style=\"color: #0000ff\">'.'<\/span><span style=\"color: #339933\">,<\/span> <span style=\"color: #990000\">array_reverse<\/span><span style=\"color: #009900\">&#040;<\/span><span style=\"color: #990000\">explode<\/span> <span style=\"color: #009900\">&#040;<\/span><span style=\"color: #0000ff\">'.'<\/span><span style=\"color: #339933\">,<\/span> <span style=\"color: #000088\">$ip<\/span> <span style=\"color: #009900\">&#041;<\/span><span style=\"color: #009900\">&#041;<\/span><span style=\"color: #009900\">&#041;<\/span> <span style=\"color: #339933\">.<\/span> <span style=\"color: 
#0000ff\">'.dnsbl.httpbl.org'<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp;<\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #666666;font-style: italic\">\/\/ check query response<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #000088\">$result<\/span> <span style=\"color: #339933\">=<\/span> <span style=\"color: #990000\">explode<\/span><span style=\"color: #009900\">&#040;<\/span> <span style=\"color: #0000ff\">'.'<\/span><span style=\"color: #339933\">,<\/span> <span style=\"color: #990000\">gethostbyname<\/span><span style=\"color: #009900\">&#040;<\/span><span style=\"color: #000088\">$lookup<\/span><span style=\"color: #009900\">&#041;<\/span><span style=\"color: #009900\">&#041;<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp;<\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #b1b100\">if<\/span> <span style=\"color: #009900\">&#040;<\/span><span style=\"color: #000088\">$result<\/span><span style=\"color: #009900\">&#091;<\/span><span style=\"color: #cc66cc\">0<\/span><span style=\"color: #009900\">&#093;<\/span> <span style=\"color: #339933\">==<\/span> <span style=\"color: #cc66cc\">127<\/span><span style=\"color: #009900\">&#041;<\/span> <span 
style=\"color: #009900\">&#123;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #666666;font-style: italic\">\/\/ query successful !<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #000088\">$activity<\/span> <span style=\"color: #339933\">=<\/span> <span style=\"color: #000088\">$result<\/span><span style=\"color: #009900\">&#091;<\/span><span style=\"color: #cc66cc\">1<\/span><span style=\"color: #009900\">&#093;<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #000088\">$threat<\/span> <span style=\"color: #339933\">=<\/span> <span style=\"color: #000088\">$result<\/span><span style=\"color: #009900\">&#091;<\/span><span style=\"color: #cc66cc\">2<\/span><span style=\"color: #009900\">&#093;<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #000088\">$type<\/span> <span style=\"color: #339933\">=<\/span> <span style=\"color: #000088\">$result<\/span><span style=\"color: #009900\">&#091;<\/span><span style=\"color: #cc66cc\">3<\/span><span style=\"color: #009900\">&#093;<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; 
<\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #666666;font-style: italic\">\/\/ type is a bitset; 0 (no bit set) means search engine<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #000088\">$typemeaning<\/span> <span style=\"color: #339933\">=<\/span> <span style=\"color: #0000ff\">''<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #b1b100\">if<\/span> <span style=\"color: #009900\">&#040;<\/span><span style=\"color: #000088\">$type<\/span> <span style=\"color: #339933\">==<\/span> <span style=\"color: #cc66cc\">0<\/span><span style=\"color: #009900\">&#041;<\/span> <span style=\"color: #000088\">$typemeaning<\/span> <span style=\"color: #339933\">.=<\/span> <span style=\"color: #0000ff\">'Search Engine, '<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #b1b100\">if<\/span> <span style=\"color: #009900\">&#040;<\/span><span style=\"color: #000088\">$type<\/span> <span style=\"color: #339933\">&amp;<\/span> <span style=\"color: #cc66cc\">1<\/span><span style=\"color: #009900\">&#041;<\/span> <span style=\"color: #000088\">$typemeaning<\/span> <span style=\"color: #339933\">.=<\/span> <span style=\"color: #0000ff\">'Suspicious, '<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #b1b100\">if<\/span> <span style=\"color: #009900\">&#040;<\/span><span style=\"color: #000088\">$type<\/span> <span style=\"color: #339933\">&amp;<\/span> <span style=\"color: #cc66cc\">2<\/span><span style=\"color: #009900\">&#041;<\/span> <span style=\"color: #000088\">$typemeaning<\/span> <span style=\"color: #339933\">.=<\/span> <span style=\"color: #0000ff\">'Harvester, '<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: 
normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #b1b100\">if<\/span> <span style=\"color: #009900\">&#040;<\/span><span style=\"color: #000088\">$type<\/span> <span style=\"color: #339933\">&amp;<\/span> <span style=\"color: #cc66cc\">4<\/span><span style=\"color: #009900\">&#041;<\/span> <span style=\"color: #000088\">$typemeaning<\/span> <span style=\"color: #339933\">.=<\/span> <span style=\"color: #0000ff\">'Comment Spammer, '<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #000088\">$typemeaning<\/span> <span style=\"color: #339933\">=<\/span> <span style=\"color: #990000\">trim<\/span><span style=\"color: #009900\">&#040;<\/span><span style=\"color: #000088\">$typemeaning<\/span><span style=\"color: #339933\">,<\/span><span style=\"color: #0000ff\">', '<\/span><span style=\"color: #009900\">&#041;<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp;<\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #b1b100\">echo<\/span> <span style=\"color: #0000ff\">&quot;IP seems to belong to a <span style=\"color: #006699;font-weight: bold\">$typemeaning<\/span> (<span style=\"color: #006699;font-weight: bold\">$type<\/span>) with threat level <span style=\"color: #006699;font-weight: bold\">$threat<\/span>&quot;<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: 
normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #009900\">&#125;<\/span><\/div><\/li>\n<\/ol>\t<\/div>\n\n<\/div>\n\n<p>This simple snippet checks an IP against PHPot&#39;s blacklist, and if anything suspicious is detected, it outputs its verdict. How simple was that ?<\/p>\n<p>Now, what to do with this ? You can for example prevent your email address from appearing on a contact form if an email harvester is detected, or disable comment posting for all comment spammers. We will log and block malicious users :<\/p>\n<div id=\"ig-sh-2\" class=\"syntax_hilite\">\n\n\t\t<div class=\"toolbar\">\n\n\t\t<div class=\"language-name\">php<\/div>\n\n\t\t\n\t\t<br clear=\"both\">\n\n\t<\/div>\n\t\n\t<div class=\"code\">\n\t\t<ol class=\"php\" style=\"font-family:monospace\"><li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #666666;font-style: italic\">\/\/ Our blocking policy<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #000088\">$block<\/span> <span style=\"color: #339933\">=<\/span> <span style=\"color: #009900;font-weight: bold\">false<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #b1b100\">if<\/span> <span style=\"color: #009900\">&#040;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #009900\">&#040;<\/span><span style=\"color: #000088\">$type<\/span> <span style=\"color: #339933\">&gt;=<\/span> <span style=\"color: #cc66cc\">4<\/span> <span style=\"color: #339933\">&amp;&amp;<\/span> <span style=\"color: 
#000088\">$threat<\/span> <span style=\"color: #339933\">&gt;<\/span> <span style=\"color: #cc66cc\">1<\/span><span style=\"color: #009900\">&#041;<\/span> <span style=\"color: #666666;font-style: italic\">\/\/ Comment spammer with very low threat level<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #339933\">||<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #009900\">&#040;<\/span><span style=\"color: #000088\">$type<\/span> <span style=\"color: #339933\">&lt;<\/span> <span style=\"color: #cc66cc\">4<\/span> <span style=\"color: #339933\">&amp;&amp;<\/span> <span style=\"color: #000088\">$threat<\/span> <span style=\"color: #339933\">&gt;<\/span> <span style=\"color: #cc66cc\">40<\/span><span style=\"color: #009900\">&#041;<\/span> <span style=\"color: #666666;font-style: italic\">\/\/ Other types, with threat level greater than 40<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #009900\">&#041;<\/span> <span style=\"color: #009900\">&#123;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #000088\">$block<\/span> <span style=\"color: #339933\">=<\/span> <span style=\"color: #009900;font-weight: bold\">true<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em 
monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #009900\">&#125;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp;<\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #b1b100\">if<\/span> <span style=\"color: #009900\">&#040;<\/span><span style=\"color: #000088\">$block<\/span><span style=\"color: #009900\">&#041;<\/span> <span style=\"color: #009900\">&#123;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; logme<span style=\"color: #009900\">&#040;<\/span><span style=\"color: #000088\">$block<\/span><span style=\"color: #339933\">,<\/span><span style=\"color: #000088\">$ip<\/span><span style=\"color: #339933\">,<\/span><span style=\"color: #000088\">$type<\/span><span style=\"color: #339933\">,<\/span><span style=\"color: #000088\">$threat<\/span><span style=\"color: #339933\">,<\/span><span style=\"color: #000088\">$activity<\/span><span style=\"color: #009900\">&#041;<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; blockme<span style=\"color: #009900\">&#040;<\/span><span style=\"color: #009900\">&#041;<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #990000\">die<\/span><span style=\"color: 
#009900\">&#040;<\/span><span style=\"color: #009900\">&#041;<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #009900\">&#125;<\/span><\/div><\/li>\n<\/ol>\t<\/div>\n\n<\/div>\n\n<p>The <strong>logme()<\/strong> function would simply write to a log file, collecting some data for further analysis : ip, requested page, user agent, etc&#8230;<\/p>\n<p>The <strong>blockme()<\/strong> function would be a nice &quot;403 Forbidden&quot; screen, explaining that unfortunately the IP was flagged as malicious and therefore the access to the page is not granted.<\/p>\n<h2>What about false positives and legitimate users ?<\/h2>\n<p>That&#39;s a good one. I believe every blocking measure should give a second chance to real users. It could be some harmless and innocent reader using a popular open proxy to read your site behind their corporate firewall, after all.<\/p>\n<p>A simple yet effective way to give real humans a chance to see your page is to give them a javascript redirection link. 99.9% of the infrequent false positives should have a real browser with javascript enabled. 
We will also set a cookie that will tell the checking script not to annoy this user and let him access pages.<\/p>\n<div id=\"ig-sh-3\" class=\"syntax_hilite\">\n\n\t\t<div class=\"toolbar\">\n\n\t\t<div class=\"language-name\">php<\/div>\n\n\t\t\n\t\t<br clear=\"both\">\n\n\t<\/div>\n\t\n\t<div class=\"code\">\n\t\t<ol class=\"php\" style=\"font-family:monospace\"><li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #000000;font-weight: bold\">function<\/span> blockme<span style=\"color: #009900\">&#040;<\/span><span style=\"color: #009900\">&#041;<\/span> <span style=\"color: #009900\">&#123;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #990000\">header<\/span><span style=\"color: #009900\">&#040;<\/span><span style=\"color: #0000ff\">'HTTP\/1.0 403 Forbidden'<\/span><span style=\"color: #009900\">&#041;<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\">&nbsp; &nbsp; <span style=\"color: #b1b100\">echo<\/span> <span style=\"color: #0000cc;font-style: italic\">&lt;&lt;&lt;HTML<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &lt;script type=&quot;text\/javascript&quot;&gt;<\/span><\/div><\/li>\n<li style=\"font-weight: 
normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; function setcookie( name, value, expires, path, domain, secure ) {<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; \/\/ set time, it's in milliseconds<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; var today = new Date();<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; today.setTime( today.getTime() );<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; <\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; if ( expires ) {<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; expires = expires * 1000 * 60 * 60 * 
24;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; }<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; var expires_date = new Date( today.getTime() + (expires) );<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; <\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; document.cookie = name + &quot;=&quot; +escape( value ) +<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; ( ( expires ) ? &quot;;expires=&quot; + expires_date.toGMTString() : &quot;&quot; ) + <\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; ( ( path ) ? 
&quot;;path=&quot; + path : &quot;&quot; ) + <\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; ( ( domain ) ? &quot;;domain=&quot; + domain : &quot;&quot; ) +<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; ( ( secure ) ? &quot;;secure&quot; : &quot;&quot; );<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; } &nbsp; <\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; function letmein() {<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; setcookie('notabot','true',1,'\/', '', '');<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &nbsp; &nbsp; location.reload(true);<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em 
monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; }<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &lt;\/script&gt;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &lt;h1&gt;Forbidden&lt;\/h1&gt;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &lt;p&gt;Sorry. You are using a suspicious IP.&lt;\/p&gt;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &lt;p&gt;If you &lt;strong&gt;ARE NOT&lt;\/strong&gt; a bot of any kind, please &lt;a href=&quot;javascript:letmein()&quot;&gt;click here&lt;\/a&gt; to access the page. 
Sorry for this !&lt;\/p&gt;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">&nbsp; &nbsp; &lt;p&gt;Otherwise, please have fun with &lt;a href=&quot;http:\/\/planetozh.com\/smelly.php&quot;&gt;this page&lt;\/a&gt;&lt;\/p&gt;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #0000cc;font-style: italic\">HTML<\/span><span style=\"color: #339933\">;<\/span><\/div><\/li>\n<li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #009900\">&#125;<\/span><\/div><\/li>\n<\/ol>\t<\/div>\n\n<\/div>\n\n<p>Now, before checking an IP, we&#39;ll first check for any cookie named &#39;notabot&#39; with value &#39;true&#39;. If there is one, don&#39;t bother making any check against the blacklist, and let the user access the page.<\/p>\n<h2>Wrapping it up<\/h2>\n<p>Here is the final script that checks for a whitelisting cookie, otherwise checks the IP and decides whether or not to block the user, logging malicious attempts accordingly. It also logs people clicking on the &quot;I&#39;m a human, not a bot&quot; link so that you can measure how tight or loose your blocking policy is.<\/p>\n<ul>\n<li><a href=\"http:\/\/planetozh.com\/download\/httpbl.php\">httpbl.php<\/a> (highlighted code, cut and paste)<\/li>\n<li><a href=\"http:\/\/planetozh.com\/download\/httpbl.txt\">httpbl.txt<\/a> (raw text, save as .php)<\/li>\n<\/ul>\n<p>To use the script, you would include it at the very top of your pages, i.e. 
:<\/p>\n<div id=\"ig-sh-4\" class=\"syntax_hilite\">\n\n\t\t<div class=\"toolbar\">\n\n\t\t<div class=\"view-different-container\">\n\t\t\t\t\t\t<a href=\"#\" class=\"view-different\">&lt; View <span>plain text<\/span> &gt;<\/a>\n\t\t\t\t\t<\/div>\n\n\t\t<div class=\"language-name\">php<\/div>\n\n\t\t\n\t\t<br clear=\"both\">\n\n\t<\/div>\n\t\n\t<div class=\"code\">\n\t\t<ol class=\"php\" style=\"font-family:monospace\"><li style=\"font-weight: normal;vertical-align:top\"><div style=\"font: normal normal 1em\/1.2em monospace;margin:0;padding:0;background:none;vertical-align:top\"><span style=\"color: #000000;font-weight: bold\">&lt;?php<\/span> <span style=\"color: #b1b100\">require<\/span><span style=\"color: #009900\">&#040;<\/span><span style=\"color: #0000ff\">'\/home\/you\/blog\/httpbl.php'<\/span><span style=\"color: #009900\">&#041;<\/span><span style=\"color: #339933\">;<\/span> <span style=\"color: #000000;font-weight: bold\">?&gt;<\/span><\/div><\/li>\n<\/ol>\t<\/div>\n\n<\/div>\n\n<h2>Disclaimer and stuff<\/h2>\n<p>This script is a rather simple example serving as a basic http:BL tutorial for PHP. There has to be room for some improvements, such as better logging, or giving alternate javascript-free access to legitimate users.<\/p>\n<p><a href=\"http:\/\/www.projecthoneypot.org?rf=33327\">Project Honey Pot<\/a> is an awesome initiative to which you can contribute by setting up your own honey pots. Not only is it as easy as 1-2-3, but it&#39;s kind of rewarding : the day I had my first honey pot installed, it identified a new, previously unseen harvester :) Installing a honey pot is an easy way of making the web a cleaner place. Or at least contributing to do so.<\/p>\n<p>Links to <a href=\"http:\/\/www.projecthoneypot.org?rf=33327\">Project Honey Pot<\/a> include my referral number. I&#39;m not earning anything but, maybe, satisfaction. What are you waiting for ? 
Install your honey pots.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>http:BL is a blacklist of all the suspicious IPs that were trapped in one of the honey pots run for Project Honey Pot. This service has a simple API, allowing anyone to check an IP against their blacklist. Here is a detailed and simple example script showing how to use this API. Honey pot ? [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":241,"menu_order":0,"comment_status":"open","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-596","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/pages\/596","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/comments?post=596"}],"version-history":[{"count":0,"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/pages\/596\/revisions"}],"up":[{"embeddable":true,"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/pages\/241"}],"wp:attachment":[{"href":"https:\/\/planetozh.com\/blog\/wp-json\/wp\/v2\/media?parent=596"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}