🛡️ Enhanced Management for Blocked IPs

Apache Security Monitoring & IP Management System

📋 Current Blocked IPs

✓ IP Blocking is Active - Your blocked-ips.conf is working correctly
  • 172.213.211.235 Initial troll IP
  • 4.213.160.187 Azure scanning bot
  • 20.205.118.141 Azure probe
  • 4.197.176.207 Scanner bot
  • 74.176.59.137 Crawler abuse

Current Configuration File

Apache Config
# Blocked IPs - Updated regularly
<RequireAll>
    Require all granted
    Require not ip 172.213.211.235
    Require not ip 4.213.160.187
    Require not ip 20.205.118.141 
    Require not ip 4.197.176.207 
    Require not ip 74.176.59.137
    # Add new blocks here
</RequireAll>

Location: C:\_amp\run\apache\conf\blocked-ips.conf

💬 1. Add Comments for Tracking

Enhanced version with tracking information for audit compliance:

Apache Config
# Blocked IPs - Updated regularly
# Apache does not allow a comment after a directive on the same line,
# so each date/reason goes on its own line above the Require it describes.
<RequireAll>
    Require all granted
    # 2025-01-03 - wp-login attempts
    Require not ip 172.213.211.235
    # 2025-01-03 - xmlrpc scanner
    Require not ip 4.213.160.187
    # 2025-01-03 - .env probe
    Require not ip 20.205.118.141
    # 2025-01-03 - admin scanner
    Require not ip 4.197.176.207
    # 2025-01-03 - bot/crawler abuse
    Require not ip 74.176.59.137
    # Add new blocks here
</RequireAll>

Tip: Adding dates and reasons helps with audit trails and future reviews per Thunk Audit Control Standard.

🔍 2. Check if Blocked IPs Are Still Trying

PowerShell script to verify if blocked IPs are still attempting access:

PowerShell
# Check-BlockedIPs.ps1
$blockedIPs = @(
    "172.213.211.235",
    "4.213.160.187",
    "20.205.118.141",
    "4.197.176.207",
    "74.176.59.137"
)

$logPath = "C:\_amp\logs\apache\access.log"

Write-Host "`nChecking blocked IPs activity:" -ForegroundColor Yellow
Write-Host ("=" * 50)

foreach ($ip in $blockedIPs) {
    # Escape the dots and anchor at line start so 4.213.160.187 cannot match
    # inside 14.213.160.187; read the log once per IP instead of twice
    $hits = @(Select-String -Path $logPath -Pattern "^$([regex]::Escape($ip)) ")
    if ($hits.Count -gt 0) {
        # Combined log format fields: [0] client IP, [3..4] timestamp, [6] request path
        $lastHit = $hits[-1].Line -split ' '
        Write-Host "$ip" -ForegroundColor Red
        Write-Host "  Total hits: $($hits.Count)"
        Write-Host "  Last seen: $($lastHit[3..4])"
        Write-Host "  Last request: $($lastHit[6])"
    } else {
        Write-Host "$ip - No recent activity" -ForegroundColor Green
    }
}

Save as: C:\_amp\scripts\Check-BlockedIPs.ps1

Run: .\Check-BlockedIPs.ps1

🚫 3. Monitor 403 Responses

Confirm blocks are working by checking for 403 responses:

PowerShell
# Most recent blocked attempts (last 20 403s in the log)
# Match the status field after the closing quote of the request, not any
# "403" anywhere in the line (a byte count or URL could contain 403 too)
Get-Content C:\_amp\logs\apache\access.log |
    Where-Object {$_ -match '" 403 '} |
    Select-Object -Last 20 |
    ForEach-Object {
        $parts = $_ -split ' '
        "$($parts[0]) - $($parts[6]) - BLOCKED"
    }

Expected Result: You should see 403 responses for blocked IPs attempting to access restricted resources.
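Sections 2 and 3 both rely on raw substring matches; the following is an added example (not from the original page) that parses combined-log lines into fields and flags any request from a blocked IP that did not receive a 403, which is the sign that the block is not actually taking effect. The sample log lines are constructed; the two blocked addresses are taken from the list above.

```powershell
# Added example, not from the original scripts: parse Apache combined-log lines and
# confirm that every request from a blocked IP actually received a 403.
# The log path and the sample lines below are constructed for a stand-alone run.

# Combined log format: host ident user [time] "method path protocol" status bytes "referer" "agent"
$logPattern = '^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3}) \S+'

function ConvertFrom-ApacheLogLine {
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -match $logPattern) {
        [pscustomobject]@{
            IP     = $Matches['ip']
            Time   = $Matches['time']
            Method = $Matches['method']
            Path   = $Matches['path']
            Status = [int]$Matches['status']
        }
    }
    # Lines that do not match (malformed requests, other log formats) are skipped
}

function Test-BlockEffective {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [Parameter(Mandatory)][string[]]$Blocked
    )
    # A blocked IP that still receives a non-403 means the block is not taking effect:
    # typically the conf file is not Included, Apache was not restarted, or requests
    # arrive through a proxy so Apache sees the proxy address, not the client's.
    $Lines | ForEach-Object { ConvertFrom-ApacheLogLine $_ } |
        Where-Object { $_.IP -in $Blocked -and $_.Status -ne 403 }
}

# Constructed sample lines (203.0.113.7 is from the TEST-NET-3 documentation range)
$sample = @(
    '172.213.211.235 - - [03/Jan/2025:10:15:01 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '4.213.160.187 - - [03/Jan/2025:10:16:44 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [03/Jan/2025:10:17:02 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"'
)
$blockedIPs = @("172.213.211.235", "4.213.160.187")

# For the real log: Test-BlockEffective -Lines (Get-Content C:\_amp\logs\apache\access.log -Tail 5000) -Blocked $blockedIPs
$leaks = @(Test-BlockEffective -Lines $sample -Blocked $blockedIPs)
if ($leaks.Count -gt 0) {
    $leaks | ForEach-Object { Write-Host "NOT BLOCKED: $($_.IP) $($_.Method) $($_.Path) -> $($_.Status)" -ForegroundColor Red }
} else {
    Write-Host "All requests from blocked IPs received 403" -ForegroundColor Green
}
```

With the constructed sample the second line is reported (4.213.160.187 got a 200 on /xmlrpc.php), while the 403 for 172.213.211.235 passes silently.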

🔥 4. Escalate to Windows Firewall

For persistent offenders, add Windows Firewall rules for kernel-level blocking:

PowerShell
# Escalate-ToFirewall.ps1
$blockedIPs = @(
    "172.213.211.235",
    "4.213.160.187", 
    "20.205.118.141",
    "4.197.176.207",
    "74.176.59.137"
)

foreach ($ip in $blockedIPs) {
    $ruleName = "Apache-Block-$ip"
    
    # Check if rule exists
    if (!(Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName `
            -Direction Inbound `
            -RemoteAddress $ip `
            -Action Block `
            -Description "Escalated from Apache blocks"
        
        Write-Host "Added firewall block for $ip" -ForegroundColor Green
    }
}

Save as: C:\_amp\scripts\Escalate-ToFirewall.ps1

Run as Administrator: .\Escalate-ToFirewall.ps1

Note: Once blocked at firewall level, these IPs won't appear in Apache logs anymore.

🔍 5. IP Intelligence Report

Gather intelligence on blocked IPs to understand threat sources:

PowerShell
# Get-IPIntelligence.ps1
$ips = @(
    "172.213.211.235",
    "4.213.160.187",
    "20.205.118.141", 
    "4.197.176.207",
    "74.176.59.137"
)

Write-Host "`nIP Intelligence Report" -ForegroundColor Cyan
Write-Host ("=" * 50)

foreach ($ip in $ips) {
    Write-Host "`nChecking $ip..." -ForegroundColor Yellow
    
    # Use nslookup for reverse DNS
    $rdns = nslookup $ip 2>$null | Select-String "Name:" | ForEach-Object {$_ -replace "Name:\s+", ""}
    
    if ($rdns) {
        Write-Host "  Hostname: $rdns"
    } else {
        Write-Host "  Hostname: No PTR record"
    }
    
    # Check if it's a known cloud provider
    if ($ip -match "^20\.|^4\.") {
        Write-Host "  Note: Likely Microsoft Azure IP" -ForegroundColor Magenta
    }
    if ($ip -match "^172\.213\.") {
        Write-Host "  Note: Possibly Cloudflare range" -ForegroundColor Magenta
    }
}

Known IP Range Patterns

Provider          Pattern
Microsoft Azure   20.x.x.x, 4.x.x.x
Cloudflare        172.213.x.x
Residential ISP   74.176.x.x

📊 6. Automated Daily Report

Generate comprehensive security reports for audit compliance:

PowerShell
# Daily-Security-Report.ps1
$date = Get-Date -Format "yyyy-MM-dd"
$logPath = "C:\_amp\logs\apache\access.log"
$confPath = "C:\_amp\run\apache\conf\blocked-ips.conf"
$reportPath = "C:\_amp\logs\apache\security-report-$date.txt"

# Read the log once. Note this covers the whole file, not only today,
# unless the log is rotated daily.
$log = @(Get-Content $logPath)
$totalRequests = $log.Count
# Match the status field after the request's closing quote, not any "403" in the line
$blocked403 = @($log | Where-Object {$_ -match '" 403 '})
$blockedRequests = $blocked403.Count
$uniqueIPs = ($log | ForEach-Object {($_ -split ' ')[0]} | Sort-Object -Unique | Measure-Object).Count
# Guard against an empty log so the rate does not divide by zero
$blockRate = if ($totalRequests -gt 0) { [math]::Round(($blockedRequests / $totalRequests) * 100, 2) } else { 0 }

# Generate report
@"
MediaFirm Security Report - $date
======================================
Total Requests: $totalRequests
Blocked Requests (403): $blockedRequests
Unique IPs: $uniqueIPs
Block Rate: $blockRate%

Top 10 Blocked IPs:
$(($blocked403 |
    ForEach-Object {($_ -split ' ')[0]} |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 10 |
    ForEach-Object {"  $($_.Name): $($_.Count) attempts"}) -join "`n")

Currently Blocked IPs in Apache:
$((Get-Content $confPath |
    Where-Object {$_ -match "Require not ip"} |
    ForEach-Object {"  $($_.Trim())"}) -join "`n")
"@ | Out-File $reportPath

Write-Host "Report saved to: $reportPath" -ForegroundColor Green

Schedule Daily Execution

PowerShell
# Create scheduled task (run as administrator)
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\_amp\scripts\Daily-Security-Report.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At 11:59PM
Register-ScheduledTask -Action $action -Trigger $trigger `
    -TaskName "Apache Security Report" `
    -Description "Daily Apache security report generation"

🎯 7. Pattern Detection for New Threats

Automatically identify new IPs showing suspicious behavior:

PowerShell
# Find IPs with suspicious patterns not yet blocked
# Take the IP from the capture group directly rather than relying on $matches
# surviving from one pipeline stage to the next
$blocked = Get-Content C:\_amp\run\apache\conf\blocked-ips.conf |
    Select-String -Pattern 'Require not ip (\d+\.\d+\.\d+\.\d+)' |
    ForEach-Object {$_.Matches[0].Groups[1].Value}

# -Tail reads only the last 1000 lines instead of the whole file
$suspicious = Get-Content C:\_amp\logs\apache\access.log -Tail 1000 |
    Where-Object {$_ -match "(wp-login|xmlrpc|\.env|phpmyadmin|/admin/|\.git|\.aws)"} |
    ForEach-Object {($_ -split ' ')[0]} |
    Group-Object |
    Where-Object {$_.Count -gt 10} |
    Select-Object -ExpandProperty Name |
    Where-Object {$_ -notin $blocked}

if ($suspicious) {
    Write-Host "`nNew IPs to consider blocking:" -ForegroundColor Yellow
    $suspicious | ForEach-Object {
        Write-Host "  Require not ip $_"
    }
}

Common Attack Patterns

Watch for these patterns:
  • wp-login.php - WordPress login attempts
  • xmlrpc.php - XML-RPC exploitation
  • .env - Environment file probing
  • phpmyadmin - Database admin access
  • /admin/ - Admin panel scanning
  • .git/ - Repository exposure
  • .aws/ - AWS credentials hunting
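The script above prints candidate Require not ip lines; the remaining step is getting them into blocked-ips.conf without breaking the configuration or locking yourself out. This added example (not part of the original page) does that: it validates the address, refuses loopback and RFC 1918 ranges, writes the reason on its own comment line, inserts before the "# Add new blocks here" marker, and only restarts Apache if httpd -t accepts the file. The httpd.exe location is an assumption.

```powershell
# Added example, not from the original page: add a block to blocked-ips.conf safely.
# Validates the address, refuses loopback/RFC 1918 space (so you cannot lock yourself
# out), skips duplicates, writes the reason on its own line (Apache rejects trailing
# comments), then runs "httpd -t" before a graceful restart. httpd.exe path is assumed.
$confPath = "C:\_amp\run\apache\conf\blocked-ips.conf"
$httpdExe = "C:\_amp\run\apache\bin\httpd.exe"   # assumption: adjust to your install

function Test-SafeToBlock {
    param([Parameter(Mandatory)][string]$Ip)
    $addr = $null
    if (-not [ipaddress]::TryParse($Ip, [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }   # IPv4 only here
    $b = $addr.GetAddressBytes()
    if ($b[0] -eq 127 -or $b[0] -eq 10) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    return $true
}

function Add-BlockedIp {
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Reason)
    if (-not (Test-SafeToBlock $Ip)) { throw "Refusing to block '$Ip': invalid, IPv6, or private/loopback" }
    $conf = [string[]](Get-Content $confPath)
    if ($conf -match ('^\s*Require not ip {0}\s*$' -f [regex]::Escape($Ip))) {
        Write-Host "$Ip is already blocked"; return
    }
    # Insert just before the marker so the new lines stay inside <RequireAll>
    $idx = -1
    for ($i = 0; $i -lt $conf.Count; $i++) {
        if ($conf[$i] -match '# Add new blocks here') { $idx = $i; break }
    }
    if ($idx -lt 0) { throw "Marker '# Add new blocks here' not found in $confPath" }
    $new = [System.Collections.Generic.List[string]]::new($conf)
    $new.InsertRange($idx, [string[]]@("    # $(Get-Date -Format yyyy-MM-dd) - $Reason", "    Require not ip $Ip"))
    Set-Content -Path $confPath -Value $new -Encoding ASCII
    # Syntax-check the configuration; put the old file back if Apache rejects it
    & $httpdExe -t 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Set-Content -Path $confPath -Value $conf -Encoding ASCII
        throw "httpd -t failed; blocked-ips.conf reverted"
    }
    & $httpdExe -k restart | Out-Null
    Write-Host "Blocked $Ip ($Reason); Apache restarted" -ForegroundColor Green
}

# Example call with a constructed TEST-NET-3 address:
# Add-BlockedIp -Ip "203.0.113.7" -Reason "repeated .env probes"
```

Run it from an elevated PowerShell session, since both writing under the Apache conf directory and restarting the service require administrator rights.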

⚡ Quick Reference Commands

Essential File Locations

File               Location
httpd.conf         C:\_amp\run\apache\conf\httpd.conf
blocked-ips.conf   C:\_amp\run\apache\conf\blocked-ips.conf
access.log         C:\_amp\logs\apache\access.log
error.log          C:\_amp\logs\apache\error.log

📈 Monitoring Dashboard Script

All-in-one monitoring dashboard:

PowerShell
# Apache-Monitor-Dashboard.ps1
$logPath = "C:\_amp\logs\apache\access.log"

# Redraw on every key press; Ctrl+C exits
while ($true) {
    Clear-Host
    Write-Host "╔═══════════════════════════════════════════════╗" -ForegroundColor Cyan
    Write-Host "║     Apache Security Monitoring Dashboard      ║" -ForegroundColor Cyan
    Write-Host "╚═══════════════════════════════════════════════╝" -ForegroundColor Cyan
    Write-Host ""

    # Current Status
    $apacheRunning = Get-Service -Name "Apache*" -ErrorAction SilentlyContinue
    if ($apacheRunning.Status -eq "Running") {
        Write-Host "[✓] Apache Status: RUNNING" -ForegroundColor Green
    } else {
        Write-Host "[✗] Apache Status: STOPPED" -ForegroundColor Red
    }

    # Today's Stats (Apache timestamps look like [03/Jan/2025:10:15:01 +0000])
    $today = Get-Date -Format "dd/MMM/yyyy"
    $todayLogs = @(Get-Content $logPath | Where-Object {$_ -match "\[${today}:"})
    $total = $todayLogs.Count
    $blocked = @($todayLogs | Where-Object {$_ -match '" 403 '}).Count

    Write-Host ""
    Write-Host "Today's Statistics ($today):" -ForegroundColor Yellow
    Write-Host "  Total Requests: $total"
    Write-Host "  Blocked (403): $blocked"
    if ($total -gt 0) {
        Write-Host "  Block Rate: $([math]::Round(($blocked/$total)*100, 2))%"
    }

    # Recent Threats
    Write-Host ""
    Write-Host "Recent Suspicious Activity:" -ForegroundColor Yellow
    $recent = Get-Content $logPath -Tail 100 |
        Where-Object {$_ -match "(wp-login|xmlrpc|\.env|phpmyadmin)"} |
        Select-Object -Last 5

    if ($recent) {
        $recent | ForEach-Object {
            $parts = $_ -split ' '
            Write-Host "  $($parts[0]) → $($parts[6])" -ForegroundColor Red
        }
    } else {
        Write-Host "  No recent suspicious activity" -ForegroundColor Green
    }

    Write-Host ""
    Write-Host "Press any key to refresh (Ctrl+C to exit)..." -ForegroundColor Gray
    $null = [Console]::ReadKey($true)
}