Differentiating between blocked bad requests and blocked for previous bad requests #141

@JasonBarnabe

Description

Using the examples from the README:

# Block requests containing '/etc/passwd' in the params.
# After 3 blocked requests in 10 minutes, block all requests from that IP for 5 minutes.
Rack::Attack.blacklist('fail2ban pentesters') do |req|
  # `filter` returns a truthy value if the request fails the check, or if it comes
  # from a previously banned IP, so the request is blocked in both cases
  Rack::Attack::Fail2Ban.filter(req.ip, :maxretry => 3, :findtime => 10.minutes, :bantime => 5.minutes) do
    # The count for the IP is incremented if the return value is truthy.
    CGI.unescape(req.query_string) =~ %r{/etc/passwd}
  end
end
# Fires for every blocked (and throttled) request; the last block argument is the request.
ActiveSupport::Notifications.subscribe('rack.attack') do |name, start, finish, request_id, req|
  puts req.inspect
end

In the notification handler, is it possible to differentiate between "the user did something bad that was blocked" and "the user previously did something bad, so this non-bad request was blocked"? This would make logging more informative and make it easier to see the actual requests that are flagged as bad.
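One way to make that distinction, added here as an example that is neither rack-attack's own code nor the issue author's: because the filter checks for an existing ban before it ever yields to the block, a request that is blocked purely for an earlier offence never runs the block. Setting a marker in the Rack env from inside the block therefore lets the notification handler tell the two cases apart. `ToyFail2Ban` below is a simplified in-memory stand-in that mirrors that control flow so the example runs without the gem, the env key `fail2ban.matched` is a name assumed for this example, and the request list is constructed.

```ruby
require 'cgi'

# Simplified in-memory stand-in for Rack::Attack::Fail2Ban (assumption: same
# control flow as the real filter, i.e. ban check first, block yielded only
# for discriminators that are not currently banned). Not rack-attack's code.
class ToyFail2Ban
  def initialize(maxretry:, findtime:, bantime:, clock: -> { Time.now })
    @maxretry, @findtime, @bantime, @clock = maxretry, findtime, bantime, clock
    @failures = Hash.new { |h, k| h[k] = [] } # discriminator => failure timestamps
    @bans = {}                                # discriminator => ban expiry time
  end

  def banned?(disc)
    expiry = @bans[disc]
    return false unless expiry
    return true if @clock.call < expiry
    @bans.delete(disc)
    false
  end

  # Truthy when the request should be blocked, either because the IP is already
  # banned or because the block flagged this request as bad.
  def filter(disc)
    if banned?(disc)
      true            # block is NOT yielded here, so no marker gets set
    elsif yield
      fail!(disc)
    else
      false
    end
  end

  private

  def fail!(disc)
    now = @clock.call
    @failures[disc] = @failures[disc].select { |t| now - t < @findtime } << now
    @bans[disc] = now + @bantime if @failures[disc].size >= @maxretry
    true
  end
end

MARK = 'fail2ban.matched' # assumed env key chosen for this example

# The blocklist body: set the marker only when this request itself matched.
def block_request?(f2b, env)
  f2b.filter(env['REMOTE_ADDR']) do
    matched = CGI.unescape(env['QUERY_STRING'].to_s).match?(%r{/etc/passwd})
    env[MARK] = true if matched
    matched
  end
end

# What a notification handler would log for a blocked request.
def classify(env)
  env[MARK] ? :bad_request : :banned_ip
end

# Constructed sequence: maxretry 3, findtime 600 s, bantime 300 s, one request per second.
def simulate
  t = Time.at(0)
  f2b = ToyFail2Ban.new(maxretry: 3, findtime: 600, bantime: 300, clock: -> { t })
  requests = [
    ['10.0.0.1', 'file=/etc/passwd'],        # 1st offence, blocked as bad
    ['10.0.0.1', 'file=%2Fetc%2Fpasswd'],    # 2nd offence (URL-encoded), blocked as bad
    ['10.0.0.1', 'q=ok'],                    # harmless, not yet banned: allowed
    ['10.0.0.1', 'file=/etc/passwd'],        # 3rd offence: blocked as bad and IP banned
    ['10.0.0.1', 'q=ok'],                    # harmless but IP banned: blocked for prior offences
  ]
  requests.map do |ip, qs|
    env = { 'REMOTE_ADDR' => ip, 'QUERY_STRING' => qs }
    result = block_request?(f2b, env) ? classify(env) : :allowed
    t += 1
    result
  end
end

puts simulate.inspect if __FILE__ == $PROGRAM_NAME
```

With the real gem the same marker would be set inside the `Fail2Ban.filter` block of the blocklist and read back in the `rack.attack` subscriber via `req.env`; the marker is per-request, so it never leaks between requests, and its absence on a blocked request means the block was skipped because the IP was already banned.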
