Introduce a centralized IP blocking feature within Ploi that allows users to block malicious IP addresses across all servers and services (UFW, Fail2Ban, NGINX) from a single interface.

TL;DR: Example script: https://github.com/kayvanaarssen/ploi-tools-and-scripts/tree/main/ip-blocker

Problem / Context

We are seeing increasing abuse from single IPs targeting multiple services and sites.

Example: 1.2.3.4

  • WordPress brute-force attacks
  • Password reset attempts
  • Multi-site probing

In modern setups, sites are often behind Cloudflare. This means:

  • Firewall (UFW) and Fail2Ban often do not see the real client IP
  • Only NGINX (if properly configured) can block based on real visitor IP

Result:

  • Blocking is fragmented
  • Requires manual workarounds (custom scripts, NGINX includes, etc.)
  • No central visibility or audit trail

Proposed Solution

Add a Security / IP Blocking tab in Ploi with:

  1. Central IP Block List
  • Add/remove IPs
  • Tagging (e.g. “brute force”, “bot”, “manual block”)
  • Notes / reason field

Sync across:

  • All servers
  • Or per-server scope

  2. Multi-Layer Blocking (Automatic Deployment)

When an IP is blocked, Ploi should automatically:

Firewall Layer

  • Add rule via UFW (or iptables/nftables)
  • Full server access denial

Fail2Ban Layer

  • Ban IP across all active jails
  • Optional persistent ban support

NGINX Layer (critical)

  • Maintain a global deny file (e.g. /etc/nginx/ploi/blocked_ips.conf)
  • Automatically included in all vhosts or globally in http {}

Example:

    deny 1.2.3.4;

This ensures:

  • Works even behind Cloudflare
  • Blocks at application level (real visitor IP)

  3. Global vs Server Scope

Allow users to choose:

  • Global (all servers)
  • Per server
  • Per site (optional advanced mode)

  4. Real IP Awareness (Cloudflare / Proxy Support)

Enhancement:

  • Detect if server uses Cloudflare or reverse proxy

Ensure:

  • real_ip_header
  • set_real_ip_from

This lets NGINX and Fail2Ban act on the real client IP.

  5. Audit & Logging
  • Who blocked/unblocked IP
  • Timestamp
  • Affected servers
  • Sync status

  6. API / Automation

API endpoint:

  • Add/remove IPs
  • Sync across infrastructure

Useful for:

  • SIEM integrations
  • External abuse detection
  • Automation pipelines
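
One way the central list could be turned into per-layer rules, as an added example (not Ploi's code and not the linked script). The sample entries, the TRUSTED_PROXIES range and the plan() helper are assumptions made for illustration; `ufw prepend` assumes ufw 0.36 or later.

```python
import ipaddress

# Constructed sample of a central block list: (address, tag, note) records.
BLOCKLIST = [
    ("1.2.3.4", "brute force", "WordPress login attempts"),
    ("2001:db8:bad::/48", "bot", "multi-site probing\ndeny all;"),
    ("1.2.3.4", "manual block", "duplicate of the first entry"),
    ("1.2.3.4; allow all", "manual block", "malformed entry"),
    ("198.51.100.7", "manual block", "inside our own proxy range"),
]
# Assumption: placeholder range for the reverse proxy in front of the servers.
TRUSTED_PROXIES = ["198.51.100.0/24"]


def plan(entries, trusted):
    """Validate a block list; return (nginx_conf, ufw_argvs, rejected)."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    nginx, ufw, rejected, seen = [], [], [], set()
    for raw, tag, note in entries:
        try:
            # Strict parsing: anything that is not exactly an IP or CIDR
            # (extra directives, host bits set) never reaches a config file.
            net = ipaddress.ip_network(raw.strip())
        except ValueError:
            rejected.append((raw, "not an IP address or CIDR"))
            continue
        # Blocking the proxy itself would cut off every visitor behind it.
        if any(net.overlaps(t) for t in trusted_nets if t.version == net.version):
            rejected.append((raw, "overlaps a trusted proxy range"))
            continue
        if net in seen:  # skip duplicates so the deployed files stay stable
            continue
        seen.add(net)
        # Collapse whitespace so a note cannot break out of the comment line.
        comment = " ".join(f"{tag}: {note}".split())
        nginx.append(f"deny {net};  # {comment}")
        # argv lists, not shell strings, so nothing is re-parsed by a shell.
        ufw.append(["ufw", "prepend", "deny", "from", str(net)])
    return "\n".join(nginx) + "\n", ufw, rejected


if __name__ == "__main__":
    conf, cmds, bad = plan(BLOCKLIST, TRUSTED_PROXIES)
    print(conf, cmds, bad, sep="\n")
```

The rejected list is what a sync-status or audit view would surface; the NGINX text is what would be written to the global deny file.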

Why This Matters

  • Modern hosting stacks (Cloudflare + NGINX + Fail2Ban) require multi-layer blocking
  • Current approach is:
      • Manual
      • Error-prone
      • Not scalable across servers

This feature would:

  • Significantly improve security posture
  • Reduce operational overhead
  • Provide a clear UX for a common real-world problem

Expected Impact

  • Faster response to abuse incidents
  • Consistent blocking across infrastructure
  • Reduced reliance on custom scripts
  • Better visibility and control

MVP Suggestion

Start simple:

  • Global IP list
  • Deploy to:
      • UFW
      • NGINX (global include)
  • Basic UI + sync button

Then expand with:

  • Fail2Ban integration
  • API
  • Tagging/logging
  • Cloudflare-aware enhancements

Closing

This is a very common real-world issue when running multiple sites behind Cloudflare. Having this built into Ploi would remove the need for custom scripting and provide a clean, reliable, and scalable solution.

Global IP Blocking (Security Layer Across Servers)

2 total votes