IP Blacklisting

Wallarm can block most harmful traffic request by request when a malicious payload is detected. However, for behavioral attacks in which every single request is legitimate by itself (e.g. login attempts with username/password pairs), blocking by origin is necessary.

Wallarm can block bots and behavioral-based attacks such as application abuse, brute-force and forced browsing by automatically adding IPs to the blacklist. Administrators can also manually add IP addresses and subnets for blocking.

The blacklist is available on the Settings -> Blacklist tab, where one can:

  • Review the list of the blocked IP addresses and the reason they were blocked;
  • Instantly unblock any IP address, or set the time to unblock;
  • Add an IP address or a whole subnet to the blacklist.

Enable on Wallarm Node

For the blacklisting to take effect, you must enable it on the Wallarm Node.

Review the active blacklist

By default, Wallarm will show the list of all IPs that are currently blacklisted. The same view is available by clicking the Now filter.

For every blacklist entry, Wallarm shows:

  • IP – The blocked IP address.
  • Reason – Automatically generated or manually inserted reason for blacklisting.
  • Application – The application that is protected by the blacklist.
  • Blocked – The date and time of the blocking.
  • Unblock – A time period after which the blocking will expire.

Clicking a row expands the history data for the selected IP address.

It is possible to instantly unblock an IP address or change the duration of the ban with the contextual buttons.

Review the blocking history

Select one of the filters above the table of the blocked entries.

Filter by the blocking date

The filter Day displays the blocking history for the last 24 hours.

One can also select a custom timing filter to specify the time range of the events to be displayed.

Both blocking and unblocking events that occurred during the time range will be displayed.

Filter by application

Select an application to see the application's blocking entries. Alternatively, blocking entries for all applications can be viewed by selecting the All applications checkbox.

Filter by IP address

In the search field, enter the IP address to filter the list.

Block manually

To start blocking:

  1. Select Now -> Add IP or subnet.
  2. Enter a value in the field IP, range, or subnet.
  3. Pick a date or use the slider.
  4. Choose whether to block IPs for all applications or a selected application.
  5. If available, provide a comment on the blocking reason.
  6. Click Add to blacklist.

The minimum blocking time period is 60 minutes.

Entering an IP address with a subnet mask will list every blocked IP address in the expanded table. For example, entering a.b.c.0/24 will expand the table to list 256 IP addresses.
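
A pre-check one might run before entering a value in the manual blocking form, shown as an added example that is not Wallarm code: it counts how many addresses an entry expands to, rejects block times under the 60-minute minimum, and flags overlap with ranges that must stay reachable. The dash syntax for ranges, the PROTECTED list and the max_addresses threshold are assumptions.

```python
import ipaddress

MIN_BLOCK_MINUTES = 60  # minimum blocking period stated on this page

# Constructed sample: ranges you never want to blacklist (assumption).
PROTECTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/28")]


def parse_entry(value):
    """Return the networks covered by a single IP, a CIDR subnet or a
    'first-last' range. The dash syntax for ranges is an assumption."""
    value = value.strip()
    if "-" in value:
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"invalid range: {value}")
        return list(ipaddress.summarize_address_range(first, last))
    # strict=True rejects entries with host bits set, e.g. 203.0.113.7/24
    return [ipaddress.ip_network(value, strict=True)]


def expanded_count(value):
    """Number of addresses the entry covers (a /24 gives 256)."""
    return sum(n.num_addresses for n in parse_entry(value))


def precheck(value, minutes, max_addresses=256):
    """Collect problems with a planned blacklist entry; empty list means OK.
    max_addresses is a hypothetical local policy limit, not a Wallarm setting."""
    problems = []
    if minutes < MIN_BLOCK_MINUTES:
        problems.append(f"block time {minutes} min is below the {MIN_BLOCK_MINUTES} min minimum")
    try:
        nets = parse_entry(value)
    except ValueError as exc:
        return problems + [f"cannot parse entry: {exc}"]
    total = sum(n.num_addresses for n in nets)
    if total > max_addresses:
        problems.append(f"entry expands to {total} addresses (limit {max_addresses})")
    for net in nets:
        for prot in PROTECTED:
            if net.version == prot.version and net.overlaps(prot):
                problems.append(f"{net} overlaps protected range {prot}")
    return problems
```

An empty list from precheck means the entry is within the local limit, does not touch a protected range and meets the minimum block time.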

Extending the blocking time

One can extend the blocking time for the IP address by locating it in the list of currently blocked IPs and changing the ban time.

Filters can be useful when there is a large number of entries in the list.

Unblocking IPs

Click Unblock now on the blocked entry.

Batch operations are also supported. One can select all or several entries and unblock them simultaneously.

Exporting blacklist entries

To export the blocking data, click Now -> Export list.

Wallarm will export a CSV file based on the date range currently selected in the UI with the following fields:

  • ID – The blocking record number.
  • Application – The Application ID.
  • Blocked – The date and time when the IP was blocked.
  • Unblocked – The date and time when the IP was unblocked.
  • Country – The country of the blocked IP address.
  • Reason – Automatically generated or manually inserted reason for blacklisting.
