[Defender Pro] Proactively Detect Probing


When I look at Defender logs, I can see that someone is probing for vulnerabilities. Defender can help.

I’ve created a long list of block keywords. I’ve reduced the 404 ban trigger to 3 failures within 300 seconds.

I make those changes when looking at the 404 requests, the IP addresses being used in consecutive requests, and the time period in which those requests are made. Defender should be able to do this too.

I can see the same IP coming back day after day, trying different keywords twice at different times, obviously trying to avoid triggering software just like Defender. Defender should be able to see this too.

In addition to 404s I can see when an IP address is probing other ports on my systems. No valid user would ever be pinging a website AND probing TCP/IP ports. Defender should see this activity and block it.

If a “guest” changes their user agent or hostname outside of reasonable user activity, I want to block them. Defender has the data and should recognize that this isn’t a legitimate visitor.

If a single IP comes back several times over a period of days, with similar but different user agents for the same hostname, that’s another obvious sign of malicious intent.

For some of this, maybe Defender shouldn’t permanently ban the user (my setting) but should at least temporarily ban them and add their info to a report so that the admin can audit and maybe tune the triggers.

All of this can be done with a user plugin that gets called by a filter hook, and/or a user plugin that can execute an action hook to tell Defender to take action on the current connection.

Dude, earn that superhero outfit, or let someone else wear it, but don’t wear the outfit and just sit there eating shawarma.
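As an added example (not part of the original post, and not Defender's own code), two of the heuristics described above replayed in Python over constructed access-log lines: the 3-failures-in-300-seconds 404 trigger, and the same IP returning on several days with a changing user agent. The log line format, thresholds and sample addresses are assumptions made for the demonstration.

```python
"""Replay of the post's heuristics over constructed access-log lines:
(1) three 404s from one IP inside a 300-second window, (2) one IP
returning on several days with similar-but-different User-Agents."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic): <ISO time> <ip> <status> "<user agent>"
SAMPLE_LOG = """\
2024-05-01T10:00:05 203.0.113.5 404 "Mozilla/5.0 (X11; Linux x86_64) rv:109.0"
2024-05-01T10:01:10 203.0.113.5 404 "Mozilla/5.0 (X11; Linux x86_64) rv:109.0"
2024-05-01T10:03:50 203.0.113.5 404 "Mozilla/5.0 (X11; Linux x86_64) rv:109.0"
2024-05-02T09:30:00 203.0.113.5 200 "Mozilla/5.0 (X11; Linux x86_64) rv:110.0"
2024-05-03T11:15:00 203.0.113.5 404 "Mozilla/5.0 (X11; Linux x86_64) rv:111.0"
2024-05-01T12:00:00 198.51.100.7 404 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
2024-05-01T13:00:00 198.51.100.7 404 "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
"""
LINE_RE = re.compile(r'^(\S+) (\S+) (\d{3}) "(.*)"$')

def parse(text):
    # Yield (timestamp, ip, status, user_agent) for each well-formed line
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, status, ua = m.groups()
            yield datetime.fromisoformat(ts), ip, int(status), ua

def detect(text, max_404=3, window_s=300, min_days=2, min_agents=2):
    """Return {ip: sorted reasons} for every IP that trips either heuristic."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(text)):          # oldest first, whatever the input order
        by_ip[ev[1]].append(ev)
    window, reasons = timedelta(seconds=window_s), defaultdict(set)
    for ip, evs in by_ip.items():
        # Rule 1: sliding window over this IP's 404 timestamps only
        misses = [ts for ts, _, status, _ in evs if status == 404]
        for i in range(len(misses) - max_404 + 1):
            if misses[i + max_404 - 1] - misses[i] <= window:
                reasons[ip].add(f"{max_404} x 404 within {window_s}s")
                break
        # Rule 2: same IP on several days with a changing User-Agent string
        days = {ts.date() for ts, *_ in evs}
        agents = {ua for *_, ua in evs}
        if len(days) >= min_days and len(agents) >= min_agents:
            reasons[ip].add(f"seen on {len(days)} days with {len(agents)} user agents")
    return {ip: sorted(r) for ip, r in reasons.items()}

if __name__ == "__main__":
    for ip, why in detect(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

Flagged IPs and their reasons are returned rather than banned, so the output can feed the audit report the post asks for before any blocking decision is taken.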