Enterprise Shield: The flow and general process

So, for those who are interested, here is the current processing flow and the update cycle of each component in my Enterprise Shield and bot-filtering setup.

Currently this setup comfortably supports blocking 425,000 CIDR blocks and 10K AbuseIPDB IPs, with additional processing for cloud providers that depends on the rate at which they send traffic through.

Attackers, do what you will.

Enterprise Shield — Request Processing Flow

[Flowchart: three layers showing how an inbound request passes through the kernel SHIELD-LOGIC chain, the Apache mod_rewrite UA filter, and the WordPress/Wordfence application layer.]

Inbound request

Kernel: SHIELD-LOGIC chain
  • Trusted source? (loopback, ESTABLISHED/RELATED, LAN, CDN IPs) → accept
  • AbuseIPDB penalty box? (SHIELD_PENALTY ipset, updated 5 times daily from the AbuseIPDB Free API) → silent drop on match
  • Blocked ASN or country? (blocked_asns ipset, rebuilt nightly at 02:00 UTC) → silent drop on match
  • Known AI crawler UA? (GPTBot, ClaudeBot, Google-Extended, others) → rDNS verify, then accept or drop

Apache: mod_rewrite UA filter
  • UA block rules? (bot strings, outdated browsers, attack patterns) → 403 GO AWAY!

Application: WordPress / Wordfence / PHP
  • Wordfence WAF evaluates the request, WordPress delivers the content → legitimate request served

Enterprise Shield — Component Update Cycles

Scheduled refresh intervals and out-of-band injection methods for each protection layer.

🕐 All scheduled times are UTC
Component: blocked_asns ipset (kernel)
What it controls: IP ranges for every ASN listed in blocklist_asns.txt, resolved via RADB WHOIS using 8 parallel threads.
Update cycle: nightly at 02:00
Out-of-band injection:
  • Penalty box (temporary): sudo block_asn.sh AS9009 (live inject; cleared at the next 02:00 UTC run)
  • Permanent block: sudo block_asn.sh --permanent AS9009 (writes to the blocklist and injects live; persists forever)

Component: Country IP blocks (kernel)
What it controls: IPv4 CIDRs for blocked countries from the ipverse GitHub feed, merged into the same blocked_asns ipset.
Update cycle: nightly at 02:00
Out-of-band injection:
  • CIDR penalty box: sudo block_asn.sh --cidr 1.2.3.0/24 (live inject only; cleared at the next 02:00 UTC run)
  • Add a country permanently: edit BLOCK_COUNTRIES in enterprise_shield.sh and re-run it (takes effect immediately and persists)

Component: SHIELD_PENALTY ipset (kernel)
What it controls: top abusive IPs from the AbuseIPDB API (≥ 90% confidence). Evaluated before the ASN chain in iptables INPUT.
Update cycle: 5x daily, at :00
Out-of-band injection:
  • No manual add: the set is atomically replaced on each run. To block an IP immediately, use block_asn.sh --cidr <IP>/32 against the main ipset instead.
  • Force an early refresh: sudo /usr/local/bin/abuseipdb_penaltybox.sh

Component: AI bot verifier (kernel)
What it controls: Python daemon on NFQUEUE 10. Intercepts known AI crawler UAs (GPTBot, ClaudeBot, Google-Extended) and verifies them via rDNS before allowing or dropping.
Update cycle: on service restart
Out-of-band injection:
  • Add a new AI bot UA: edit the NFQUEUE rules in enterprise_shield.sh, then: sudo systemctl restart shield-ai-bot.service
  • Rebuild the full chain: sudo /usr/local/bin/enterprise_shield.sh

Component: mod_rewrite UA rules (Apache)
What it controls: Apache-level .htaccess and VirtualHost rewrite rules blocking by UA string, version ranges, empty UAs, and attack patterns. Returns 403 GO AWAY! inline: no PHP, no WordPress bootstrap.
Update cycle: manual
Out-of-band injection:
  • Add a bot string: append a RewriteCond to .htaccess, then: sudo apachectl graceful (takes effect immediately with no dropped connections)
  • Update the browser version range: edit the version regex, then run apachectl graceful. The regex must cover the ESR floor and the current version ceiling.
  • IP block at the Apache layer: add Require not ip <addr> to the VirtualHost config.

Component: Wordfence WAF (WordPress)
What it controls: PHP-layer WAF bootstrapped before WordPress via waf/bootstrap.php. Independently evaluates every request that survives Apache, checks Wordfence's threat database, and serves its own 403 pages from wp-content/wflogs/.
Update cycle: automatic (Free: 30-day rule delay; Premium: real-time feed)
Out-of-band injection:
  • Block an IP immediately: WP-Admin → Wordfence → Blocking → Create a Block → Block by IP (no server restart required)
  • Add a custom firewall rule: WP-Admin → Wordfence → Firewall → Custom Patterns (can match on IP, UA, referrer, URL, or request parameter)
  • Force a rule sync: WP-Admin → Wordfence → Firewall → Sync Firewall Rules

Boot persistence: shield-ipset-restore → ufw.service → shield-iptables-restore → shield-ai-bot.service. All ipsets and chains are restored on reboot.
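The decision step of the AI bot verifier, as an added example that is not the daemon's own code: a forward-confirmed rDNS check for a request whose UA claims to be a known crawler (PTR lookup, then a forward lookup of the PTR name that must contain the connecting IP, since a PTR alone is under the sender's control). The NFQUEUE 10 packet handling is left out, the resolver functions are injectable so the block runs offline, and the UA-to-domain table and sample addresses are assumed and constructed values, not the operators' published ones.

```python
import re
import socket
from typing import Callable, Iterable, Optional

# Assumed UA token -> rDNS suffixes (placeholders; use operators' published ones).
EXPECTED_RDNS_SUFFIX = {
    "GPTBot": ("openai.com",),
    "ClaudeBot": ("anthropic.com",),
    "Google-Extended": ("googlebot.com", "google.com"),
}
UA_TOKEN_RE = re.compile("|".join(re.escape(t) for t in EXPECTED_RDNS_SUFFIX))

def _reverse(ip: str) -> Optional[str]:  # PTR lookup; None if no record
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def _forward(host: str) -> Iterable[str]:  # A/AAAA lookup; empty if unresolvable
    try:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}
    except OSError:
        return set()

def verdict(src_ip: str, user_agent: str,
            reverse: Callable[[str], Optional[str]] = _reverse,
            forward: Callable[[str], Iterable[str]] = _forward) -> str:
    """'pass' if the UA claims no known crawler, else 'accept' or 'drop'."""
    match = UA_TOKEN_RE.search(user_agent)
    if not match:
        return "pass"  # not a claimed AI crawler; rest of the chain decides
    host = reverse(src_ip)
    if not host:
        return "drop"  # self-identified crawler with no PTR record
    hostname = host.rstrip(".").lower()
    if not any(hostname == s or hostname.endswith("." + s)
               for s in EXPECTED_RDNS_SUFFIX[match.group(0)]):
        return "drop"  # PTR points outside the operator's domains
    # Forward confirmation: anyone can set a PTR on their own address space,
    # so the PTR name must resolve back to the connecting IP.
    return "accept" if src_ip in set(forward(hostname)) else "drop"

# Constructed sample data (TEST-NET-3 addresses) for an offline run.
SAMPLE_PTR = {"203.0.113.10": "crawler-1.openai.com",
              "203.0.113.11": "crawler-1.openai.com",  # spoofed PTR
              "203.0.113.12": "vps.example.net"}
SAMPLE_FWD = {"crawler-1.openai.com": {"203.0.113.10"}, "vps.example.net": {"203.0.113.12"}}

def sample_verdict(ip: str, ua: str) -> str:
    return verdict(ip, ua, SAMPLE_PTR.get, lambda h: SAMPLE_FWD.get(h, set()))
```

Requests that do not claim a crawler UA return "pass" so the rest of the SHIELD-LOGIC chain (penalty box, ASN/country, Apache rules) still decides them.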
