Replace Forbidden (403) Error with Captcha challenge on suspicious IPs

[GeoDosch]

I use NordVPN for my Internet access (to prevent my ISP from collecting marketing information from my browsing.)  But many of the NordVPN nodes are blocked by Hawk Host, which prevents me from accessing my own domain.  I can understand that bad actors are using VPNs to hide their activity, and I'm glad that Hawk Host is blocking them.  But instead of just throwing a 403 Forbidden error, I would like it to perform a Captcha challenge to prove they are not a BOT.  With the current set-up I must randomly try different VPN nodes until I find one that isn't blacklisted.  I often have to switch to a node in Canada to not be blocked.

Many sites do exactly this: instead of completely blocking the user completely, they can complete a Captcha challenge, then continue to the site (aetna.com is a good example of that.)  The current set-up is frustrating for me, and I have no idea how many users are blocked from access to my site and don't realize why.

I would also ask in advance that, if this is implemented, to please not use the cheesy captcha that is used for signing-up to this forum.  It's not only overly tedious, but I had to try from several different browser before I could get past that screen.  Google provides some excellent options, some of which base the challenge difficulty on the source IP reputation, and they don't charge for commercial use (I use one on my site.)

[Tony]

On all our shared/reseller/semi dedicated servers it should be giving a captcha in the event an IP is on our blacklist. I'd recommend opening a ticket and linking to this forum post so that our team can investigate why it's not working for your site.

[GeoDosch]

Tony,

A couple of years ago I opened ticket VAE-864-18071 for this exact issue, and this was the response I received:

"It seems the IP of your VPN is either blacklisted or blocked on our servers firewall. If there are any particular IPs for your VPN, kindly let us know so that we can have a detailed look into it. If the IP is temporarily blocked on our server's firewall, it will show a captcha so you could still visit the site. It seems the VPN's IP is permanently blocked on our server's firewall."

Based on that response it seems there are two classes of IPs being blocked: temporary and blacklisted.  Apparently many of the NordVPN nodes fall into the latter category.  So is there a reason the 'blacklisted' IPs couldn't also be given a Captcha challenge?  Since the IP of the VPN is very fluid, trying to get each one opened individually as the 403 errors occur doesn't seem like a good solution.

Thank you,

-George

[Tony]

The software has evolved a lot in two years and since then a lot of the scenarios where it was a 403 instead of a captcha have been resolved. If this is still happening now I'd encourage you to open a new ticket and ask it to be escalated as that sounds like a bug.

[GeoDosch]

I reproduced the problem just now, so I've opened a new ticket: VFP-933-15524

Thanks,

-George

[GeoDosch]

Tony,

I saw your update to the ticket, and that it was my fault because at some point I had blocked that subnet from my site.

Thanks for finding that so quickly (now I feel like an idiot LOL.) I'll need to review my deny list, and probably create a custom 403 page so I don't fool myself again.

I appreciate the fast response, and as always the outstanding service!