.Htaccess IP Banning - Block Bad Visitors

by Scott Allen

Increase your web site’s security by blocking bad visitors with .htaccess. If you have nuisance visitors, site scrapers, or spammers, you can add a few directives to your .htaccess file that block visitors by individual IP address or by blocks of IP addresses. Be careful not to ban blocks of IPs carelessly, though, as you may end up banning potential customers or other valid site visitors. Also, nothing is completely foolproof, since the user can always switch to another IP address, but I’ve found that this does reduce the number of troublesome incidents.

Secure Directories by IP Address and/or Domain

In the following example, all visitors are allowed except for 12.34.56.123 and hosts in domain.com (the hostname form is a partial domain name, not a regular expression, and it only works when Apache can resolve the client's address back to a hostname):

# allow all except those indicated here
<Files *>
order allow,deny
allow from all
deny from 12.34.56.123
deny from domain.com
</Files>

In the following example, all IP addresses are denied access except for 12.34.56.123 and domain.com:

# deny all except those indicated here
<Files *>
order deny,allow
deny from all
allow from 12.34.56.123
allow from domain.com
</Files>

This is how to block unwanted visitors based on the referring domain. Simply replace "offendingdomain1" and "offendingdomain2" with the offending domains of your choice (the RewriteCond pattern is a case-insensitive regular expression, matched anywhere in the Referer header):

# block visitors referred from indicated domains

RewriteEngine on
RewriteCond %{HTTP_REFERER} offendingdomain1\.com [NC,OR]
RewriteCond %{HTTP_REFERER} offendingdomain2\.com [NC]
RewriteRule .* - [F]
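Before deploying a referrer block it helps to see which logged requests it would have rejected. The script below is an added example, not code from the original post: it applies the same unanchored, case-insensitive matching that RewriteCond uses with the NC flag to a few constructed access-log lines in Apache's combined format. The domain names are the post's hypothetical ones; the log entries and addresses are made up for the example.

```python
"""Preview which logged requests an .htaccess referrer block would reject.

Added example (not part of the original post). RewriteCond with [NC]
compares its pattern as an unanchored, case-insensitive regular
expression against the Referer header, so Python's re.search with
re.IGNORECASE reproduces the same decision.
"""
import re

# Patterns taken from the post's two RewriteCond lines (hypothetical domains).
BLOCKED_REFERER_PATTERNS = [r"offendingdomain1\.com", r"offendingdomain2\.com"]

# Constructed access-log lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "http://www.offendingdomain1.com/spam" "Mozilla/5.0"
203.0.113.6 - - [10/Oct/2023:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1200 "http://OFFENDINGDOMAIN2.COM/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /contact.html HTTP/1.1" 200 900 "https://www.example.org/links" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 3000 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /faq.html HTTP/1.1" 200 800 "http://notoffendingdomain1.com/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def referer_blocked(referer, patterns=BLOCKED_REFERER_PATTERNS):
    """Mirror 'RewriteCond %{HTTP_REFERER} pattern [NC,OR]': any pattern
    found anywhere in the header, ignoring case, triggers the block."""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)


def preview_block(log_text, patterns=BLOCKED_REFERER_PATTERNS):
    """Return (blocked, total): the (ip, referer) pairs the rule would
    reject and the number of parseable log lines examined."""
    blocked, total = [], 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        total += 1
        if referer_blocked(m.group("referer"), patterns):
            blocked.append((m.group("ip"), m.group("referer")))
    return blocked, total


if __name__ == "__main__":
    blocked, total = preview_block(SAMPLE_LOG)
    print(f"{len(blocked)} of {total} requests would receive 403:")
    for ip, ref in blocked:
        print(f"  {ip}  {ref}")
```

Note the last sample line: because the pattern is unanchored, a referrer from notoffendingdomain1.com is rejected too. If that is not what you want, anchor the pattern on a host boundary, for example `^https?://([^/]+\.)?offendingdomain1\.com/`, and re-run the preview.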

Deny or Allow Domain Access for a Specified IP Address Range

There are several effective ways to block a range of IP addresses via .htaccess. This first method blocks an IP range specified in CIDR (Classless Inter-Domain Routing) notation. This method is useful for blocking mega-spammers such as RIPE, Optinet, and many others. If, for example, you find yourself adding line after line of Apache deny directives for addresses beginning with the same first few numbers, choose one of them and try a whois lookup. Listed within the whois results will be the CIDR value representing every IP address associated with that particular network. Blocking by CIDR is therefore an efficient way to keep every address of the offender's network from accessing your site. Here is a generalized example for blocking by CIDR (edit values to suit your needs):

# block IP range by CIDR number
<Files *>
order allow,deny
allow from all
deny from 10.1.0.0/16
deny from 80.0.0.0/8
</Files>

Conversely, to allow an IP range by CIDR number:

# allow IP range by CIDR number
<Files *>
order deny,allow
deny from all
allow from 10.1.0.0/16
allow from 80.0.0.0/8
</Files>
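The two Order forms used throughout this post (allow-all-except and deny-all-except, with single addresses or CIDR ranges) are easy to get backwards, and a typo such as a three-octet network silently breaks the whole block. The following evaluator is an added example, not code from the original post: it parses Order/Allow/Deny lines, reproduces the documented semantics of the Order directive for address and CIDR entries, and counts how many addresses the Deny ranges cover so that an over-broad ban is caught before it goes live. The rule sets embedded in it are constructed copies of the CIDR examples above; hostname entries such as `deny from domain.com` are outside its scope.

```python
"""Evaluate Apache 2.2-style Order/Allow/Deny rules against a visitor address.

Added example (not code from the original post). It reproduces the
documented Order semantics so the patterns above can be checked offline:
  order allow,deny -> Allow list first; a matching Deny overrides it;
                      an address matching neither is denied
  order deny,allow -> Deny list first; a matching Allow overrides it;
                      an address matching neither is allowed
Only IP addresses and CIDR ranges are matched; hostname entries such as
'deny from domain.com' are not handled here.
"""
import ipaddress

# Constructed rule sets mirroring the CIDR examples in the post.
BLOCK_RANGES = """
order allow,deny
allow from all
deny from 10.1.0.0/16
deny from 80.0.0.0/8
"""

ALLOW_RANGES = """
order deny,allow
deny from all
allow from 10.1.0.0/16
allow from 80.0.0.0/8
"""


def parse_target(item):
    """Turn one Allow/Deny argument into 'all' or an ip_network."""
    if item.lower() == "all":
        return "all"
    # strict=False accepts host bits inside the range (e.g. 10.1.5.0/16);
    # a malformed entry such as '80.0.0/8' still raises ValueError.
    return ipaddress.ip_network(item, strict=False)


def parse_rules(text):
    """Return (order, allow_targets, deny_targets) from directive lines."""
    order, allow, deny = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1].lower()
            if order not in ("allow,deny", "deny,allow"):
                raise ValueError(f"unsupported order: {order}")
        elif directive in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            targets = allow if directive == "allow" else deny
            targets.extend(parse_target(p) for p in parts[2:])
        else:
            raise ValueError(f"unrecognised line: {line}")
    if order is None:
        raise ValueError("missing Order directive")
    return order, allow, deny


def matches(targets, ip):
    """True if ip is covered by 'all' or by any network in targets."""
    return any(t == "all" or ip in t for t in targets)


def is_allowed(rules_text, ip_str):
    """True if the visitor at ip_str would pass the access rules."""
    order, allow, deny = parse_rules(rules_text)
    ip = ipaddress.ip_address(ip_str)
    allowed, denied = matches(allow, ip), matches(deny, ip)
    if order == "allow,deny":
        return allowed and not denied
    return allowed or not denied


def denied_address_count(rules_text):
    """Number of addresses the Deny ranges cover; a sanity check before
    banning a block, since a single /8 is over 16 million addresses."""
    _, _, deny = parse_rules(rules_text)
    return sum(t.num_addresses for t in deny if t != "all")


if __name__ == "__main__":
    for ip in ("10.1.200.7", "80.12.0.1", "192.0.2.10"):
        print(ip, "allowed" if is_allowed(BLOCK_RANGES, ip) else "denied")
    print("addresses covered by Deny:", denied_address_count(BLOCK_RANGES))
```

Paste the Order/Allow/Deny lines from your own .htaccess into a string and call is_allowed with a known-good visitor address and a known-bad one; if the bad one is allowed, the Order is almost certainly the wrong way round. Note that on Apache 2.4 these directives come from mod_access_compat, and the Require directive (for example `Require not ip 10.1.0.0/16`) is the current way to express the same rules.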

Note: It is recommended that you use <Files *> instead of <Limit GET POST PUT>. According to an expert on this matter:

I would suggest a <Files *> container, rather than a <Limit> container, unless it is your intent to allow these unwelcome user-agents to make PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK requests to your site.

If it is your intent to allow these other methods, then <Limit GET POST> is sufficient.

Well, that’s all for now. If you have questions, or you need more advanced security measures on your site, feel free to contact me.

Tags:
ip ban | .htaccess | htaccess | webgeek
