.Htaccess IP Banning – Block Bad Visitors

by Scott Allen - December 21, 2006 
Filed Under .htaccess, Bad Bots, Website Security

Increase your web site’s security by blocking bad visitors with .htaccess. If you have nuisance visitors, site scrapers, or spammers, you can add a few lines to your .htaccess file that block them by IP address or by blocks of IP addresses. Be careful not to ban blocks of IPs carelessly, though, or you may end up banning potential customers or other valid site visitors. Also, nothing is completely foolproof, since the user can always switch to another IP address, but I’ve found that this does reduce the number of troublesome incidents.

Secure Directories by IP Address and/or Domain

In the following example, everyone is allowed except the one IP address and the one domain listed. The address 192.0.2.1 and domain.com are placeholders; a domain operand has to be a plain (partial) host name, not a regular expression, and it only matches when Apache reverse-resolves the visitor’s address, which costs a DNS lookup on every request:

# allow all except those indicated here
<Files *>
order allow,deny
allow from all
deny from 192.0.2.1
deny from domain.com
</Files>

In the following example, all IP addresses are denied access except for 192.0.2.1 and domain.com:

# deny all except those indicated here
<Files *>
order deny,allow
deny from all
allow from 192.0.2.1
allow from domain.com
</Files>

This is how to block unwanted visitors based on the referring domain. Simply replace "offendingdomain1" and "offendingdomain2" with the offending domains of your choice. Each RewriteCond pattern is a regular expression matched anywhere in the Referer header: [NC] makes the match case-insensitive, [OR] joins the two conditions, and [F] answers a matching request with 403 Forbidden. Keep in mind that the Referer header is supplied by the client, so this deters careless scrapers rather than determined ones, and visitors who arrive without a referrer (typed URL, bookmark) are never affected:

# block visitors referred from indicated domains
# (requires mod_rewrite; [F] returns 403 Forbidden)
RewriteEngine on
RewriteCond %{HTTP_REFERER} offendingdomain1\.com [NC,OR]
RewriteCond %{HTTP_REFERER} offendingdomain2\.com [NC]
RewriteRule .* - [F]
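As an added check (example code, not part of the original post), the following Python script dry-runs the two RewriteCond patterns against constructed Referer values the way mod_rewrite evaluates them: an unanchored regex search, case-insensitive for [NC], chained with OR. It also shows a host-anchored pattern that avoids blocking a legitimate page whose path merely mentions the spammer’s domain. The domain names are the post’s placeholders, and Python’s re module stands in for the PCRE engine Apache uses; the two agree on these patterns.

```python
"""Dry-run the post's referer-blocking RewriteCond patterns against Referer values.

Added example, not code from the original post. mod_rewrite tests each
RewriteCond pattern as an unanchored regular expression against the header;
[NC] makes the match case-insensitive and [OR] joins conditions with OR
instead of the default AND. Any match triggers the RewriteRule's [F] (403).
Python's re module stands in for Apache's PCRE engine; they agree here.
"""
import re

# The post's two patterns; the domain names are placeholders.
PAGE_PATTERNS = [r"offendingdomain1\.com", r"offendingdomain2\.com"]


def host_anchored(domain):
    """Pattern that fires only when `domain` (or a subdomain of it) is the Referer host."""
    return r"^https?://([^/]+\.)?" + re.escape(domain) + r"(:\d+)?(/|$)"


STRICT_PATTERNS = [host_anchored("offendingdomain1.com"),
                   host_anchored("offendingdomain2.com")]


def is_blocked_referer(referer, patterns=PAGE_PATTERNS):
    """True when the Referer matches any pattern.

    re.search is unanchored like mod_rewrite, re.IGNORECASE mirrors [NC],
    and any() mirrors the [OR] chain between the conditions.
    """
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)


# Constructed Referer values: a plain hit, a mixed-case hit, a direct visit
# (empty header), and a legitimate page whose path merely mentions the domain.
SAMPLE_REFERERS = [
    "http://offendingdomain1.com/links.html",
    "http://WWW.OFFENDINGDOMAIN2.COM/",
    "",
    "https://www.example.com/forum/why-offendingdomain1.com-spams-you",
]


def triage(referers, patterns=PAGE_PATTERNS):
    """Map each Referer to the HTTP status the rule set would produce."""
    return {r: (403 if is_blocked_referer(r, patterns) else 200) for r in referers}


if __name__ == "__main__":
    print("post's unanchored patterns:")
    for ref, status in triage(SAMPLE_REFERERS).items():
        print(" ", status, repr(ref))
    print("host-anchored patterns:")
    for ref, status in triage(SAMPLE_REFERERS, STRICT_PATTERNS).items():
        print(" ", status, repr(ref))
```

Run it as is: with the post’s patterns the forum page is blocked because the domain string appears in its path; the anchored patterns keep that page while still catching the spammer’s host in any case and with any subdomain. If you adopt the anchored form in .htaccess, remember that mod_rewrite needs the backslashes as written and that the empty Referer of a direct visit never matches either form.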

Deny or Allow Domain Access for a Specified IP Address Range

There are several effective ways to block a range of IP addresses via .htaccess. This first method blocks a range written in CIDR (Classless Inter-Domain Routing) notation, which is useful against spammers that operate from an entire netblock. If, for example, you find yourself adding line after line of Apache deny directives for addresses that begin with the same first few numbers, pick one of them and run a whois lookup. The record returned by the regional registry (ARIN, RIPE NCC, and so on) lists the network range that address belongs to, often already in CIDR form, so one directive for that range keeps every address the offender controls out of your site. Read the record before you act on it, though: the range may belong to a hosting provider or ISP whose other customers are perfectly legitimate visitors. Here is a generalized example for blocking by CIDR (the ranges are placeholders; edit them to suit your needs):

# block IP range by CIDR number (ranges are placeholders)
<Files *>
order allow,deny
allow from all
deny from 10.1.0.0/16
deny from 80.0.0.0/8
</Files>

Conversely, to allow an IP range by CIDR number:

# allow IP range by CIDR number (ranges are placeholders)
<Files *>
order deny,allow
deny from all
allow from 10.1.0.0/16
allow from 80.0.0.0/8
</Files>
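Before deploying either stanza, it pays to know which of your real visitors it would reject, and the Order directive has semantics that trip people up: with "Order allow,deny" the Allow list is checked first and a client matching neither list (or both) is rejected; with "Order deny,allow" the Deny list is checked first and a client matching neither (or both) is admitted. The following Python script is an added example, not code from the original post, that models those rules for "all", full IPv4 addresses, partial addresses such as 10.1, and CIDR ranges, and runs them over constructed access-log lines; hostname operands (which need reverse DNS) are not modelled, and the log lines and ranges are made up for the demonstration.

```python
"""Dry-run Apache 2.2 Order/Allow/Deny rules against access-log client IPs.

Added example, not code from the original post. It models mod_authz_host
evaluation so a deny list can be tested against real traffic before it is
deployed. Rule operands handled: "all", a full IPv4 address, a partial
address such as "10.1" (octet prefix), and CIDR such as "10.1.0.0/16".
Hostname operands ("domain.com"), which need reverse DNS, are not modelled.
"""
import ipaddress


def rule_matches(rule, client_ip):
    """True if one Allow/Deny operand matches the client address."""
    if rule == "all":
        return True
    if "/" in rule:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    octets = rule.split(".")
    if len(octets) < 4:
        # Partial address: "10.1" matches every client in 10.1.0.0/16.
        return client_ip.split(".")[: len(octets)] == octets
    return ipaddress.ip_address(client_ip) == ipaddress.ip_address(rule)


def decide(order, allow, deny, client_ip):
    """Return True if the client is admitted under the given Order."""
    allowed = any(rule_matches(r, client_ip) for r in allow)
    denied = any(rule_matches(r, client_ip) for r in deny)
    if order == "allow,deny":
        # Allow list first, then Deny; no match and Allow+Deny both reject.
        return allowed and not denied
    if order == "deny,allow":
        # Deny list first, then Allow; no match and Allow+Deny both admit.
        return allowed or not denied
    raise ValueError("Order must be allow,deny or deny,allow")


# Constructed access-log lines in common log format, not real traffic.
SAMPLE_LOG = """\
10.1.44.7 - - [21/Dec/2006:10:00:01 -0500] "GET /index.html HTTP/1.1" 200 5120
192.0.2.55 - - [21/Dec/2006:10:00:02 -0500] "GET /contact.html HTTP/1.1" 200 2048
80.200.1.9 - - [21/Dec/2006:10:00:03 -0500] "POST /comment.php HTTP/1.1" 200 64
198.51.100.23 - - [21/Dec/2006:10:00:04 -0500] "GET /robots.txt HTTP/1.1" 200 120
"""


def client_ips(log_text):
    """The first field of each common-log-format line is the client address."""
    return [line.split()[0] for line in log_text.splitlines() if line.strip()]


def blocked_clients(order, allow, deny, log_text):
    """Client addresses in the log that the rule set would reject, in log order."""
    return [ip for ip in client_ips(log_text) if not decide(order, allow, deny, ip)]


if __name__ == "__main__":
    # The post's "block IP range by CIDR" stanza: allow all, deny two ranges.
    print(blocked_clients("allow,deny", ["all"], ["10.1.0.0/16", "80.0.0.0/8"], SAMPLE_LOG))
    # The post's "allow IP range by CIDR" stanza: deny all, allow two ranges.
    print(blocked_clients("deny,allow", ["10.1.0.0/16", "80.0.0.0/8"], ["all"], SAMPLE_LOG))
    # Trap: "Order deny,allow" with "Allow from all" admits even a denied range.
    print(decide("deny,allow", ["all"], ["10.1.0.0/16"], "10.1.44.7"))
```

The last line of the demonstration is the mistake to watch for: swapping the Order while keeping "allow from all" silently turns a blocklist into an allow-everything rule, which is why the two stanzas above pair "allow,deny" with "allow from all" and "deny,allow" with "deny from all". On Apache 2.4 the Order/Allow/Deny directives are deprecated; the blocklist becomes a `<RequireAll>` block containing `Require all granted` and `Require not ip 10.1.0.0/16 80.0.0.0/8`, and the allowlist is simply `Require ip 10.1.0.0/16 80.0.0.0/8`.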

Note: use a <Files *> container rather than <Limit GET POST PUT>. A <Limit> container applies the access rules only to the HTTP methods it names, leaving every other method unrestricted. According to an expert on this matter:

I would suggest a <Files *> container, rather than a <Limit> container, unless it is your intent to allow these unwelcome user-agents to make PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK requests to your site.

If it is your intent to allow these other methods, then <Limit GET POST> is sufficient.

Well, that’s all for now. If you have questions, or you need more advanced security measures on your site, feel free to contact me.






Comments

8 Responses to “.Htaccess IP Banning – Block Bad Visitors”

  1. Ban SMBot. Specific Media is Data-Mining Your Site! | WebGeek on January 5th, 2007 5:00 pm

    [...] .htaccess technique will also work to to block other bad visitors to your web site. Feel free to [...]

  2. Cyber-Surveillance and Internet Data-Mining | WebGeek on January 8th, 2007 6:30 pm

    [...] .Htaccess IP Banning – Block Bad Visitors [...]

  3. .Htaccess Reference | WebGeek on February 7th, 2007 8:15 am

    [...] Guide to Blocking Bad Visitors with .htaccess [...]

  4. OpenISearch is Even Worse Than SMBot | WebGeek on February 12th, 2007 2:30 pm

    [...] This .htaccess technique will also work to to block other bad visitors to your web site. [...]

  5. How to block a range of IPs from spamming your church website » Heal Your Church WebSite on February 14th, 2008 10:55 am

    [...] WebGeek: .Htaccess IP Banning – Block Bad Visitors [...]

  6. jeaphi on April 3rd, 2008 2:19 pm

    The last line does not have OR:
    offendingdomain2\.com [NC]

    Or you can send them somewhere else, maybe forever:
    # Who knows?
    RewriteRule .* send/them/to/hell.php [L]

    jeaphi

  7. Scott Allen on April 3rd, 2008 2:30 pm

    Jeaphi, good catch! Thanks. I just updated the post to reflect that. True, that’s another option you could use if you’re feeling creative. :)

  8. Shpilke on September 11th, 2008 12:51 pm

    Hi, besides changing IP address how could some one overcome a ban from a website ending with ORG?
