Using a blog to manage a website’s content is a flexible and affordable solution more and more churches are employing to effectively present their message online. There is however one drawback – some of the open source blogging solutions used as content management on the cheap also tend to attract attention from ne’er-do-wells who attack the comment and content functions of applications such as WordPress and MovableType with robotic floods of advertisements offering anything from enlarging various appendages to curing male baldness, all while losing your life’s savings playing poker online.
What’s worse is that many of these attacks these days come from servers in countries where you have absolutely no legal, let alone social, recourse to stop said attacks. Take for example a recent slam of attacks on a new dedicated server I’ve been working on – all of which failed due to recent preventative security endeavors – but all incoming from a block of related IP addresses from a server in China, all of whose addresses had 218.25.161… in common.
And while these unwanted advances were successfully thwarted by various server hardening practices – the best way to avoid trouble from said attacker is to just deny access to anything on the server by denying the range of IP addresses indicated in my security logs.
With that in mind, I thought I’d share two approaches to blocking a range of IP addresses: one at the firewall level – the path I prefer on dedicated servers – and the other via the .htaccess file, which is employed on sites hosted on a shared server.
Using APF firewall, I simply create an entry that defines the block – in this case:
In the .htaccess file:
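<Limit GET HEAD POST>
# allow is evaluated first, then deny, so the deny below overrides "allow from all"
order allow,deny
deny from 218.25.161
allow from all
</Limit>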
Both implementations block IP addresses from 126.96.36.199 through 188.8.131.52. But what happens if I only want to block a smaller set of addresses, like those coming from someone abusing their DSL service, whose dynamically assigned IPs may only span 184.108.40.206 through 220.127.116.11?
That becomes trickier as it requires both a knowledge of ‘CIDR notation’ and the bit mapping that goes along with it. Which is why I recommend instead using this nifty little online tool from Mikero.com: an easy-to-use service which performs all the bit-blasting, while also “aligning” the range so it can be expressed in correct CIDR notation.
Or in layman’s terms, I add the following generated range to my firewall:
Or where no such firewall access is available, the following line in my .htaccess file:
deny from 18.104.22.168/25
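What a range-to-CIDR calculator does, as an added Python example (not code from the original post or from the Mikero.com tool): it splits a first/last address pair into exact CIDR blocks, shows the single "aligned" block that would over-block, and refuses to emit deny lines that cover your own admin address. The 203.0.113.x and 198.51.100.x addresses are constructed documentation values, and the function names are assumptions.

```python
import ipaddress

def exact_cidrs(first, last):
    """Minimal list of CIDR blocks covering exactly first..last (inclusive)."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if a > b:
        raise ValueError("first address must not be above last address")
    return list(ipaddress.summarize_address_range(a, b))

def aligned_cidr(first, last):
    """Smallest single aligned block containing first..last; may over-block."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if a > b:
        raise ValueError("first address must not be above last address")
    # Bits in which the two ends differ must become host bits of the block.
    host_bits = (int(a) ^ int(b)).bit_length()
    return ipaddress.IPv4Network((int(a), 32 - host_bits), strict=False)

def deny_lines(networks, admin_ip):
    """Render .htaccess 'deny from' lines; fail if admin_ip would be blocked."""
    admin = ipaddress.IPv4Address(admin_ip)
    lines = []
    for net in networks:
        if admin in net:
            raise ValueError(f"{net} contains your own address {admin}")
        # A /32 is a single host, so write it as a plain address.
        target = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f"deny from {target}")
    return lines

if __name__ == "__main__":
    # Constructed sample: an unaligned range seen in a (hypothetical) log.
    first, last = "203.0.113.10", "203.0.113.100"
    exact = exact_cidrs(first, last)
    wide = aligned_cidr(first, last)
    wanted = sum(n.num_addresses for n in exact)
    print(f"exact cover: {len(exact)} blocks, {wanted} addresses")
    print(f"aligned cover: {wide}, over-blocks {wide.num_addresses - wanted}")
    print("\n".join(deny_lines(exact, admin_ip="198.51.100.7")))
```

The exact list blocks only the offending addresses at the cost of more rules; the single aligned block is shorter but also denies neighbours that never appeared in the logs.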
Below are some tools and links on the topic of how to block a range of IP addresses if you want to dig into it a bit further.
Pre-fabricated blacklists to block IP addresses of entire countries:
- WizCraft – Server .htaccess Blocklists for exploited servers (e.g. Russia and China)
- Block a country.com – block by ip address, deny access by country
A bit more on .htaccess and mod_access:
- Apache Project: Module mod_access (v. 1.3) – allow
- ClockWatchers.com – .htaccess Tutorial how to block an IP address
Just remember to keep good backups of whatever files you’re working on – and try not to lock yourself out while experimenting with changes!