Heal Your Church WebSite


Teaching, rebuking, correcting & training in righteous web design.

How to block a range of IPs from spamming your church website

Using a blog to manage a website’s content is a flexible and affordable solution more and more churches are employing to effectively present their message online. There is however one drawback: some of the open source blogging solutions used as content management on the cheap also tend to attract attention from ne’er-do-wells who attack the comment and content functions of applications such as WordPress and MovableType with robotic floods of advertisements offering anything from enlarging various appendages to curing male baldness, all while losing your life’s savings playing poker online.

What’s worse is that many of these attacks these days come from servers in countries where you have absolutely no legal, let alone social, recourse to stop them. Take for example a recent slam of attacks on a new dedicated server I’ve been working on, all of which failed due to recent preventative security endeavors, but all incoming from a block of related IP addresses from a server in China, all of whose addresses had 218.25.161… in common.

And while these unwanted advances were successfully thwarted by the server hardening practices already in place, the best way to avoid further trouble from said attacker is to deny access to anything on the server by blocking the range of IP addresses indicated in my security logs.

With that in mind, I thought I’d share two approaches to blocking a range of IP addresses. One solution works at the firewall level, the path I prefer on dedicated servers; the other blocks IP ranges via the .htaccess file, which is the approach employed on sites hosted on a shared server.

Using APF firewall, I simply create an entry that defines the block – in this case:

218.25.161.0/24

In the .htaccess file:

<Limit GET HEAD POST>
order allow,deny
deny from 218.25.161
allow from all
</Limit>

Both implementations block IP addresses from 218.25.161.0 through 218.25.161.255. But what happens if I only want to block a smaller set of addresses? For example, someone abusing their DSL service whose dynamically assigned IPs may only fall in the range 216.12.201.150 through 216.12.201.200.

That becomes trickier, as it requires both a knowledge of ‘CIDR notation’ and the bit mapping that goes along with it. Which is why I recommend instead using this nifty little online tool from Mikero.com, an easy-to-use service which performs all the bit-blasting, while also “aligning” the range so it can be expressed in correct CIDR notation.

Or in layman’s terms, I add the following generated range to my firewall:

216.12.201.128/25

Or where no such firewall access is available, the following line in my .htaccess file:

deny from 216.12.201.128/25
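The bit mapping the online tool hides is not hard to do yourself, and it helps to see what “aligning” a range actually costs. The Python below is an added example, not code from this post or from the Mikero.com tool: it computes the exact set of CIDR blocks covering 216.12.201.150 through 216.12.201.200, the single aligned block the tool produces, and how many extra addresses that aligned block denies. It also includes a hypothetical helper, parse_deny_rule, that interprets a `deny from` argument the way Apache’s mod_access does (a partial address such as 218.25.161 meaning 218.25.161.0/24, or a full CIDR), so you can check which visitors a rule will actually block before you lock anyone out. The two ranges used as input are the ones from the post above.

```python
import ipaddress

# Constructed sample input: the two ranges mentioned in the post.
DSL_ABUSER = ("216.12.201.150", "216.12.201.200")   # awkward, unaligned range
CHINA_BLOCK = ("218.25.161.0", "218.25.161.255")    # a whole /24


def exact_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last and nothing else.
    Python's ipaddress module does the bit-boundary work for us."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def aligned_cidr(first, last):
    """One CIDR block that contains first..last: the range 'aligned' out to
    the nearest block boundary, as the online calculator does. The block is
    the longest prefix the two endpoints share, so it may be wider than asked."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    prefix = 32
    while prefix > 0 and (start >> (32 - prefix)) != (end >> (32 - prefix)):
        prefix -= 1
    return str(ipaddress.IPv4Network((start, prefix), strict=False))


def overblocked(first, last):
    """How many addresses outside first..last the aligned block also denies."""
    net = ipaddress.IPv4Network(aligned_cidr(first, last))
    wanted = int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1
    return net.num_addresses - wanted


def parse_deny_rule(arg):
    """Interpret the argument of an Apache 'deny from ARG' line (hypothetical
    helper, not Apache code). Accepts full CIDR ('216.12.201.128/25') and the
    partial-address form the post uses ('218.25.161' means 218.25.161.0/24)."""
    if "/" in arg:
        return ipaddress.IPv4Network(arg, strict=False)
    octets = arg.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IP address or prefix: {arg!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{8 * len(octets)}")


def is_denied(ip, deny_rules):
    """True if ip matches any 'deny from' rule under 'order allow,deny' + 'allow from all'."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in parse_deny_rule(rule) for rule in deny_rules)


if __name__ == "__main__":
    print("exact cover :", exact_cidrs(*DSL_ABUSER))
    print("aligned     :", aligned_cidr(*DSL_ABUSER),
          "over-blocks", overblocked(*DSL_ABUSER), "addresses")
    print("whole /24   :", aligned_cidr(*CHINA_BLOCK))
    for ip in ("216.12.201.130", "216.12.201.175", "216.12.201.100"):
        print(ip, "denied by aligned rule:", is_denied(ip, [aligned_cidr(*DSL_ABUSER)]),
              "| by exact rules:", is_denied(ip, exact_cidrs(*DSL_ABUSER)))
```

Run as-is it shows the trade-off: the aligned block 216.12.201.128/25 is one tidy rule, but it covers .128 through .255, 77 addresses that were never in the abuser’s range, while the exact cover needs five `deny from` lines (150/31, 152/29, 160/27, 192/29 and 200/32). Both forms are accepted by APF and by mod_access, so pick the one that matches how much collateral blocking you can live with.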

Below are some tools and links on the topic of how to block a range of IP addresses if you want to dig into it a bit further.

Online tools to calculate an IP address range (CIDR):

Online tools to check/verify your CIDR notation:

Tutorials on blocking IP addresses and CIDR subnet masks:

Pre-fabricated blacklists to block IP addresses of entire countries:

A bit more on .htaccess and mod_access:

Just remember to keep good backups of whatever files you’re working on – and try not to lock yourself out while experimenting with changes!

One Comment

  1. Howdie,

    This is something we have had to do a substantial amount over at http://www.ChristianBlog.Com (I am the founder/owner) over the last few years in order to help protect our members, our service, and our equipment.

    I thought I would share how we have our .htaccess file setup, as some of what is shared in this blog we already do, as well as some things we’ve had to learn along the way. :)

    This first bit of code is for when somebody is linking to your website and you do NOT want anybody from that website being able to access your website — yes, there ARE times when you want this! We had to do this at ChristianBlog.Com when an anti-Christian website decided to target us. Rather than simply allowing them to click through to our website, we simply redirected them back to the website they came from :-p

    #
    # Send Some People In Another Direction
    # first line is where they come from (the referrer), second line is where to send them...
    #
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^http://.*some-bad-website.*$ [NC]
    RewriteRule .* http://www.redirect-to-website.com/ [R,L]
    #

    This second bit of code does the same thing, only via IP address, rather than referral URL — we had to do this when we had somebody attempt to attack our website; server logs easily showed their IP address, and simply adding this froze them in their tracks.

    #
    # Same idea, keyed on the visitor's IP address instead of the referrer.
    # Dots are escaped and the pattern anchored at the start so it matches
    # only 65.254.254.x, not e.g. 165.254.254.x
    #
    RewriteCond %{REMOTE_ADDR} ^65\.254\.254\.
    RewriteRule .* http://www.yahoo.com/ [R,L]
    #

    This third block of code can help people from abusing your RSS feeds. We needed to do this when we had another website importing our RSS Feed into their own website, and they refused to heed our requests to not hit our servers with new requests every one minute. So, after emailing them, and them refusing, we simply denied them access to our RSS Feeds via this method.

    (note: it does not always work if the person is using a third-party service for their RSS reading)

    #
    # Block bad hosts from accessing feeds...
    # This code will block the host at xxx.xxx.xxx.xxx from accessing your feeds.
    # Simply add a new section per host and access will be denied.
    #
    # acquire ip-address from: http://www.hcidata.co.uk/host2ip.htm
    #
    # return 403 Forbidden when a specific IP requests the feed pages.
    # REMOTE_ADDR is always the IP; REMOTE_HOST may be a hostname when
    # HostnameLookups is on, so match on REMOTE_ADDR and anchor the pattern.
    #
    RewriteCond %{REMOTE_ADDR} ^65\.254\.240\.106$
    RewriteCond %{REQUEST_URI} /rss\.(php|xml)$
    RewriteRule .* - [F]
    #

    This next bit of code does exactly the same thing as above, only it is based off of a referral URL rather than an IP address.

    #
    # Forbid feed requests whose referrer is the bad website (either page in one rule)
    #
    RewriteCond %{HTTP_REFERER} ^http://(www\.)?bad-website\.com/.*$ [NC]
    RewriteCond %{REQUEST_URI} /rss\.(php|xml)$
    RewriteRule .* - [F]
    #

    And lastly, we have our standard IP-address ban — which was explained within this Blog.

    #
    # USER IP BANNING
    #
    order allow,deny
    deny from 71.115.98.22
    deny from 84.65.102.161
    deny from 60.0.131.186
    deny from 117.102.57.207
    deny from 74.65.177.2
    deny from 204.111.32.1
    deny from 204.111.35.7
    deny from 61.2.213.110
    deny from 66.15.242.172
    deny from 76.172.240.91
    deny from 75.69.229.13
    allow from all
    #

    Now, we also run a couple of other systems at ChristianBlog.Com to prevent abuse… including SQL-based IP address restrictions, and other standard server protection methods. But, the majority of the time, a well-written .htaccess file can stop most people from abusing your website.

    Hope this helps somebody out there!

    John B. Abela