Blocking IP addresses


#1

Is there a way to block a certain IP address from accessing your domain?


#2

Yes. You can do it using an .htaccess file:

http://wiki.dreamhost.com/KB_/Unix/_.htaccess_files#Deny.2FAllow_Certain_IP_Addresses

–rlparker


#3

Indeed there is. If you don’t already have one, create an .htaccess in your domain folder. You can block access to specific IP addresses by adding the following line:

deny from xxx.xxx.xxx.xxx

You can have as many of these as you like, but bear in mind that IP addresses often change and they can sometimes be shared by thousands of users; therefore, you may wish to review the blocks after a certain period of time has passed.

si-blog


#4

Thank you for the reply.

Pardon all the questions, but the only .htaccess file I have created is just for password-protecting a subfolder. I’m not sure where to put the ‘deny from [IP address]’ line. I looked at the wiki, but the how-to looked really complicated for creating a .htaccess file on a Mac. Is there a simple way to create one?


#5

Thank you for the reply.

Does creating a .htaccess file on Windows work the same as on a Mac? The Wiki article said to just open a text editing program and copy that line of text in there and upload it to the domain. Am I understanding that correctly?


#6

Yep. That’s about all there is to it! :wink:

–rlparker


#7

You can use any text editor to create the file (on any operating system). You must save the file as .htaccess (a period followed by “htaccess”). Some text editors automatically append .txt to the end of the filename, which would stop the file from working. You can always upload the file in that state and then rename it to the correct filename. Bear in mind that your FTP client may “hide” this type of file from a directory listing.

si-blog


#8

Thanks for all the help! :slight_smile:


#9

Thanks! I just uploaded it and renamed the file to .htaccess. It doesn’t matter if there was already another .htaccess file there to begin with, does it? I have one there from when I password-protected the domain.


#10

Yikes! Yes, it does matter, very much, that there is already an .htaccess file there!

As you can only have one .htaccess file in any directory, if you do that, the “new” one will “overwrite” the other one. In this case, that will “disable” your .htaccess based password protection.

Not to worry, there are (at least) two ways you can deal with this problem:

  1. You can combine the contents of the two .htaccess files into a single .htaccess file

  2. Since your first .htaccess file was designed to provide password protection for a directory, you can leave it in the directory you want protected (assuming that it is a subdirectory of your main site - as in yourdomain.tld/private) and place the .htaccess file that denies access to given IP addresses in the directory above that one (as in yourdomain.tld). That way, the .htaccess file in the subdirectory will provide password protection for the directory it is in, while the .htaccess file in the parent directory will prevent access to the whole site from those IP addresses.

–rlparker
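
A combined file along the lines of option 1 above, as an added example that is not from the thread or from the DreamHost wiki. The IP address (a documentation-range address), the AuthName text and the AuthUserFile path are placeholders chosen for illustration.

```apache
# Combined .htaccess for the site root: IP block plus password protection.
# Assumed values (not from the thread): 203.0.113.45 is a documentation
# address, and the AuthName / AuthUserFile values are placeholders.

# --- IP block, Apache 2.2 syntax as used in this thread ---
# "Order Allow,Deny" evaluates the Allow lines first, then the Deny lines;
# a request matching a Deny line is rejected even though it also matched
# "Allow from all". Without any matching Allow line, everyone is rejected.
Order Allow,Deny
Allow from all
Deny from 203.0.113.45

# --- Password protection (HTTP Basic auth) ---
AuthType Basic
AuthName "Restricted"
AuthUserFile /path/to/.htpasswd
Require valid-user

# Both the address check and the password check must pass. This is the
# default, written out so that nobody later changes it to "Satisfy Any",
# which would let every non-blocked address in without a password.
Satisfy All

# --- Apache 2.4 equivalent ---
# Keep the three Auth* lines, and replace the Order/Allow/Deny,
# "Require valid-user" and Satisfy lines with the block below.
# Do not mix the two styles in one file.
# <RequireAll>
#     Require valid-user
#     Require not ip 203.0.113.45
# </RequireAll>
```

After uploading, request a protected page from a non-blocked address and confirm the password prompt still appears; that shows the merged file kept both protections.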


#11

Thank you! I got it sorted out. :slight_smile:


#12

You’re welcome, and congratulations! I’m really glad you have it working! :slight_smile:

–rlparker


#13

Me too! It’s a huge weight off of my shoulders. Thanks again. :slight_smile:


#14

When I try adding “deny xx.xxx.xxx.xxx” to my .htaccess file then my WordPress blog gets messed up (photos don’t appear - dashboard graphics are different). I’ve tried placing the “deny” code before and after the WP code to no avail. Here is the WP code:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

This file is in my root directory (the folder that has my website name on it). I’ve tried placing an htaccess file with just the “deny” code in the directory above also to no avail.


#15

Put it above or below, but you can’t just add deny xxx.xxx.xxx.xxx

You need at least:

order allow,deny
deny from x.x.x.x
allow from all

#16

Thanks Bobocat. I should have mentioned that I had already tried that. I contacted support at DH and was told:

You will want to add the following to the very top of the .htaccess file:

order deny,allow
deny from 1.1.1.1

But I was also told that I don’t need to block any addresses so all’s well for now.


#17

May I suggest:
A) Rename all subdirs and files with “admin” in the name. wp-admin, login, password, user, etc to: nancy, jane, fido, spot… idehgsi33

In .htaccess

RewriteCond %{REQUEST_URI} wp-admin [NC]
RewriteRule ^(.*)$ hacker.php?url=%{HTTP_HOST}%{REQUEST_URI} [R,L]
(wp-admin and password and user and several other keywords)

Then write a hacker.php script that adds ‘deny from $IP’ to your htaccess file. That way the hacker gets 1 shot then they’re “deny’ed”. You’ll be happy to see the way your htaccess file grows.


#18

And makes your site slower, and slower, and slower.

There’s no real increase in security through obscurity here. In fact, it’s probably worse. Instead of knowing which files need to be protected, you need to remember a whole kennel-full of random names when implementing your security features. The likelihood of forgetting one is probably higher in the renaming case.