Latest TweetsPlanning some big things for #2020 :)
Perishable Press

How to Block IPs with 6G Firewall

This quick post is aimed at users of the 6G Firewall. The latest 6G update removes the IP-address blocking section to improve firewall compatibility and implementation. So now with the IP section removed, you may be asking “how to block an IP address with 6G?” Well good news, this tutorial explains how to do it.

Required: For this tutorial, you will need to know which version of Apache you are using. If in doubt, ask your web host.

How to deny access based on IP address

First make sure you are running the latest version of the 6G Firewall. Also make sure that you understand the pros and cons of blocking IPs.

Next, locate the 6G:[USER AGENTS] section in the 6G Firewall. There, you will find two sections of code, one for older versions of Apache, and another for newer versions of Apache:

Older Apache

# Apache < 2.3
<IfModule !mod_authz_core.c>
	Order Allow,Deny
	Allow from all
	Deny from env=bad_bot
</IfModule>

Newer Apache

# Apache >= 2.3
<IfModule mod_authz_core.c>
	<RequireAll>
		Require all Granted
		Require not env bad_bot
	</RequireAll>
</IfModule>

To block an IP address, you want to make sure that you are editing the correct section. You don’t need to edit both sections, only the one that matches your Apache version. Once you’ve determined which section to edit, skip ahead to one of the following:

Again, you don’t need to edit/modify both sets of rules. Only the one that matches your Apache version.

Apache < 2.3

Continue here if you are running Apache version < 2.3. To block/deny an IP address, add the following line:

Deny from 123.456.789

..to this code block:

# Apache < 2.3
<IfModule !mod_authz_core.c>
	Order Allow,Deny
	Allow from all
	Deny from env=bad_bot
</IfModule>

Here is how it will look when added:

# Apache < 2.3
<IfModule !mod_authz_core.c>
	Order Allow,Deny
	Allow from all
	Deny from env=bad_bot
	Deny from 123.456.789
</IfModule>

Notice the line added after the bad_bot rule. That is all that needs to be done. Here is an example showing how to block five imaginary IPs:

# Apache < 2.3
<IfModule !mod_authz_core.c>
	Order Allow,Deny
	Allow from all
	Deny from env=bad_bot
	Deny from 123.456.789
	Deny from 456.789.123
	Deny from 789.123.456
	Deny from 000.111.222
	Deny from 333.444.555
</IfModule>

And so forth, you can block as many IP addresses as you want, but remember to keep an eye on performance if the number gets too crazy.

Note: The IP addresses used in this example are not real and should not be added to Apache config or .htaccess (you’ll get an error if you do). Remember to change them to actual/real IPs that you want to block.

Apache >= 2.3

Continue here if you are running Apache version >= 2.3. To block/deny an IP address, add the following line:

Require not ip 123.456.789

..to this code block:

# Apache >= 2.3
<IfModule mod_authz_core.c>
	<RequireAll>
		Require all Granted
		Require not env bad_bot
	</RequireAll>
</IfModule>

Here is how it will look when added:

# Apache >= 2.3
<IfModule mod_authz_core.c>
	<RequireAll>
		Require all Granted
		Require not env bad_bot
		Require not ip 123.456.789
	</RequireAll>
</IfModule>

Notice the line added after the bad_bot rule. That is all that needs to be done. Here is an example showing how to block five imaginary IPs:

# Apache >= 2.3
<IfModule mod_authz_core.c>
	<RequireAll>
		Require all Granted
		Require not env bad_bot
		Require not ip 123.456.789
		Require not ip 456.789.123
		Require not ip 789.123.456
		Require not ip 000.111.222
		Require not ip 333.444.555
	</RequireAll>
</IfModule>

And so forth, you can block as many IP addresses as you want, but remember to keep an eye on performance if the number gets too insane.

Note: The IP addresses used in this example are not real and should not be added to Apache config or .htaccess (you’ll get an error if you do). Remember to change them to actual/real IPs that you want to block.

About Blocking IP Addresses

Apache-based firewalls and blacklists can block just about any part of an URI request: IP address, user agent, request string, query string, referrer, and everything in between. But IP addresses change constantly, and user agents and referrers are easily spoofed. As discussed, blocking via request string yields the best results: greater protection with fewer false positives.

With that in mind, the 6G Firewall makes it easy to deny access based on IP address. This provides a convenient way for admins to block unwanted visitors and bots. But keep in mind that denying access based on IP is a temporary strategy, best suited for quickly blocking specific threats.

Original code removed from 6G

Just for the record, here are the IP-blocking rules removed from 6G Firewall on July 31st, 2019.

# 6G:[BAD IPS]
<Limit GET HEAD OPTIONS POST PUT>
	Order Allow,Deny
	Allow from All
	# uncomment/edit/repeat next line to block IPs
	# Deny from 123.456.789
</Limit>

Jeff Starr
About the Author Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.
Archives
[ Comments are closed for this post ]