Block Multiple IP Addresses with PHP
Let’s face it. There’s just as much scum on the Internet as there is out there in the “real world.” Maybe even more, who knows. From scammers and spammers to scrapers and crackers, the Web is just crawling with all sorts of pathetic scumbags. As predictably random as much of the malicious activity happens to be, it is virtually guaranteed that you will be hounded by at least a few persistent IP addresses that, for whatever reason, have latched on and just won’t let go. Like evil parasites, they plague you night and day, haunting you and making your online life a living hell. Perhaps they leave endless spam comments; perhaps they are just mindless trolls giving you grief; or perhaps they continue to take flying stabs at the security of your website. Whatever the behavior, once you have determined that you need to block a collection of bad IPs, you have many ways to get the job done. Here is a simple way to blacklist multiple IP addresses with a little PHP magic.
Throw Down
Edit the following code with your blacklisted IPs and drop into the page or header file of your choice to enjoy immediate relief from relentless scumbags:
<?php $blacklist = array("123.456.789", "456.789.123", "789.123.456");
if(in_array($_SERVER['REMOTE_ADDR'], $blacklist)) {
	header("Location: http://domain.tld/path/custom.php");
	exit();
} ?>
Recap: edit the IPs in the first line to suit your needs. You will also want to edit the header path in the third line to reflect the location of your “special message” for the blocked IPs. This may be anything you wish: warm greetings, pictures of your bum, or even a virus unleashing the black death upon them. Whatever you do, have fun and be safe! ;) Alternately, if you don’t feel like taking the time to craft a loving page for your blocked frenz, replace the header URL in the third line with the viciously disturbing site of your choice. There are many great sites out there to choose from — so be creative!
Lastly, after you have carefully edited the PHP blacklist script according to your needs, place it into the top of your header.php file or web pages of your choice. Any page featuring this code will be inaccessible to the IP addresses blacklisted in the first line. So grab, gulp, and go! This code will keep those nasty chimps far away from your precious pages! ;)
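Because in_array() compares whole strings, every entry in the list above has to be one complete address. The following added example (not the article's own code) extends the same check to CIDR ranges for IPv4 and IPv6 and answers with a 403 instead of a redirect; the function name ip_is_blocked and the listed addresses are assumptions made up for illustration.

```php
<?php
// Added example, not the article's code. Entries are constructed placeholders
// from the RFC 5737 / RFC 3849 documentation ranges; a bare address is exact.
$blocklist = ['203.0.113.7', '198.51.100.0/24', '2001:db8:bad::/48'];

// True when $ip equals an entry or falls inside one of the CIDR entries.
function ip_is_blocked(string $ip, array $blocklist): bool
{
    $addr = @inet_pton($ip);            // packed 4- or 16-byte form
    if ($addr === false) {
        return false;                   // unparseable client address
    }
    foreach ($blocklist as $entry) {
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, null);
        $netBin = @inet_pton($net);
        if ($netBin === false || strlen($netBin) !== strlen($addr)) {
            continue;                   // malformed entry or other address family
        }
        $max = strlen($netBin) * 8;
        if ($bits === null) {
            $bits = $max;               // no prefix given: match the whole address
        } elseif (!ctype_digit($bits) || (int) $bits > $max) {
            continue;                   // reject "/abc", "/-1", "/33" and the like
        }
        $bits  = (int) $bits;
        $whole = intdiv($bits, 8);      // bytes compared in full
        $rest  = $bits % 8;             // leftover bits in the next byte
        if (substr($addr, 0, $whole) !== substr($netBin, 0, $whole)) {
            continue;
        }
        if ($rest === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $rest)) & 0xFF;
        if ((ord($addr[$whole]) & $mask) === (ord($netBin[$whole]) & $mask)) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI === 'cli') {               // demo run: php blocklist.php
    foreach (['203.0.113.7', '198.51.100.200', '192.0.2.1', '2001:db8:bad:1::5'] as $ip) {
        printf("%-18s %s\n", $ip, ip_is_blocked($ip, $blocklist) ? 'blocked' : 'allowed');
    }
} elseif (ip_is_blocked($_SERVER['REMOTE_ADDR'] ?? '', $blocklist)) {
    http_response_code(403);            // refuse outright instead of redirecting
    exit('Forbidden');
}
```

When the site sits behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so the check has to run where the real client address is visible.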
26 responses to “Block Multiple IP Addresses with PHP”
I’m sending all those bastards to http://localhost/ (per .htaccess) saving my resources for real visitors.
Would this be a good method to blacklist several hundred IPs? What method of blacklisting several hundred IPs would result in the least performance hits — PHP like this, .htaccess, or mysql? Currently I use mysql to maintain my huge IP blacklist, but it takes a long time to keep it updated. It would be nice if there was a faster way to keep lists that come separated by carriage returns regularly updated in a blacklist of some form.
While this could be useful for the odd rogue visitor, most of the kids who attempt to be ‘funny’ are using a proxy or a dynamic IP.
If you want serious protection, the 4G blacklist by Jeff (total gold) + http:BL (see projecthoneypot.org) + bot/spidertrap script (see http://www.spider-trap.de) will do the job. I used to have major bandwidth leakage until doing these three simple things…
Any accumulation of banned IPs needs to be periodically cleared due to the transient nature of the attack source IPs, so static/storing IPs in my opinion is not the ‘best’ option in serious cases… let a service like project honeypot do the heavy lifting for you…
(oh yeah… by blocking the word “gold” on any form on your site will save many cleanup sessions)
I considered using Project Honeypot before, but while it would be useful in keeping some malicious IPs off my site, I am more interested in specifically blocking proxy IPs so I had to keep lists updated on my own.
The Project Honeypot list may be helpful as a supplemental list though, but I am not sure about using the list on the German site because I cannot read what the site says, and am not sure how updated it is.
Update: I just checked Project Honeypot and it does not appear to be a blocklist at all, just a way to gather information on spammers.
Yieu,
Project Honeypot provides a lookup service called http:BL that can be implemented via a script/plugin on your site. There are ones for WordPress and Joomla and most other major CMS platforms, or you can make your own based on their documentation. http:BL is provided by Project Honeypot to lookup IPs that visit my site against their database of spammer IPs then I can choose to block, redirect or forbid. I block around 10-20 different malicious source IPs a day, a list that would certainly become unmanageable very quickly.
Here’s the English version of the spider-trap: http://www.spider-trap.de/en_index.html. It was last updated in mid 2007, but it is the kind of thing that is pretty stable. I have a hidden link in the html code that if a scraper/spider hits they are added to the htaccess file. Accidental real visits to the page can be removed from htaccess via a captcha form. I block about 3 nasties a day using this method.
I take a pretty simple approach to this. First, I filter out incoming IPs by host name, (yahoo, ask, msn, my own ip, etc) and ignore them. Anything that is left goes into a database and shows up on my admin page as the last 20 visitors.
At the same time, I use a modified script from here, http://guildwarsholland.nl/phphulp/testspambot.php, to automatically check each IP against the database here http://www.stopforumspam.com/ and http://www.fspamlist.com. Anything that comes back a positive automatically goes into a 2nd database.
At the same time, the first script above checks the incoming IPs against the second database and if a positive occurs there, the culprit doesn’t see my website, just a nice note concerning his upbringing.
Both scripts run right after the body element so that a spammer doesn’t even see my header.
I do not use the other 6-8 spam places, as my own IP shows up as a spammer. Resetting my router and then trying the new IP also shows me as a spammer. I don’t trust them.
I use .htaccess with a longish list of really annoying IP addresses, mostly of bot-type script hackers. I’d rather do this than let them get as far as an actual PHP script. My guess is that this is faster. If you have total control over your Apache, I think you could offload the IP database into a rewritemap file…
Here’s my current deny list:
deny from 200.63.42. 84.197.39.202 24.113.54. 71.110.145. 118.232.158. 201.159.4. 84.60.230. 222.166.160. 220.255.7. 222.79.61. 221.192.199.36 202.181.243.113 207.114.250.70 222.165.158.54 200.106.120.231 86.64.70.34 219.85.63.226 58.226.23.55 85.21.163.60 72.232.96.218 74.52.100.226 119.136.52.139 125.251.147.130 84.99.95.132 210.21.126.168 62.44.73.88 76.69.122.143 85.119.154.129 211.110.19.178 194.8.75.44 89.122.57.185 61.109.250.29 218.234.23.43
I also have a whole bunch of specific gotchas, lots of which send people to my oh-so-friendly welcome page:
http://www.scamdex.com/f___you.html
I use a little-used error document for error code 417 like this:
ErrorDocument 417 /f***you.html
RedirectMatch 417 _vpi.xml
RedirectMatch 417 /login.php
RedirectMatch 417 /MSOffice/cltreq.asp
RedirectMatch 417 ..
RedirectMatch 417 ,
RedirectMatch 417 /,
RedirectMatch 417 ...
RedirectMatch 417 _vpi.xml
RedirectMatch 417 _vti_
RedirectMatch 417 zb41
RedirectMatch 417 4nAlbum
RedirectMatch 417 admin_settings
RedirectMatch 417 arcade.php
RedirectMatch 417 phpAdsNew
etc etc….
For my (WordPress) blog, I use Akismet and leave it at that, for my forum I rely on captcha and strict posting/commenting controls.
If anyone wants to see my whole .htaccess file, let me know.
Note: edited to remove profanity
@Mark Webb: I do most of my blocking directly through HTAccess as well. I have done a bit of research on using HTAccess to block villainous scum, and have created some useful resources for blocking and preventing malicious attacks:
Just to name a few. Also, it is interesting to see your (partial) list of 417 RedirectMatch directives, as it reminds me of my work on the Perishable Press 4G Blacklist (apart from the unique use of the “Expectation Failed” response code). Seems like a few of the same directives are specified in your list as well. A couple of notes that may help improve efficiency and maintenance for your list:
“_vpi.xml” in the first line is equivalent to “_vpi.xml” in the 8th line.
“...” in the 7th line will also be matched by “..” in the fourth.
“/,” in the 6th line will also be matched by “,” in the fifth.
/) to be on the safe side.
For more information on regex pattern matching, check out http://www.zytrax.com/tech/web/regex.htm or http://www.ladadadada.net/articles/apache_regex_guide
I guess my thing with the .htaccess file is I know little about it and wouldn’t know what a rewritemap file was if I set on it. I have a LARGE database of nasty IPs that I can manipulate by frequency and age and keep trimmed down to only IPs being used. If they get nastier I just block them through my control panel, which I would assume is the htaccess file as well.
I do use Jeff’s “How to Block Proxy Servers via htaccess” script. I think the difference in what we are doing is that I check all incoming IPs to spam lists and block them on the spot.
For WordPress I also use Akismet, although I recently installed this plugin http://wordpress.org/extend/plugins/avh-first-defense-against-spam/ and it does a wonderful job. My forum also runs a plugin to “stop forum spam” which works great.
I am sure it would behoove me to bone up on the htaccess file per Jeff’s tutorials. I have no idea what your “RedirectMatch 417’s” do. It’s always been like the registry to me, don’t touch it :)
So to confirm: your ‘throw down’ at the top of this page blocks ranges of IPs, e.g. a whole town in Mexico?
We get more than our fair share of “scum” hunting for SQL access by trying different URLs that throw 404s. These normally get sent about 2 in the morning every second for 5 mins. Would you recommend a script to detect say 10 continuous 404s in a row by the same IP, any more and it blocks them?
Just an idea to save large black lists that need updating.
A red herring “powered by wordpress” might throw scum off the scent too?
or attract more?
Good work Jeff !
Hi yorkie, yes, pretty much that’s it. If a certain range of IP addresses corresponds to a particular town or region, then any IP within that range will be blocked. This is often the case; however, there are cases where a range of IPs may represent different machines in different parts of the world.
I like the idea of more dynamic blacklisting, such as your recommendation of blocking anything that requests a certain number or type of requests. If I had the time, I would certainly implement something like this, although even that method would not be foolproof.
Anything “Powered by WordPress” is going to attract attention rather than circumvent it, but for non-WordPress-powered sites, I can see how that might slow down the automated attacks.
Thanks for the feedback! :)
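The idea raised in the last two comments, flagging an IP after a run of consecutive 404s, sketched as an added example that is not part of the original thread. It assumes Apache common/combined log lines; the function name find_404_streaks, the threshold default and the sample log lines are all constructed for illustration.

```php
<?php
// Added example, not code from the thread. Log lines below are constructed.

// Return [ip => longest run] for every client whose run of consecutive 404
// responses reached $threshold; any non-404 response resets that client's run.
function find_404_streaks(iterable $lines, int $threshold = 10): array
{
    // Common/combined log format: ip ident user [time] "request" status size
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:[^"\\\\]|\\\\.)*" (\d{3}) /';
    $run = [];       // ip => current run of consecutive 404s
    $flagged = [];   // ip => longest run, recorded once it reaches the threshold
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;                       // unparseable line
        }
        [, $ip, $status] = $m;
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
            continue;                       // hostname or junk in the client field
        }
        if ($status !== '404') {
            $run[$ip] = 0;                  // any other response breaks the run
            continue;
        }
        $run[$ip] = ($run[$ip] ?? 0) + 1;
        if ($run[$ip] >= $threshold) {
            $flagged[$ip] = max($flagged[$ip] ?? 0, $run[$ip]);
        }
    }
    return $flagged;
}

// Constructed sample: one client probing nonexistent paths once a second,
// another browsing normally and hitting an occasional dead link.
$sample = [];
for ($i = 0; $i < 12; $i++) {
    $sample[] = sprintf('203.0.113.9 - - [01/Jan/2009:02:00:%02d +0000] '
        . '"GET /probe%d.php HTTP/1.1" 404 512', $i, $i);
    $sample[] = sprintf('198.51.100.4 - - [01/Jan/2009:02:00:%02d +0000] '
        . '"GET /page%d HTTP/1.1" %d 2048', $i, $i, $i % 3 === 0 ? 404 : 200);
}

foreach (find_404_streaks($sample) as $ip => $len) {
    printf("%s: %d consecutive 404s\n", $ip, $len);
}
```

Flagged addresses are best stored with an expiry time, in line with the earlier comment that attack source IPs are transient.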