
How can I ban IP addresses from accessing my website? Also, would it be better to store IP addresses in a text file, a PHP file or a database?

I want a black list.

I am using Apache.

Also, I want the blacklist to be application specific.

It is mainly to sort of prevent people from exploiting the site. I don't want a person from the same IP reloading my widgets over and over again, more than once every 2 seconds.

Vish

2 Answers


I'd use a separate firewall for that. Where you store your list of IP addresses depends on
- whether you want a blacklist or a whitelist
- whether this list is static or dynamic (static only makes sense for a whitelist, though)
- what kind of webserver you have (Apache, IIS, ...)

Please provide a little bit more information.

Kind regards, Frank


It very much depends on what exactly you want.

For statically banning some particularly abusive /16 subnets, it is easiest to just install a firewall rule. I'd recommend shorewall for this, as it is much more user friendly than the raw stuff. Blacklisting 4-5 subnets magically reduces your noise ratio by 99%, it is amazing.

For dynamically banning script kiddies, simply installing fail2ban is a working solution that requires very little work.

Or, you could do the same dynamic banning yourself, but then you would need to do some bookkeeping (IP addresses change, so unless you unblock every now and then, you will eventually blacklist the entire internet!). A database is better suited than flat text files in such a case.

If you don't like dealing with a firewall because it feels like voodoo to you, you can still DENY in the .htaccess file. This will work "the same" for your PHP pages, but will be much less efficient, and won't stop someone from trying to exploit e.g. your SSH.

dm.skt
  • What is the order of efficiency from firewall to flat files? –  Mar 28 '11 at 19:09
  • The firewall can already discard packets before a connection is established by merely iterating over a list of C structures in memory. Blocking from within Apache or your PHP script using flat files requires reading in the file and parsing it. The file will 99% certain be in the buffer cache, so reading is no issue, but you still have to parse it. And then, you can only do that _after_ a connection has been established. So, protocol and bandwidth wise, it is _at least_ 3x more expensive (plus anything in the request body), and computationally I would estimate anywhere from 10 to 100 times. – dm.skt Mar 28 '11 at 19:21
  • Is it possible to somehow connect PHP with the firewall, so PHP can be used to add and remove IP blocks from the firewall? –  Mar 28 '11 at 19:23
  • The firewall will inspect packets (including SYN) as they come in, and will just discard them if it doesn't like them. To the other end, it will look like your machine does not even exist. Your script will have to receive some request data first before it can make a decision. That can easily be several dozen kilobytes, and there is nothing you can do about it. – dm.skt Mar 28 '11 at 19:27
  • Yes, you can connect PHP with the firewall, for example by executing iptables or shorewall commands from PHP (I've done that before). But you would have to be really sure about what you're doing. Tampering with the firewall can mean you possibly lock out the wrong people (including yourself in the worst case). Plus, you must unban hosts after a while. Therefore, using software that is already tested and works, such as fail2ban, is somewhat more advisable. – dm.skt Mar 28 '11 at 19:30
  • Note that running a php script from a webserver with root rights is not precisely the most secure thing in the world either (I worked around that by running a cronjob that read a file the script wrote to, which is somewhat better, if not much). Did I mention that there are readily available programs which do the same thing and which are a lot better tested and more secure? :-) – dm.skt Mar 28 '11 at 19:35
  • Can fail2ban be integrated with PHP? –  Mar 28 '11 at 19:35
  • No, it runs separately. It will check the log files (not only for the webserver, but also other services that you configure) for suspicious entries and do the banning/unbanning. – dm.skt Mar 28 '11 at 19:42
  • Oh great... thanks... I will then accept your answer. –  Mar 28 '11 at 20:26
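As an added example, not code from anyone in this thread: the bookkeeping dm.skt describes, done in Python as a replay of Apache access-log lines. It enforces the question's "once every 2 seconds" rule only for the widget path (application-specific) and keeps an expiring ban list so hosts are unbanned automatically. The log lines, the `/widget` path and the 10-minute ban duration are constructed assumptions; the in-memory dict stands in for the database table the answer recommends.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MIN_INTERVAL = timedelta(seconds=2)   # the 2-second rule from the question
BAN_DURATION = timedelta(minutes=10)  # assumed: how long a dynamic ban lasts


def parse_line(line):
    """Return (ip, timestamp, request-line) or None for lines that don't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("req")


class BanList:
    """Expiring blacklist: ip -> time the ban ends (a DB table would hold the same)."""

    def __init__(self):
        self.banned_until = {}
        self.last_seen = {}

    def is_banned(self, ip, now):
        until = self.banned_until.get(ip)
        if until is not None and now < until:
            return True
        self.banned_until.pop(ip, None)  # expired (or absent): drop the entry
        return False

    def observe(self, ip, now):
        """Record one widget request; returns True if it must be denied."""
        if self.is_banned(ip, now):
            return True
        prev = self.last_seen.get(ip)
        self.last_seen[ip] = now
        if prev is not None and now - prev < MIN_INTERVAL:
            self.banned_until[ip] = now + BAN_DURATION  # repeat within 2s: ban
            return True
        return False


def process_log(text, widget_path="/widget"):
    """Replay chronological log lines; one (ip, verdict) per widget request."""
    bans, verdicts = BanList(), []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, req = parsed
        parts = req.split(" ")
        if len(parts) < 2 or parts[1] != widget_path:
            continue  # other pages are not rate limited
        verdicts.append((ip, "deny" if bans.observe(ip, ts) else "allow"))
    return verdicts


# Constructed sample log (documentation IP ranges, chronological order).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2011:19:09:01 +0000] "GET /widget HTTP/1.1" 200 512
203.0.113.7 - - [28/Mar/2011:19:09:02 +0000] "GET /widget HTTP/1.1" 200 512
198.51.100.4 - - [28/Mar/2011:19:09:03 +0000] "GET /widget HTTP/1.1" 200 512
198.51.100.4 - - [28/Mar/2011:19:09:08 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [28/Mar/2011:19:09:30 +0000] "GET /widget HTTP/1.1" 200 512
203.0.113.7 - - [28/Mar/2011:19:20:00 +0000] "GET /widget HTTP/1.1" 200 512
"""
```

The second request from 203.0.113.7 arrives one second after the first and triggers a ban; the request at 19:09:30 is still inside the ban, while the one at 19:20:00 lands after the ban has expired and is allowed again.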