IP Blocking
 

I just learned how to do this, and I'm so pleased with myself that I thought I would share for all.

A little backstory: I discovered the other day that my fiancee's ex (in the immortal words of Al Pacino, "a large-type asshole") had visited our wedding website. I decided to try to block any future access of his, and stumbled across this elegant solution.

Notice, this needs an Apache server to work:

Create a file in your site root called .htaccess and in it place the following code:

order allow,deny
deny from 192.168.44.201
deny from 224.39.163.12
deny from 172.16.7.92
allow from all

The example above shows how to block 3 different IP addresses. Sometimes you might want to block a whole range of IP addresses:

order allow,deny
deny from 192.168.
deny from 10.0.0.
allow from all

The above code will block any IP address starting with "192.168." or "10.0.0." from accessing your site.

Finally, here's the code to block any specific ISP from getting access:

order allow,deny
deny from some-evil-isp.com
deny from subdomain.another-evil-isp.com
allow from all


so I blocked his home ip address, his company ip address, and just for good measure, I blocked his entire ISP from accessing the site.

If using IIS on Windows you can go to the Directory Security tab under Properties of your domain. And select Deny Access and specify the IPs or domain names that you want to block also.

Good post Lucifer. Its an easy thing to do, but often overlooked.

One note, just make sure you enter the information correctly. I don't know how many times I've had to go digging through access lists and records to find out that one number was off, or a period was in the wrong spot which denied the wrong people from accessing the site.

I still don't see the reason to need to block it :paranoid:

That and IP blocks don't really work in this day and age where internet access is abundant and blocking single IP address is futile when the person your blocking has a dynamic IP address.

.htaccess works on apache WHEN enabled, which is not always the case. On IIS I dunno if it works at all since htaccess is an apache thing.

Yet again I don't see the issue with one person seeing some photos.

Network security is a key issue for many people. This falls under that umbrella.

I'll keep my snide opinions about IIS to myself and just point out that (as the OP noted) this can be used to block IP ranges as well as individual addresses, which counters the whole dynamic IP thing.

i know this sounds stupid, but why not juts put a password on your wedding photos website?

and how did you know he visited the website in the first place?

Seems like every time I do an IP check on myself, it's different and lists me in a different (local) town. (I'm on DSL btw)

Well, it may come to that eventually, but at the moment, the block seems to be working. I know he visited because the counter script I've got on the site picked up his ip address (he lives in another province - he's the only one we know that lives there) once from his home (I'm assuming - which is why I blocked his whole ISP) and a few more times from his company, whose gateway I've also blocked.

You'd think but some isp's have multiple classes that they allot in and a certain block may end up too narrow. It also doesn't address the wide availability of access to the net unless he's living in historical times where he can ONLY access the net at work or home. Personally I can access the net at home, work, any mcdonalds, any coffee shop, at the book store, at other peoples unsecured wi-fi, and other places without even resorting to friends and the IP will be different at all of them, on different blocks as well. IF and this is a BIG IF I was blocked by IP I can always proxy my way through.

A password would be best if you want to keep people out, IP blocks just aren't effective unless your trying to block everyone and only allow a particular range of addresses. The next time he visits you probably won't/didn't even know it. Again I reiterate why the need to block wedding photos from someone your SO knew? Jealousy of some sorta? From my experience, jealous partners don't last.

Actually, nobody has any classes for anything. That's the whole point of CIDR.

Regarding the rest, any security measure can be circumvented by someone who has the necessary knowledge and determination. Doesn't make such measures useless. Security could more properly be deemed to be the practice of making access too difficult to be worth the reward.

Barring a creepy stalker scenario, I can't imagine his wife's ex is so determined to see a bunch of wedding photos that he'd go through the effort of accessing the site via a random wireless AP. Aside from that, there's no practical way to prevent that while keeping the site easy for the intended userbase to access.

Ultimately, the only foolproof security measure on the internet is to not put anything you don't want anyone to have access to online. However, that doesn't negate the usefulness of simple tricks like this one.

Actually there are corporations that have classes alotted to them, CIDR just allows them to divvy things more precisely than a class A, B, or C.

Yes the best security would be a complete lockdown where the permitted user would go though hell just to get access but IP blocking is false security. The disallowed party doesn't even have to attempt to circumvent security if he on a whim decides to check the page while visiting one of hundreds of possible internet access points. Really how secure is your house when you deadbolt and chain the front door but leave your side door wide open?

I'm not here to decide what others have to do for security but I'll just say this, you can lock the page down like fort knox, you can even remove the pictures and burn them but he already (supposedly) went to the site and saw the wedding photos so unless your having more weddings it's all really futile.

Has there been any mention of forging IP addresses and/or concealing them with proxies or other methods here?

Can't you bypass that easily by using a proxy? If he knows his ass from his elbows he shouldn't have much trouble seeing those pics if he wants to. Regardless I do appreciate the tip, may come in handy sometime.