04-19-2009, 08:02 AM | #1 (permalink) |
Husband of Seamaiden
Location: Nova Scotia
|
IP Blocking
I just learned how to do this, and I'm so pleased with myself that I thought I would share for all.
A little backstory: I discovered the other day that my fiancee's ex (in the immortal words of Al Pacino, "a large-type asshole") had visited our wedding website. I decided to try to block any future access of his, and stumbled across this elegant solution.

Notice, this needs an Apache server to work: Create a file in your site root called .htaccess and in it place the following code:

    order allow,deny
    deny from 192.168.44.201
    deny from 224.39.163.12
    deny from 172.16.7.92
    allow from all

The example above shows how to block 3 different IP addresses. Sometimes you might want to block a whole range of IP addresses:

    order allow,deny
    deny from 192.168.
    deny from 10.0.0.
    allow from all

The above code will block any IP address starting with "192.168." or "10.0.0." from accessing your site. Finally, here's the code to block any specific ISP from getting access:

    order allow,deny
    deny from some-evil-isp.com
    deny from subdomain.another-evil-isp.com
    allow from all

So I blocked his home ip address, his company ip address, and just for good measure, I blocked his entire ISP from accessing the site.
__________________
I am a brother to dragons, and a companion to owls. - Job 30:29 1123, 6536, 5321 |
04-19-2009, 01:56 PM | #2 (permalink) |
Sauce Puppet
|
If using IIS on Windows you can go to the Directory Security tab under Properties of your domain. And select Deny Access and specify the IPs or domain names that you want to block also.
Good post Lucifer. It's an easy thing to do, but often overlooked. One note, just make sure you enter the information correctly. I don't know how many times I've had to go digging through access lists and records to find out that one number was off, or a period was in the wrong spot which denied the wrong people from accessing the site.
__________________
In the Absence of Information People Make Things Up. |
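Added example, not part of either post above: a small Python check for the kind of access-list typo the second post describes, run over `deny from` lines in the style of the first post. The sample file, the function names and the two mistyped entries are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: rules from the first post plus two deliberate typos.
SAMPLE = """\
order allow,deny
deny from 192.168.44.201
deny from 192.168.
deny from 172.16.7.920
deny from 10.0..0
deny from some-evil-isp.com
allow from all
"""

HOSTNAME = re.compile(r"^(?=.*[a-z])[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

def classify(spec):
    """Return (kind, detail) for one argument of a 'deny from' line."""
    if spec.lower() == "all":
        return "network", "0.0.0.0/0"
    octets = (spec[:-1] if spec.endswith(".") else spec).split(".")
    if len(octets) < 4 and all(o.isdigit() for o in octets):
        # Partial address: only the leading octets are compared.
        if any(int(o) > 255 for o in octets):
            return "invalid", "octet above 255"
        net = ".".join(octets + ["0"] * (4 - len(octets)))
        return "network", f"{net}/{8 * len(octets)}"
    try:  # full address or CIDR block
        return "network", str(ipaddress.ip_network(spec, strict=False))
    except ValueError:
        pass
    if HOSTNAME.match(spec):
        return "hostname", spec.lower()
    return "invalid", "not an address, partial address, CIDR block or hostname"

def lint(text):
    """List (line number, argument, kind, detail) for every 'deny from' argument."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if len(words) > 2 and [w.lower() for w in words[:2]] == ["deny", "from"]:
            findings += [(lineno, s) + classify(s) for s in words[2:]]
    return findings

def blocked(client_ip, findings):
    """True if a valid address or range entry covers client_ip (hostnames not resolved)."""
    ip = ipaddress.ip_address(client_ip)
    return any(kind == "network" and ip in ipaddress.ip_network(detail)
               for _, _, kind, detail in findings)
```

Calling `lint(SAMPLE)` flags the two mistyped lines, and `blocked("172.16.7.92", lint(SAMPLE))` returns `False`, showing that the address the typo was meant to cover is not covered by any valid rule.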
04-25-2009, 11:27 AM | #3 (permalink) |
Psycho
Location: North America
|
I still don't see the reason to need to block it.
That and IP blocks don't really work in this day and age where internet access is abundant and blocking a single IP address is futile when the person you're blocking has a dynamic IP address. .htaccess works on Apache WHEN enabled, which is not always the case. On IIS I dunno if it works at all since htaccess is an Apache thing. Yet again I don't see the issue with one person seeing some photos. |
04-25-2009, 01:13 PM | #4 (permalink) |
Young Crumudgeon
Location: Canada
|
Network security is a key issue for many people. This falls under that umbrella.
I'll keep my snide opinions about IIS to myself and just point out that (as the OP noted) this can be used to block IP ranges as well as individual addresses, which counters the whole dynamic IP thing.
__________________
I wake up in the morning more tired than before I slept I get through cryin' and I'm sadder than before I wept I get through thinkin' now, and the thoughts have left my head I get through speakin' and I can't remember, not a word that I said - Ben Harper, Show Me A Little Shame |
04-25-2009, 06:41 PM | #5 (permalink) |
Currently sour but formerly Dlishs
Super Moderator
Location: Australia/UAE
|
I know this sounds stupid, but why not just put a password on your wedding photos website?
And how did you know he visited the website in the first place?
__________________
An injustice anywhere, is an injustice everywhere I always sign my facebook comments with ()()===========(}. Does that make me gay? - Filthy |
04-26-2009, 03:27 AM | #7 (permalink) |
Husband of Seamaiden
Location: Nova Scotia
|
Well, it may come to that eventually, but at the moment, the block seems to be working. I know he visited because the counter script I've got on the site picked up his ip address (he lives in another province - he's the only one we know that lives there) once from his home (I'm assuming - which is why I blocked his whole ISP) and a few more times from his company, whose gateway I've also blocked.
04-27-2009, 02:32 PM | #8 (permalink) | ||
Psycho
Location: North America
|
Quote:
Quote:
|
||
04-27-2009, 04:53 PM | #9 (permalink) | |
Young Crumudgeon
Location: Canada
|
Quote:
Regarding the rest, any security measure can be circumvented by someone who has the necessary knowledge and determination. Doesn't make such measures useless. Security could more properly be deemed to be the practice of making access too difficult to be worth the reward. Barring a creepy stalker scenario, I can't imagine his wife's ex is so determined to see a bunch of wedding photos that he'd go through the effort of accessing the site via a random wireless AP. Aside from that, there's no practical way to prevent that while keeping the site easy for the intended userbase to access. Ultimately, the only foolproof security measure on the internet is to not put anything you don't want anyone to have access to online. However, that doesn't negate the usefulness of simple tricks like this one.
|
05-23-2009, 06:00 PM | #10 (permalink) | |
Psycho
Location: North America
|
Quote:
Yes the best security would be a complete lockdown where the permitted user would go through hell just to get access but IP blocking is false security. The disallowed party doesn't even have to attempt to circumvent security if he on a whim decides to check the page while visiting one of hundreds of possible internet access points. Really how secure is your house when you deadbolt and chain the front door but leave your side door wide open? I'm not here to decide what others have to do for security but I'll just say this, you can lock the page down like Fort Knox, you can even remove the pictures and burn them but he already (supposedly) went to the site and saw the wedding photos so unless you're having more weddings it's all really futile. |
|
05-23-2009, 06:39 PM | #12 (permalink) |
/nɑndəsˈkrɪpt/
Location: LV-426
|
Can't you bypass that easily by using a proxy? If he knows his ass from his elbows he shouldn't have much trouble seeing those pics if he wants to. Regardless I do appreciate the tip, may come in handy sometime.
__________________
Who is John Galt? |