[TIP/TRICK] Having Problems With Banned Members?

[JBlaze]

I know that there are alot of you out there who are having trouble with banned members/spambots that still try to visit your site and create LOTS of error logs. It gets annoying, I know.

This simple Tip will help get rid of that...

What this will do is modify your .htaccess file, adding a banned IP address to that. This way, when a banned member/spambot tries to reach your site, instead of getting the login screen, they will get a "403 - Forbidden" Error. (What Is A "403 - Forbidden" Error?)

Well, here it is

.htaccess

Code (ban single IP) Select Expand

order deny,allow
deny from xx.xx.xx.xxx
allow from all

Code (ban multiple IPs) Select Expand

order deny,allow
deny from xx.xx.xx.xxx
deny from xx.xx.xx.xxx
deny from xx.xx.xx.xxx
deny from xx.xx.xx.xxx
allow from all
Change "xx.xx.xx.xxx" to the IP address you want to ban

Any questions, feel free to ask!

EDIT: I will try to make a script/MOD that can modify the .htaccess from the Admin panel. If anyone out there would like to help me, I would be grateful

[JBlaze]

Bump?

[Marcus Forsberg]

Wanting this moved to Tips and Tricks, are we?

[JBlaze]

Yessir

[Marcus Forsberg]

Though you didn't say please...
Moved

[JBlaze]

Pretty please with sugar on top, may you move this to Tip and Tricks?

[JBlaze]

By the way Nas, is there any way I can use php to modify the htaccess file?

I want to turn this into a MOD with admin panel options. I just need to know how to modify htaccess. I can do the rest

[Marcus Forsberg]

Not sure if it works on htaccess, but have a look at this:
http://www.php.net/manual/en/ref.filesystem.php

Open the file, write to it, close.

[JBlaze]

Thanks bro. I'll get to work right now. Hopefully have it submitted by tomorrow

[C4G-TK]

Great info here. 

It makes me wonder if it is possible to make your own "403 - Forbidden Error" page that people will see as well or is it strictly server side? 

I'm figuring that since it denies passageway to your own site, you wouldn't be able to make one yourself though since the person's IP is banned from browsing.  Maybe I just answered my own question there.  LOL  But, thought I'd ask!

[aishaweb]

Is this a mod yet?

Got a beta to test? Please attach it if so.

[JBlaze]

Great info here. 

It makes me wonder if it is possible to make your own "403 - Forbidden Error" page that people will see as well or is it strictly server side? 

I'm figuring that since it denies passageway to your own site, you wouldn't be able to make one yourself though since the person's IP is banned from browsing.  Maybe I just answered my own question there.  LOL  But, thought I'd ask!

Create file 403.shtml (or ask your host if they provide error handling)
Add custom HTML

Still working on it as we speak. A beta will be release soon.
Is this a mod yet?

Got a beta to test? Please attach it if so.

[Dinolin]

ermm..... this help me a lot
nice info and tips ....

[cflforum]

Is this a mod yet?

Got a beta to test? Please attach it if so.

There is no reason why this wouldnt work on an internal system intranet, is there?

While the site is to be intranet based, I'm of no illusions that somebody wouldnt think it funny to have crowing rights over how "insecure" or "setup on the cheap" is!

If this iproject is successfull, we should be able to grab maybe 20k of their budget ( cackles with glee)

[JBlaze]

I see no reason why it shouldn't work on an intranet system.

[Autumn13]

Sorry to sound like such a noob here, but would someone be so kind enough as to tell the lady how to do this step by step? I'd really appreciate it!


ETA: nevermind, got it. Thanks again!!!!! It's a BIG help!

[TLBSupport]

Great tip, however just to add little bit of sugar
For those who's hosts give them CPanel access you can also access the.htaccess file by updating entries in the IP Ban control in the Security control panel area, if you have it.
Advantages for this is that, from my understanding it will alter all the .htaccess files on your site, or sites. Will shut up now in case im wrong im used to that
Respect to all

[JBlaze]

Great tip, however just to add little bit of sugar
For those who's hosts give them CPanel access you can also access the.htaccess file by updating entries in the IP Ban control in the Security control panel area, if you have it.
Advantages for this is that, from my understanding it will alter all the .htaccess files on your site, or sites. Will shut up now in case im wrong im used to that
Respect to all

As long as you enter it in the root .htaccess, it applies for the whole forum as every action is executed through index.php.

[Mayhem30]

The problem with this is that it could put a lot of load on the apache server. If you have a busy forum, everyone who attempts to view your site will be checked against that list in the .htaccess file.

If you have access to ssh, you could do this instead :

Code Select Expand

iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

Keep in mind that if your server is rebooted, the ban will no longer be in place. If you want the ban to stick even after a reboot, you must do this :

Code Select Expand

service iptables save
service iptables restart

Use at your own risk 

[H]

It is important to note that Mayhem's suggestion requires not just SSH access but also root access . The second code segment will also only work under Redhat and similar distros. Others (Debian, ubuntu etc) will require a different way of saving firewall rules

[Ninja ZX-10RR]

This is a very old topic and I see it has been approved but it's terribly wrong.
Let me explain you why:

Code Select Expand

order deny,allow
deny from xx.xx.xx.xxx
deny from xx.xx.xx.xxx
deny from xx.xx.xx.xxx
deny from xx.xx.xx.xxx
allow from all

It sets the server:

• in default "allow" mode so that any unrecognized user is automatically allowed.
  
• it processes bans first and allowed entries after that.

What does it mean? It means that if allow command is processed after the deny one if you write allow from all that allow command *will* overwrite all deny entries so it will unban all users.
For reference:
http://www.simplemachines.org/community/index.php?topic=523720.0 (my first topic about it)
http://www.simplemachines.org/community/index.php?topic=523925.0 (second topic very similar to the first one and somehow used as a part 2 for the 1st one)
Thanks to Lou69 I provide also these links: http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order and http://httpd.apache.org/docs/current/mod/mod_access_compat.html#allow

Sooo after all the overall correct setting would be (using deny,allow)

Code Select Expand

order deny,allow
deny from xx.xx.xx.xxx
deny from xx.xx.xx.xxx
deny from xx.xx.xx.xxx
deny from xx.xx.xx.xxx


Without the allow from all at the end or either use order allow,deny

Code Select Expand

order allow,deny
deny from xx.xx.xx.xxx
deny from xx.xx.xx.xxx
deny from xx.xx.xx.xxx
deny from xx.xx.xx.xxx
allow from all


In this case allow from all is necessary because the server default state is set on deny so any unlisted entries would be denied access.


I made a whole guide about this that is correct: http://www.simplemachines.org/community/index.php?topic=524146.0