Simple Machines Community Forum

Customizing SMF => Tips and Tricks => Topic started by: Ninja ZX-10RR on June 20, 2014, 09:52:04 PM

Title: [TIP/TRICK] How to ban users properly from .htaccess
Post by: Ninja ZX-10RR on June 20, 2014, 09:52:04 PM
As this started to become a very frequently asked question and I was directly concerned about it I decided to make this guide, hopefully someone of the team will approve it :)

SMF comes with a built-in ban feature that allows admins to use an IP ban to ban users but this function has several problems that cannot be fixed:



How should I ban users?

You should ban users using the .htaccess file that is stored on your server host, or create it if it doesn't exist. If you don't know how to create it just create a .txt file, put the code in there and when you are done just rename its extension to ".htaccess". ;) Like: example.txt --> rename --> example.htaccess
Open it and add the provided code, better at its end ;)




What should I add to my .htaccess file?

Thanks to Lou69 (http://www.simplemachines.org/community/index.php?action=profile;u=248702) I can provide these 2 links as reference:
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: LiroyvH on June 20, 2014, 09:58:35 PM
Quote
hopefully someone of the team will approve it

There is no moderation in this section.
Anyone is free to write up whatever tricks they wish, if they make sense.
(Although I am wondering whether or not this is the correct board... This is not coding...)

Quote
You should ban users using your .htaccess file that is in your database.
Open it and you will find a bunch of stuff in there regarding things you are not interested in at the moment. Just leave it the way it is, you need to add some code to it, better at its end

.htaccess is in the files, or can be created there. It's not in the database.
It's usually either empty or non-existent by default, "a bunch of stuff" is usually not the case. (Depending, usually, on whether or not there's other software present on the account. Like Wordpress.)

Quote
I will not be explaining the reasons of that 24 as it's really complicated for new users.

Yet it is crucial. CIDR notation can make the difference between banning only a couple of IPs or a complete range.
Don't choose for the user, make them decide for themselves whether they understand or not:
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks
It's not that hard. :)

Be careful of banning very large ranges of IPs. In fact, banning IPs on large forums with visitors from multiple countries can actually have adverse effects.


Other than that, the post looks fine although I haven't really looked at the provided examples. ;)
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: Ninja ZX-10RR on June 20, 2014, 10:08:05 PM
Thank you for your reply :D

Fixed all of those. I posted here because of this message: http://www.simplemachines.org/community/index.php?topic=52589.msg1180957#msg1180957
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: Ninja ZX-10RR on June 20, 2014, 10:39:58 PM
I know that message is very old but... Well if you approve it please move it to tips and tricks :)
And actually last time I checked I wasn't able to post there... Somebody must have changed the permissions for sure and without knowing it I did this the way it was asked in that old message as tips and tricks was usually meant to be some kind of a FAQ section somehow... Bah I don't know. If you think it's good anyhow please move it there as I can't anymore now having already posted it :P
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: Illori on June 21, 2014, 06:08:54 AM
Quote from: Flavio93Zena on June 20, 2014, 09:52:04 PM
Wait I'm not sure of what I did! How can I try it and see if it works?

You can easily try your code by adding this after all the other commands: defy from XX.XX.XX.XX where those XX stand for the IP you want to test. Refresh the page and if you get a 500 error the IP you just tested is banned. Be quick though and be sure to get rid of this string as this test would deny access to everybody!!! So just defy, refresh, test and then come back and delete it as soon as possible.





Do you mean deny, or is defy not a typo? Also, I think you should say that the IP should be yours, not just any random IP.
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: Ninja ZX-10RR on June 21, 2014, 06:18:39 AM
It is really defy. For testing purposes if you type "defy" it is like "try" in there although the command "try" does not exist :) so I confirm defy command.

And no the IP shouldn't be my own because if the admin wants to check if he has successfully banned a user or not he will have to defy from the (hopefully) banned IP and not his own to test whether that IP is banned or not. If he gets a 500 error then the IP is banned, if he can gain access to the site the IP is not banned. In both cases like I said it's better to do this quick because if the IP address being tested is really banned the whole website will be unavailable for everybody.
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: byproduct on August 21, 2014, 06:26:44 AM
it is htaccess coding? :)


Quote from: CoreISP on June 20, 2014, 09:58:35 PM
Quote
hopefully someone of the team will approve it

There is no moderation in this section.
Anyone is free to write up whatever tricks they wish, if they make sense.
(Although I am wondering whether or not this is the correct board... This is not coding...)

Quote
You should ban users using your .htaccess file that is in your database.
Open it and you will find a bunch of stuff in there regarding things you are not interested in at the moment. Just leave it the way it is, you need to add some code to it, better at its end

.htaccess is in the files, or can be created there. It's not in the database.
It's usually either empty or non-existent by default, "a bunch of stuff" is usually not the case. (Depending, usually, on whether or not there's other software present on the account. Like Wordpress.)

Quote
I will not be explaining the reasons of that 24 as it's really complicated for new users.

Yet it is crucial. CIDR notation can make the difference between banning only a couple of IPs or a complete range.
Don't choose for the user, make them decide for themselves whether they understand or not:
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#IPv4_CIDR_blocks
It's not that hard. :)

Be careful of banning very large ranges of IPs. In fact, banning IPs on large forums with visitors from multiple countries can actually have adverse effects.


Other than that, the post looks fine although I haven't really looked at the provided examples. ;)
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: Kindred on August 21, 2014, 06:34:36 AM
Quote from: Ninja ZX-10RR on June 21, 2014, 06:18:39 AM
It is really defy. For testing purposes if you type "defy" it is like "try" in there although the command "try" does not exist :) so I confirm defy command.

reference?

I can find no evidence on any site that DEFY is actually a valid htaccess command...
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: Ninja ZX-10RR on August 21, 2014, 07:00:04 AM
That's why I updated it this morning - I had a reference that was indeed removed. And whenever I tried it it was giving a 503 error, for sure, but not because it was working, it was doing it because the server was unable to read the string. Now it's correct.
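An added example, not code from any poster in this thread: an offline check of which addresses a set of `Deny from` lines covers, so a ban can be verified and a CIDR range sized without editing the live .htaccess. The sample rules and addresses are constructed; it handles the IPv4 forms (full address, partial address, CIDR, netmask), skips hostname arguments, and assumes `Order Allow,Deny`, where a matching Deny wins.

```python
import ipaddress

# Constructed sample rules using RFC 5737 documentation addresses.
SAMPLE_HTACCESS = """\
Order Allow,Deny
Allow from all
Deny from 203.0.113.45
Deny from 198.51.100.0/24
Deny from 192.0.2
"""

def to_network(spec):
    """Turn one 'Deny from' argument into a network; None for hostnames, 'all', env=."""
    if "/" not in spec:
        octets = spec.rstrip(".").split(".")
        if len(octets) > 4 or not all(o.isdigit() for o in octets):
            return None
        # Apache reads a partial address such as "192.0.2" as the whole subnet.
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None

def parse_deny_networks(text):
    """Collect the networks named on 'Deny from' lines; comment lines never match."""
    networks = []
    for line in text.splitlines():
        words = line.split()
        if len(words) >= 3 and [w.lower() for w in words[:2]] == ["deny", "from"]:
            networks += [n for n in map(to_network, words[2:]) if n is not None]
    return networks

def coverage(text):
    """(network, number of addresses it bans) for every Deny rule."""
    return [(str(n), n.num_addresses) for n in parse_deny_networks(text)]

def banned_by(address, text):
    """Rules that would refuse this client address; an empty list means not banned."""
    ip = ipaddress.ip_address(address)
    return [str(n) for n in parse_deny_networks(text) if ip in n]

if __name__ == "__main__":
    for net, size in coverage(SAMPLE_HTACCESS):
        print(f"{net:20} bans {size} address(es)")
    print("198.51.100.77 ->", banned_by("198.51.100.77", SAMPLE_HTACCESS))
```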
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: Jade Elizabeth on August 21, 2014, 08:55:01 PM
I never ban by IP, you never know when someone's in a library or using a friend's computer. Ban a user, if they come back and behave no problem. If they come back and cause ****** then ban them again and have staff that can do it.

Banning by IP is usually something I do temporarily if I do it at all because you can block legitimate users unintentionally. I once blocked an entire school (8 members) by mistake because someone was being nasty from it.
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: Ninja ZX-10RR on August 21, 2014, 09:01:35 PM
It is really useful when it comes to banning spambots and malicious crap trying to register continuously ;) I just look at each one of them and ban them straightaway so that they can't come back and waste more resources 8) it's also good in some cases if an annoying user creates multiple accounts and he doesn't know how to use browsers like Tor or similar services.
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: Jade Elizabeth on August 21, 2014, 10:24:07 PM
Waste of time. Install Stop Spammer and HTTPBL. They stop bots and spammers from registering without any additional effort from yourself.

http://custom.simplemachines.org/mods/?mod=1547
http://custom.simplemachines.org/mods/index.php?mod=2155

For more persistent bots add this (http://www.simplemachines.org/community/index.php?topic=489039.msg3446938#msg3446938) to your .htaccess:

# BLOCK USER AGENTS
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} AhrefsBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} spbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} DigExt [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Sogou [NC,OR]
RewriteCond %{HTTP_USER_AGENT} MJ12 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} majestic12 [NC,OR]
RewriteCond %{HTTP_USER_AGENT} 80legs [NC,OR]
RewriteCond %{HTTP_USER_AGENT} SISTRIX [NC,OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Semrush [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Ezooms [NC,OR]
RewriteCond %{HTTP_USER_AGENT} CCBot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} TalkTalk [NC,OR]
RewriteCond %{HTTP_USER_AGENT} Ahrefs [NC]
RewriteRule !^robots\.txt$ - [F]

# BLOCK BLANK USER AGENTS
RewriteCond %{HTTP_USER_AGENT} ^-?$
# Refuse the request with 403 Forbidden when the condition above matches
RewriteRule ^ - [F]
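
An added example, not from the linked topic or any poster here: the rule set above replayed against access-log lines, to see which logged requests it would have refused before enabling it. The log lines are constructed; it assumes the .htaccess sits in the document root and that the blank User-Agent condition is followed by a rule ending in [F].

```python
import re

# Patterns from the RewriteCond lines above. [NC] = case-insensitive; with no
# ^ or $ anchors, each one matches anywhere inside the User-Agent string.
PATTERNS = ["AhrefsBot", "spbot", "DigExt", "Sogou", "MJ12", "majestic12",
            "80legs", "SISTRIX", "HTTrack", "Semrush", "Ezooms", "CCBot",
            "TalkTalk", "Ahrefs"]
BLOCKED = [re.compile(p, re.IGNORECASE) for p in PATTERNS]
BLANK = re.compile(r"^-?$")  # empty header, or the "-" that access logs show for it

# Combined log format: client, ..., "METHOD path proto", status, size, referer, UA.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Aug/2014:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (compatible; AhrefsBot/5.0)"
203.0.113.8 - - [21/Aug/2014:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; mj12bot/v1.4)"
198.51.100.9 - - [21/Aug/2014:10:00:03 +0000] "GET /index.php?topic=1.0 HTTP/1.1" 200 900 "-" "ExampleBrowser/1.0 (TalkTalk edition)"
192.0.2.10 - - [21/Aug/2014:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0"
192.0.2.11 - - [21/Aug/2014:10:00:05 +0000] "POST /index.php?action=register HTTP/1.1" 200 300 "-" "-"
"""

def verdict(path, user_agent):
    """Return the pattern that would produce a 403, or None if the request passes."""
    # RewriteRule !^robots\.txt$ - [F] leaves robots.txt reachable for listed bots.
    if path.split("?", 1)[0] != "/robots.txt":
        for rx in BLOCKED:
            if rx.search(user_agent):
                return rx.pattern
    # Assumption: the blank User-Agent condition has a rule ending in [F] after it.
    if BLANK.search(user_agent):
        return "blank"
    return None

def forbidden_requests(log_text):
    """List (client, path, reason) for each logged request the rules would refuse."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and (reason := verdict(m.group(2), m.group(3))):
            hits.append((m.group(1), m.group(2), reason))
    return hits

if __name__ == "__main__":
    for hit in forbidden_requests(SAMPLE_LOG):
        print(*hit)
```

The third sample line shows the effect of unanchored patterns: any client whose User-Agent merely contains a listed word is refused, so a replay like this is a quick way to spot legitimate visitors caught by the list.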

Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: Ninja ZX-10RR on August 22, 2014, 09:58:04 AM
Nope about the mods, I have installed almost any anti-spam existing on the mod site.
Also I want to ban them from the .htaccess, but anyway the code you have provided is useful for that, thanks :) I will try it when I am home on the 25th, or the 26th if I am not online on the 25th.
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: Ninja ZX-10RR on August 29, 2014, 04:39:36 PM
Updated:

It should be "perfect" now. :D
Title: Re: [TIP/TRICK] How to ban users properly from .htaccess
Post by: DavidGreen on February 10, 2016, 06:04:20 AM
Quote from: Jade Elizabeth on August 21, 2014, 08:55:01 PM
I never ban by IP, you never know when someone's in a library or using a friend's computer. Ban a user, if they come back and behave no problem. If they come back and cause ****** then ban them again and have staff that can do it.

Banning by IP is usually something I do temporarily if I do it at all because you can block legitimate users unintentionally. I once blocked an entire school (8 members) by mistake because someone was being nasty from it.

That's a good point. Some people have the same IP so just banning an IP can end up getting rid of legit users. And lots of spammers are getting through on my forum even though I ask tough questions on my registration form so I guess they are real people manually signing up.

Right now I have no choice but manually approve messages before they get posted but I feel this stops the flow of chat as sometimes it can take me hours before I approve a comment so the legit users are suffering.

Thanks for the tutorial Ninja ZX-10RR I'll give this a go.