Block IP Address

Category: Blog • Posted by Jeff Starr

Quick post today showing some different ways to block visitors via their IP address. This can be useful for a variety of reasons, including stopping some stupid script kiddie from harassing your site, or preventing some creepy stalker loser from lurking around your forums, or even silencing the endless supply of angry trolls that never seem to get a clue. So many reasons why, and so many ways to block them. Continue reading to learn how to block any IP address using a thin slice of .htaccess.

Block a specific IP address

This is the one that most visitors to this page will want to use:

Deny from 123.123.123.123

Just change the IP address to the one that you want to block, and then add the code to your site's root .htaccess file.

Block a specific domain

To block a specific domain, add the following to your site's root .htaccess file:

Deny from 123.123.123.123/255.255.255.0

Then change the IP address and netmask values to match the network of the domain that you want to block.

Block multiple IP addresses

If you've got more than one IP address that you would like to block, you can deny them all at once:

Deny from 111.111.111.111 222.222.222.222 333.333.333.333

This will block the three specified IPs: 111.111.111.111, 222.222.222.222, and 333.333.333.333. Edit the IPs to match the ones that you want to block, and then add the line to your .htaccess file.

Block entire subnet

It's also possible to block an entire range of IPs. Here is an example where we block every IP that begins with 123.123:

Deny from 123.123

To block multiple ranges, we can do this:

Deny from 111 222.222 333.333.333

Once you get the pattern, the sky's the limit. Just be mindful of what you're doing; blocking an entire range of IPs is serious business.

Block IP based on CIDR

If you know the specific CIDR for the IP that you are trying to block, you can use this syntax:

Deny from 123.123.123.0/24

As with all of these rules, you can edit to match your target and then add to .htaccess.

Block IPv6 addresses

IPv6 addresses are becoming more common every day. If you want to block one via .htaccess, here is the proper syntax:

Deny from 2001:0db8:0000:0042:0000:8a2e:0370

You can also use either of these notations, depending on the target:

Deny from 2001:0db8:0000:0042
Deny from 2001:0db8:0000:0042:0000/10

Block IP based on regular expression

This IP-blocking method tests all addresses against a predefined regular expression via RewriteCond/RewriteRule directives:

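<IfModule mod_rewrite.c>
	RewriteEngine On
	# Matches 214.53.25.64 through 214.53.25.128 (dots escaped so they match literally)
	RewriteCond %{REMOTE_ADDR} ^214\.53\.25\.(6[4-9]|7[0-9]|8[0-9]|9[0-9])$ [OR]
	RewriteCond %{REMOTE_ADDR} ^214\.53\.25\.1([0-1][0-9]|2[0-8])$
	RewriteRule .* - [F]
</IfModule>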

There is probably a more efficient way to write the regular expressions in the previous example, but that should definitely get the job done.
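Before deploying a pattern like this, it helps to enumerate exactly which addresses it covers. The following is an added example, not code from the original post: it runs the two patterns (with escaped dots) over every possible final octet and summarises the result as CIDR blocks; the function names are hypothetical.

```python
import ipaddress
import re

# The two RewriteCond patterns from the example above, with the dots escaped
PATTERNS = [
    re.compile(r"^214\.53\.25\.(6[4-9]|7[0-9]|8[0-9]|9[0-9])$"),
    re.compile(r"^214\.53\.25\.1([0-1][0-9]|2[0-8])$"),
]

def blocked_octets(patterns=PATTERNS, prefix="214.53.25."):
    """Return every final octet (0-255) that at least one pattern matches."""
    return [n for n in range(256)
            if any(p.search(f"{prefix}{n}") for p in patterns)]

def as_cidr(octets, prefix="214.53.25."):
    """Summarise one contiguous run of final octets as CIDR blocks."""
    if octets != list(range(octets[0], octets[-1] + 1)):
        raise ValueError("octets are not one contiguous range")
    first = ipaddress.ip_address(f"{prefix}{octets[0]}")
    last = ipaddress.ip_address(f"{prefix}{octets[-1]}")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]

if __name__ == "__main__":
    octets = blocked_octets()
    print(f"blocked: {octets[0]}-{octets[-1]} ({len(octets)} addresses)")
    print("equivalent CIDR blocks:", as_cidr(octets))
```

The two CIDR blocks it reports can be used with the Deny from syntax shown in the CIDR section instead of the regular expressions.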

Redirect based on IP address

Instead of blocking visitors based on IP address, you can redirect them to another location. Here's how to do it using Apache's mod_rewrite:

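<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteCond %{REMOTE_ADDR} ^111\.111\.111\.111$
	# Skip the redirect target itself, otherwise the visitor is redirected in a loop
	RewriteCond %{REQUEST_URI} !^/index\.php$
	RewriteRule .* /index.php [R=301,L]
</IfModule>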

You can of course change the IP to match the one you are targeting, and then edit /index.php to match the URI to which any matching requests should be sent. Here is another example to help illustrate the technique:

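<IfModule mod_rewrite.c>
	RewriteEngine On
	# REMOTE_ADDR is always the client IP; REMOTE_HOST may be a hostname when HostnameLookups is enabled
	RewriteCond %{REMOTE_ADDR} ^123\.123\.123\.123$
	RewriteCond %{REQUEST_URI} /requested-page\.html
	RewriteRule .* /just-for-you.html [R=301,L]
</IfModule>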

Here we are checking the IP and the requested URI. If there's a match, then the request will be sent to /just-for-you.html. To use this redirect, simply edit the IP address, requested page, and redirect page. Copy and paste the code into your .htaccess file and upload to your server.

Block specific request types

Let's say that you only want to block some visitor from, say, posting content via a form on your site. That can be done by using Apache's <Limit> container:

<Limit POST>
	Order Allow,Deny
	Allow from all
	Deny from 123.123.123.123
</Limit>

Notice the POST specified in the <Limit> container? That's the key, and you can change that to target any request type.

Here is an example of the inverse case, where we want to allow posting from only our own IP address, while denying POST requests for everyone else:

<Limit POST>
	Order Deny,Allow
	Deny from all
	Allow from 111.111.111.111
</Limit>

Notice the reversal of the Order directive: here we are denying first, then allowing, which provides the logic required for this technique.

Complete notation

While it's fine to simply add a single line, like Deny from 123.123 in your .htaccess file, there is a more complete syntax that can be used. Here are a couple of examples:

Order Allow,Deny
Allow from all
Deny from 123.123.123.123/26

Notice the extra logic involved with this more "correct" syntax: here we are specifying the Order directive, which enables us to change Apache's default order, which is Allow,Deny. So when we include only a single Deny from line (as in our previous examples), it works because we are using the default order of Allow,Deny. That's why it's fine to exclude the extra lines. Or, if desired, we could change the order explicitly:

Order Deny,Allow
Deny from all
Allow from 111.111.111.111

Here we first deny access to everyone, and then allow only the specified address. Combining this syntax with the <Limit> container, we can do cool things like enable POST and PUT requests only from our own IP address. For example:

<Limit POST PUT>
	Order Deny,Allow
	Deny from all
	Allow from 111.111.111.111
</Limit>

Combining these techniques with previous examples, your IP-blocking powers are complete.
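To check a rule set against test addresses before uploading it, this added example (not code from the original post) models how the address forms used above (full IP, partial address, network/netmask, CIDR) and an explicit Order setting decide a request. It is a simplified model of the evaluation rules documented for Apache's mod_access_compat; the function names are hypothetical, and hostnames, partial IPv6 forms and <Limit> are not handled.

```python
import ipaddress

def to_network(spec):
    """Convert one address form used on the page into an ip_network."""
    if "/" not in spec and ":" not in spec:
        octets = spec.split(".")
        if len(octets) < 4:
            # Partial address: "123.123" means the first two bytes, i.e. 123.123.0.0/16
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    # Full address, network/netmask or CIDR; strict=False masks off host bits
    return ipaddress.ip_network(spec, strict=False)

def matches(client, specs):
    """True if the client falls inside any listed spec ("all" matches everyone)."""
    addr = ipaddress.ip_address(client)
    return any(s == "all" or addr in to_network(s) for s in specs)

def is_allowed(client, order, allow=(), deny=()):
    """Apply the Order semantics documented for mod_access_compat."""
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "Allow,Deny":
        # Client must match an Allow line, and any matching Deny line wins
        return allowed and not denied
    if order == "Deny,Allow":
        # Client is let in unless a Deny matches and no Allow overrides it
        return allowed or not denied
    raise ValueError(f"unknown Order: {order}")

# Rule sets copied from the "Complete notation" section
BLOCK_RANGE = {"order": "Allow,Deny", "allow": ["all"], "deny": ["123.123.123.123/26"]}
ALLOW_ONE = {"order": "Deny,Allow", "deny": ["all"], "allow": ["111.111.111.111"]}

if __name__ == "__main__":
    # Constructed test clients
    for client in ["123.123.123.100", "123.123.123.200", "111.111.111.111"]:
        print(client,
              "| block-range:", is_allowed(client, **BLOCK_RANGE),
              "| allow-one:", is_allowed(client, **ALLOW_ONE))
```

If the Deny from all and Allow from 111.111.111.111 lines are placed under Order Allow,Deny instead of Deny,Allow, the Deny line wins and even 111.111.111.111 is refused.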

Reminder

Remember to always make a backup of anything that you intend to modify, and then test well before going live with any new rules. Play it safe and have some fun.
