How to block a range of IPs
How to block a range of IPs from spamming your web site

The following example would be used by an administrator to deny "CIDR blocks" the ability to access your web site or mail server. This is particularly useful when you are being hammered by the same IP addresses or want to deny countries, ISPs and larger networks access to your IT network. Many of these attacks come from servers in countries where you have ability to stop the attacks.

Take for example a recent slam of attacks on a new dedicated server I’ve been working on – all of which failed due to recent preventative security endeavors – but all incoming from a block of related IP addresses from a server in another country, all of whose addresses had 217.32.161.x in common. I added their CIDR block to my list of denied IPs and it was no longer a problem. The best way to avoid trouble from said attacker is to just deny access to anything on the server by denying the range of IP addresses indicated in my security logs.

I'll share two approaches that we use here at Safe Links to block a range of IP addresses. One solution works at the firewall level, the path I prefer on dedicated servers; the other blocks IP ranges via the .htaccess file, which we employ on sites hosted on a shared server. Both implementations block IP addresses from 217.32.161.0 through 218.25.162.255.

But what happens if I only want to block a smaller set of addresses? Like those coming from someone abusing their DSL service, whose dynamically assigned IPs may only span 217.32.161.150 through 217.32.161.200. That becomes trickier, as it requires both a knowledge of the ‘CIDR notation’ and the bit mapping that goes along with it. An easy-to-use service which performs all the bit-blasting, while also “aligning” the range so it can be expressed in correct CIDR notation.

We use a PIX firewall, which is by far one of the hardest firewalls to manage. Most people use SonicWall, Netgear, Snapgear or similar, which are much easier to handle. These examples will assume you do not have a PIX. If you did, you would already know how to do this.

In this example we will try to block an IP address of 123.456.789.101. For firewalls other than the PIX, most of it is web page driven. Simply log in and add the address to the list of blocked IPs. For example, if you want to add a specific computer or "host", just add the address above. If it asks you for a subnet mask, put 255.255.255.255. That mask means "that specific computer".

Let's say, however, that you look at your logs and see that not only is the above address spamming you but also other addresses like 123.456.789.200-225. In this case you might choose to block the entire subnet. You would then block all 254 addresses on the subnet by using 123.456.789.0 mask 255.255.255.0.

It's easier to get more granular than this by using CIDR notation. But you need to read the above links to figure it out. If you are serious and want help, email me. Otherwise, Safe Links has thousands of IP addresses it already blocks from spammers and web attacks. We can protect your network with our Internet filter and anti-spam solutions. If you choose to do it yourself, email me and I will help you.
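The bit mapping behind the 217.32.161.150 through 217.32.161.200 case and the "more granular" CIDR remark above, as an added example (not code from the original page): `exact_cidrs` lists the CIDR blocks that cover exactly that range, and `aligned_block` gives the single aligned block around it together with the number of unrelated addresses that block would also deny. The function names are assumptions made for this illustration.

```python
import ipaddress

def _bounds(first, last):
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first, last))
    if lo > hi:
        raise ValueError("first address is above last address")
    return lo, hi

def exact_cidrs(first, last):
    """CIDR blocks covering first..last and nothing else (hypothetical helper)."""
    lo, hi = _bounds(first, last)
    blocks = []
    while lo <= hi:
        # Largest block that can start at lo: its size is lo's lowest set bit.
        size = lo & -lo if lo else 1 << 32
        # Halve it until it no longer runs past the end of the range.
        while size > hi - lo + 1:
            size >>= 1
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(ipaddress.IPv4Network((lo, prefix)))
        lo += size
    return blocks

def aligned_block(first, last):
    """Smallest single CIDR block holding the range, plus the number of
    addresses outside the range that it also covers (hypothetical helper)."""
    lo, hi = _bounds(first, last)
    # Every bit in which lo and hi differ has to be a host bit.
    prefix = 32 - (lo ^ hi).bit_length()
    net = ipaddress.IPv4Network((lo, prefix), strict=False)
    return net, net.num_addresses - (hi - lo + 1)

if __name__ == "__main__":
    first, last = "217.32.161.150", "217.32.161.200"  # range from the article
    for net in exact_cidrs(first, last):
        print(f"{net}  mask {net.netmask}")
    net, extra = aligned_block(first, last)
    print(f"single block {net} mask {net.netmask} also denies {extra} other addresses")
```

The exact list costs five deny entries; the single aligned block costs one entry but also shuts out addresses that never appeared in the logs.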