I’m writing this because blocking by domain on my hosts pretty much kills my web site and so I have had to learn to block ip addresses. Blocking single ip addresses is simple as you just need something like the following

order allow,deny
deny from 9.120.161.206
allow from all

And that will block the computer at ip address 9.120.161.206 from being able to access your site. But what if you want to block a whole range of ip addresses such as 9.120.161.0 to 9.120.161.255? Well then we just leave off the end number like this

order allow,deny
deny from 9.120.161.
allow from all

Ok so now we get to the clever and damn fiddly bit. As of Apache 1.3 we can use CIDR codes to specify ranges of ip addresses. So another way of writing the above code would be

order allow,deny
deny from 9.120.161.0/24
allow from all

and that would do exactly the same as 9.120.161. but we can do so much more. After the break (ie click the read more link) I will show a list of the CIDR codes and what they do.

Ok first thing we need to do is explain that CIDR goes from 0 to 32. 0 covers every possible ip address, all 4,294,967,296 of them so doesn’t really get used much. As CIDR is based on bits the number of ip addresses blocked doubles as we go down the list.

32 only block the single ip address so is a bit pointless
31 blocks 2 address so would block 127.0.0.1 and 127.0.0.2. Could just as easily be like 127.0.0.19/31 as you can start from any ip address
30 blocks 4 ip address so 127.0.0.1 to 127.0.0.4
29 blocks 8 ip address so 127.0.0.1/29 would block 127.0.0.1 to 127.0.0.8 (starting to see a pattern?)
28 down to 25 I’m sure you can figure out. It’s from 24 it gets interesting.
24 blocks a whole sub set of ip addresses (thats 256 addresses) so we can use 127.0.0.0/24 to block 127.0.0.0 to 127.0.0.255
23 blocks 512 address so that’s 2 entire subsets. 127.0.0.0/23 would block 127.0.0.0 to 127.0.1.255
22 is 1024 addresses or 4 sub sets
21 is 2048 or 8 sub sets
20 is 4096 address or 16 sub sets (like 127.0.0.0 to 127.0.15.255)
19 would be 8192 address so 32 sub sets. I used this one when blocking keyweb.de servers
18 is 16384 or 64 sub sets
17 equals 32768 addresses and I used it to block some layeredtech
16 is the lowest CIDR code I have used and that covers 65536 addresses or 256 sub sets. This is again used to block LayeredTech.

I’m pretty sure you can work the rest out for yourself from here on. I got my information from this Wikipedia entry. I will now post a couple I have used in my own htaccess and say why.

# These two are for layeredtech. Well known friend to spammers.
deny from 72.232.0.0/16
deny from 72.233.0.0/17
# Keyweb.de servers. Plenty of spam attempts from them
deny from 87.118.96.0/19
# Dragonara.net just started getting spam attempts from them
deny from 194.8.74.0/23

A few days ago I installed the Bad Behavior plugin for Word Press just as an extra way of combatting spam comments etc. In 2 days it’s blocked 49 attempts by malicious scripts to access this blog. I just looked at the log and most of them are attempts to run a remote PHP script to see if I am running a vulnerable script. The remote scripts are all the same and simply contain

<?php /* Fx29ID */ echo("FeeL".CoMz"); die("FeeL"."CoMz"); /* Fx29ID */ ?>

Basically from what I can see there is a bunch of script kiddies who like to call themselves hackers but haven’t got the first clue about real hacking. All they can do is follow step by step instructions they have found on security web sites. A real hacker is a person who actually knows how things work and looks for ways to exploit them so that the makers can make the products more secure.

Had quite a few hits on this one with people searching for information so have decided to add some.

If you are running Word Press then I highly recommend installing the Bad Behavior plugin as this has, to my knowledge, blocked all attempts by these kiddies. I have also added a couple of the banned useragents from Bad Behavior to my sites .htaccess file to prevent them accessing the site all together. It also blocks some known spambots.

SetEnvIfNoCase User-Agent "^libwww-perl*" spammer=yes
SetEnvIfNoCase User-Agent "^Mozilla/5\.0$" spammer=yes
SetEnvIfNoCase User-Agent "^Java/1*" spammer=yes
SetEnvIfNoCase User-Agent "^Java 1*" spammer=yes
SetEnvIfNoCase User-Agent "^<sc" spammer=yes
SetEnvIfNoCase User-Agent "^Jakarta*" spammer=yes
SetEnvIfNoCase User-Agent "^TrackBack*" spammer=yes
SetEnvIfNoCase User-Agent "^USERAGENT$" spammer=yes
SetEnvIfNoCase Via pinappleproxy spammer=yes
SetEnvIfNoCase X-AAAAAAAAAAAA 1 spammer=yes
Deny from env=spammer

Just remember it is also up to you to make sure that any scripts you are running on your site, be they a forum, a blog, a guestbook etc are the latest versions.

BTW if you came here because you found a file containing the FeeL.CoMz text from above then I’m sorry to say your site has already been exploited by this idiots. All you can do is look for other files last updated around the same time to see what else they did. Then make sure your scripts are updated.