Redirect IP addresses
by cw
Our server has been getting thumped by denial of service attacks and SQL injections; prats trying to break into B2Evo. So far it has weathered the storm well (thanks Francois Planque!). The logs let us know what URL the attacker attempted to clobber, and with what data. They also let us know the attacker's IP address.
After modifying the .htaccess file to block these sites and ranges, we decided to redirect the blocked IP addresses to a specified static URL, in order to let them know they can appeal the block. This is necessary if the address belongs to an ISP with dynamically assigned addresses and the offender is no longer on that address.
Following is the guide on how to set this up:
1. Create a static page with details on how to contact you in order to remove the block, why the block occurred, etc. You will need an HTML editor to do this, or a program capable of saving as a webpage, e.g. OpenOffice.
2. Save the page and any associated files to your webserver. Test the page by addressing it directly in your web browser.
3. Modify the .htaccess file, typically found in the webserver root directory. Be VERY careful and back it up first. You will typically have FTP access to your site, or the cPanel File Manager. If you are using a Microsoft-based webserver, then I'm sorry, I cannot help.
Example entries:
## Begin example
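RewriteEngine on
## Do not redirect requests for the block page itself, otherwise a blocked
## visitor loops forever (change /ipblock\.html to match your page's path)
RewriteCond %{REQUEST_URI} !^/ipblock\.html$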
RewriteCond %{REMOTE_ADDR} ^67\.228\.47\.154$ [OR]
RewriteCond %{REMOTE_ADDR} ^216\.187\.94\.160$ [OR]
RewriteCond %{REMOTE_ADDR} ^213\.174\.48\. [OR]
RewriteCond %{REMOTE_ADDR} ^213\.174\.56\. [OR]
RewriteCond %{REMOTE_ADDR} ^213\.174\.60\. [OR]
RewriteCond %{REMOTE_ADDR} ^213\.174\.62\. [OR]
RewriteCond %{REMOTE_ADDR} ^213\.174\.63\. [OR]
RewriteCond %{REMOTE_ADDR} ^211\.61\. [OR]
RewriteCond %{REMOTE_ADDR} ^211\.62\. [OR]
## Add new IPs to block above this point ^
## Use the same notation. A shorter line is a range, not a specific address.
## The last line here has no [OR] flag:
RewriteCond %{REMOTE_ADDR} ^78\.46\.51\.83$
RewriteRule .* http://example.com/ipblock.html [R,L]
## the following lines specifically block an entire address range, without redirect
order allow,deny
allow from all
deny from 65.55.
## END of example
Notes:
------
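The example shows the address format for both single IP addresses and IP ranges: a single address is written out in full and ends with $, while a range is the shorter pattern that stops after a dot. Each item needs [OR] after it unless it is the last one.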
Replace the "http://example.com/ipblock.html" with your static page's address.
For testing I recommend adding your own external IP, then removing it later!
I tried to find a blacklist of bad IPs. Apparently it numbered >30,000!! So this is really just a case of reactively doing the ones that have hit you.
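The [OR] and range notation described in the notes can be generated and checked with a short script rather than edited by hand. This is an added example, not part of the original post: the function names are hypothetical, the sample addresses are constructed from documentation ranges, and the REQUEST_URI condition assumes the block page is served by the same site.

```python
import re

def cond_pattern(entry):
    """'192.0.2.10' -> exact-match regex; '198.51.100.' -> prefix (range) regex."""
    is_prefix = entry.endswith(".")
    octets = (entry[:-1] if is_prefix else entry).split(".")
    if len(octets) > 4 or (len(octets) == 4) == is_prefix:
        raise ValueError(f"need a full address or a prefix ending in '.': {entry!r}")
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad octet in {entry!r}")
    body = r"\.".join(octets)
    # Exact addresses end in $; prefixes keep the trailing \. so that
    # 203.0.11. cannot also match 203.0.113.x
    return f"^{body}\\." if is_prefix else f"^{body}$"

def build_block(entries, page_url, page_path):
    """Return the mod_rewrite lines that redirect every entry to page_url."""
    patterns = [cond_pattern(e) for e in entries]
    if not patterns:
        # With no RewriteCond the RewriteRule would redirect every visitor.
        raise ValueError("refusing to emit a rule with no addresses")
    lines = ["RewriteEngine on",
             # Assumption: the block page is served by this same site, so it
             # is excluded to keep blocked visitors out of a redirect loop.
             f"RewriteCond %{{REQUEST_URI}} !^{re.escape(page_path)}$"]
    for i, pat in enumerate(patterns):
        flag = " [OR]" if i < len(patterns) - 1 else ""  # last one has no [OR]
        lines.append(f"RewriteCond %{{REMOTE_ADDR}} {pat}{flag}")
    lines.append(f"RewriteRule .* {page_url} [R,L]")
    return "\n".join(lines)

def is_redirected(entries, remote_addr):
    """Check which client addresses the generated patterns would catch."""
    return any(re.search(cond_pattern(e), remote_addr) for e in entries)

# Constructed sample list using documentation address ranges.
SAMPLE = ["192.0.2.10", "198.51.100.", "203.0."]

if __name__ == "__main__":
    print(build_block(SAMPLE, "http://example.com/ipblock.html", "/ipblock.html"))
    for ip in ("192.0.2.10", "192.0.2.100", "198.51.100.7", "203.0.113.9", "203.10.0.1"):
        print(ip, "redirected" if is_redirected(SAMPLE, ip) else "allowed")
```

Run it before uploading a changed .htaccess to confirm that a new entry catches only the addresses you intended.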
13/08/08 01:36:47 pm, 23440 views,





