.htaccess blocklist addition for prolific access log spammer
Today I reviewed my daily access log for this website, and I discovered a large number of repeated attempts to spam my access log, all coming from the IP address: 64.182.124.212. The spam attempt was referrer field entries for a medial search engine and a social networking and dating website.
The IP address 64.182.124.212 belongs to a web hosting company known as CI Host, and is assigned to hosting customer PacificAir.com, an amateur looking website. The spamvertised websites in the referrer field look just as amateur as the PacificAir website and are hosted on the same server. The IP range assigned to CI Host is 64.182.0.0 through 64.182.255.255, or in CIDR notation: 64.182.0.0/16.
The way I respond to attempts to spam my access logs is that I place the offending IP address, and/or CIDR of their hosting company, on my published IP blocklists. I did just that, placing the CIDR 64.182.0.0/16 on my Exploited Servers Blocklist. If you are getting spammed from the IP address 64.182.124.212 and want to block them in your .htaccess file, on your Apache Hhosted website, just add one of the following rules to a section labeled <Files *>:
<Files *>
order deny,allow
deny from 64.182.124.212
</Files>
If, like me, you decide to block the entire ISP/web hosting company, use this rule:
<Files *>
order deny,allow
deny from 64.182.0.0/16
</Files>
NOTE:
If you have your website hosted by CI Host please read the warning in my extended comments!
WARNING
If you have your website hosted by CI Host, on a server withing the IP range of 64.182.0.0 through 64.182.255.255 and you use this blocklist entry, you may block access to your own website. It's a good idea to discover your website's IP address first, just to be safe. You can do this from a Windows computer by opening a Command Window and typing in the following:
ping your-domain.com
Press Enter
Your website's IP address will be displayed in the results of the Ping test. You can also use Tracert your-domain.com to get the IP address.
If your IP is included in the blocked range you should poke a hole in the blocklist, as follows.
If some or all of your own webpages are 403'd by this blocklist, place your server's IP address(es)s after "allow from" below, just before the closing </Files>.
<Files *>
order deny,allow
deny from 64.182.0.0/16
#deny from - entire exploited servers list or other IP addresses, or CIDRs
allow from your server's IP
</Files>
Another way to avoid blocking access to a website hosted inside a denied IP range is to use all relative links on your web pages. This means that instead of having your internal links begin with http you would just have a forward slash (folder path) and file name. Here is an example of this: Instead of http://www.example.com/index.html you could use /index.html to go to your home page.
If you are interested in blocking unwanted traffic from other sources, I maintain published blocklists for China (and neighbors), Nigeria (and neighbors), and Russia and Turkey. Each of my blocklists is available in two formats; .htaccess and iptables. If your website is hosted on an Apache/Linux server and you have administrator/root access, you may be able to use the iptables format, in your Linux firewall. Otherwise, for shared hosting customers, use the .htaccess format in your public_html directory, or whatever your publicly visible web root folder is named.
If you find these blocklists beneficial to protecting your website, or server, donations are accepted on all of my blocklist pages and are most welcome.
If you like this article please share it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.