Protect your hosted websites from hackers with my .htaccess blocklists
July 2, 2017
If, like me, your website is on a shared hosting account, you can block unwanted traffic with an IP blocklist in your .htaccess file. That traffic may come from hackers, scammers, spammers or automated probes looking for unpatched, exploitable files.
What is .htaccess?
The file named .htaccess is a normally hidden server configuration file used by Apache web servers. Since most shared hosting websites run on this open source Apache software, the .htaccess file lets the webmaster control access to all or part of the website under his or her personal control. The leading dot in the file name tells the Apache server that it is a special control file and hides it from standard view. If you use a desktop FTP program to upload files to your website, you will have to find the setting that shows hidden files.
Read detailed information about how to use .htaccess here
Before you read any further, note that when editing or creating a .htaccess file, one incorrect or misplaced character, one misspelled word, or even a missing required space can cause a "Server 500" error that locks everybody out of the website, including you! Extreme caution and immediate follow-up testing in a browser are required whenever you alter a .htaccess file.
One of the important things to know when editing a .htaccess file is that personal comments and notes that are not actual commands must be preceded by a # character at the start of every line, including each new line (or paragraph) you start by pressing Enter. If you type notes without prefixing every line with the # character, you will cause a Server 500 lockout error.
Example of a properly formatted .htaccess personal note or comment:
# This is a note to myself. The following directives will block Chinese traffic
You must also learn which spellings and directives (aka commands) are allowed and which are not. A misspelled directive won't just be ignored. It will cause a Server 500 error. Note that some web hosting companies may not allow you to create or alter a .htaccess file without their express permission (then call or email them). Fortunately, those are few and far between. I can tell you with direct knowledge that Bluehost allows individual .htaccess files to be created and edited.
So, assuming you know how to safely edit your .htaccess file, let's delve into how my IP blocklists can help protect your Apache server shared hosting website from online hacks and probes.
I compile and use several IP blocklists to protect my own and some of my friends' websites from unwanted or outright hostile traffic. The very first one I created was the Nigerian Blocklist, which was and still is used to keep Nigerian 419 scammers from signing up for accounts, then attempting to scam members of the world famous Steel Guitar Forum. My ability to display and decipher email headers played a large part in creating that blocklist.
My second and third blocklists were the Russian and the Exploited Servers .htaccess blocklists. They were developed after I began reading my own website access logs and learning that all kinds of badness and log spamming was originating from Russian IP addresses and also from bad web hosts that rented out dedicated servers to shady operators, while turning a blind eye to SpamCop and Spamhaus reports.
The next list I developed is the most visited one yet: the Chinese Blocklist. I'd say you wouldn't believe how many vulnerability probes and hacking attempts come out of Chinese IP space, but if you're reading this you probably already know. It has gotten to the point that I had to write special .htaccess conditions to detect certain Chinese probes and automatically add them to a list of banned IPs, which I then research for their assigned CIDRs and add to the Chinese Blocklist.
The last blocklist I developed is the LACNIC Blocklist, which deals with South American as well as Mexican and Panamanian IP addresses. This blocklist began after I discovered a huge amount of badness hitting my access logs that came from Panama servers and infected Brazilian ISP customers. All of the IP addresses in this blocklist are registered to the LACNIC, which stands for "Latin America and Caribbean Network Information Centre." As of late, most additions to this blocklist are Brazilian IP addresses.
All of the above .htaccess blocklists are available in two different formats. The original blocklist files are for Apache servers up to version 2.2.3. The others cover the newer versions of Apache, from 2.4 onward. The directives in the original versions are not guaranteed to be compatible with a newer version of Apache, unless the host has included a particular module that bridges the old and new .htaccess directives. Before you attempt to include any of my blocklists into your .htaccess, ask your web host's support department, or log into your cPanel to see what version of Apache your site is running on.
You can see the different directives for older and newer versions of Apache by reading the beginning of each line of IP addresses in the original version of the Chinese Blocklist vs. the newer version, with the file name chinese-blocklist_2_4.html. The older version uses "deny from" whereas the newer version uses "Require not ip."
What happens when someone from an IP on a blocklist visits your website?
When a request for a web asset comes in from any IP that is within a blocklisted CIDR (often a large range of hundreds, thousands, or even millions of IPs), the visitor receives a Server 403 Forbidden response. If you have set up a custom 403 page, it will be shown to that visitor. The way my published blocklists are configured, all files under the directory and subdirectories in which that .htaccess resides are forbidden. That means that if you place the blocklist directives inside the main .htaccess in your web root (e.g., public_html), all files and folders will be affected. You are free to edit the <Files> directive to block only certain directories or file types, or to place the blocklist .htaccess inside a particular directory where it will block just that folder tree.
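To show how the two directive styles from the previous sections fit together, here is an added example .htaccess fragment (not one of the published blocklists) that carries the same block rule for both Apache generations, so the file works whichever version the host runs. The CIDRs are RFC 5737 documentation ranges used as placeholders, and /403.html is an assumed custom error page.

```apacheconf
# Added example, not from the Wizcrafts blocklists.
# Comments must sit on their own line; Apache does not accept a trailing # after a directive.
# Placeholder ranges below are RFC 5737 documentation networks, not real offenders.

# Show a custom page instead of the bare "403 Forbidden" response.
ErrorDocument 403 /403.html

# <Files *> applies the rule to every file in this directory and its subdirectories.
<Files *>
  # Apache 2.4 and later: mod_authz_core supplies "Require".
  # "Require not ip" is only valid inside <RequireAll> next to a positive rule.
  <IfModule mod_authz_core.c>
    <RequireAll>
      Require all granted
      Require not ip 192.0.2.0/24
      Require not ip 198.51.100.0/24
      Require not ip 203.0.113.0/24
    </RequireAll>
  </IfModule>

  # Apache 2.2: the older Order/Allow/Deny syntax.
  # This branch is skipped on 2.4, so the two styles are never mixed in one scope.
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from 192.0.2.0/24
    Deny from 198.51.100.0/24
    Deny from 203.0.113.0/24
  </IfModule>
</Files>
```

After uploading, request a page from a blocked range (or temporarily add your own IP, then remove it) and confirm you get the 403 page rather than a Server 500 error.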
The addition of an IP blocklist adds a layer of defense against bad bots, script kiddies and automated probes. It cannot stop a determined human hacker who can hide behind a variety of IP proxies, many of which are not on a blocklist (yet). A lot of these probes are for unpatched, exploitable CMS software, like Joomla, WordPress, some shopping carts and guestbooks. If you are using any of these PHP-driven 1-Click install scripts and are not making sure they are updated (better yet, auto-updated) as soon as vulnerabilities are announced, your website will likely be compromised.
If you find this information useful, please consider making a donation for my efforts.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.