KnightsMultiMedia Posted May 13, 2014

Hi, I webmaster multiple sites and at the moment run PHP code to block unwanted IP addresses because of bad submissions. I am running this code at the moment:

```php
<?php
// IP addresses that are denied access
$deny = array("159.224.160.42", "91.200.14.59", "146.0.74.205", "91.200.14.59", "5.39.219.26", "91.232.96.8", "216.151.137.34", "216.151.137.35", "216.151.137.36", "213.238.175.4", "91.232.96.2", "188.92.75.82", "91.207.7.141");

// Redirect denied visitors away from the site
if (in_array($_SERVER['REMOTE_ADDR'], $deny)) {
    header("location: http://www.cnn.com/");
    exit();
}
?>
```

The problem is that each time I want to block a person I have to add their IP address to all the index.php files. I would like to run this code but get the IP addresses from a single site, my main site. Please help me with what the file would look like on my site, and how I would read it in so that the array would look like the above.

Thanks
Warren

Mothy Posted May 13, 2014 (edited)

Blocking users by IP isn't always the best way to go, as users easily fake their IP. Having said that, if you are dead set on this you would be best to store all blocked IPs in a database and simply search the database for the user's IP address. You could create a MySQL database with a table which stores all IP addresses, then use PHP (either mysqli or PDO) to search for the user, e.g.:

```sql
SELECT ID FROM blocked_users WHERE IP = ?
```

and if any rows are returned you use the header...

The advantage of this is, assuming you have a database host that accepts external requests, you can use the same code snippet on ALL of your pages. Having said that, if they go to (for example) the /about page, have you put in the same code, or are you using an MVC structure so that the user always goes through the index page?

I would recommend forwarding the blocked user to a 403-Forbidden page rather than just cnn.com.

If you don't want to have to edit the database via phpMyAdmin, you could then make a simple form for inputting IP addresses...

There are many tutorials around for connecting a database to PHP, but you should use one of the above functions and NOT the deprecated mysql function.

Edited May 13, 2014 by Mothy

MDCode Posted May 13, 2014

Blocking by IP can be bypassed by a proxy or other. If you want to do it cross domain without creating load with Remote MySQL, something like requesting a txt file could work if you have allow_url_fopen set to On.

If you have each IP separated by a new line in a txt file such as

```
1.2.3.4
2.3.4.5
3.4.5.6
```

You could do something like:

```php
<?php
// Fetch the newline-separated IP list from the main site
$ip_list = file_get_contents("http://yourdomain/file.txt");

// If the request failed, fall back to an empty list; trim stray whitespace and \r
$ip = ($ip_list === false) ? array() : array_map('trim', explode("\n", $ip_list));

if (in_array($_SERVER['REMOTE_ADDR'], $ip, true)) {
    // Do your stuff
}
?>
```

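Added example, not part of MDCode's post: a fuller version of the remote-list fetch described above, which validates each entry, caches the list locally so the main site is not hit on every request, keeps working if the main site is unreachable, and answers with 403 as suggested earlier in the thread. The URL, cache path, `X-Blocklist-Token` header and `BLOCKLIST_TOKEN` environment variable are all assumptions made for the illustration.

```php
<?php
// Added example: all names, URLs and paths below are placeholders, not from the thread.
const LIST_URL  = 'https://main.example/blocklist.php'; // hypothetical endpoint on the main site
const CACHE     = '/var/cache/mysite/blocklist.txt';    // hypothetical path outside the document root
const CACHE_TTL = 300;                                  // seconds between refreshes

// Parse a newline-separated body into a set of valid IPs.
// Handles \r\n endings, blank lines and junk (e.g. an HTML error page).
function parse_blocklist(string $body): array
{
    $set = [];
    foreach (preg_split('/\R/', $body) as $line) {
        $ip = trim($line);
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            $set[$ip] = true;
        }
    }
    return $set;
}

// Return the cached list, refreshing it from the main site when it is stale.
function load_blocklist(): array
{
    $fresh = is_file(CACHE) && time() - filemtime(CACHE) < CACHE_TTL;
    if (!$fresh) {
        $ctx = stream_context_create(['http' => [
            'timeout' => 2,
            // hypothetical header carrying a shared secret from the environment
            'header'  => 'X-Blocklist-Token: ' . (getenv('BLOCKLIST_TOKEN') ?: ''),
        ]]);
        $body = @file_get_contents(LIST_URL, false, $ctx);
        if ($body !== false) {
            file_put_contents(CACHE, $body, LOCK_EX);
        } else {
            touch(CACHE); // main site down: keep the old copy, retry after the TTL
        }
    }
    $cached = is_file(CACHE) ? file_get_contents(CACHE) : false;
    return parse_blocklist($cached === false ? '' : $cached);
}

// Run the check only when serving a web request.
if (PHP_SAPI !== 'cli') {
    $blocked = load_blocklist();
    if (isset($blocked[$_SERVER['REMOTE_ADDR'] ?? ''])) {
        http_response_code(403);
        exit('Forbidden');
    }
}
```

Fetching over `https://` needs the openssl extension in addition to allow_url_fopen.
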
Mothy Posted May 13, 2014

If you want to avoid the use of a database like SocialCloud has suggested, you could also store the IPs in a JSON format and use json_decode(file_get_contents($filename), true) to convert this to an array.

Jacques1 Posted May 13, 2014

Hi,

blocking IP addresses is not only naïve, it's downright harmful, because it will affect many legitimate users as well.

Contrary to popular belief, one IP address does not equal one person. There are proxies, VPNs, hotspots, company networks, private networks, Tor nodes etc. If you (accidentally) block their addresses, you'll lock out hundreds or even thousands of innocent people.

So the solution is: Don't do it.

If you insist on the brute-force way, you'll need more than a simple text file. You have no right to publish the blocked IP addresses, so you can't just put them into a public file. At the very least, you must limit access to the specific IP addresses of the other servers. But you actually need an authentication mechanism, that is, the other servers must provide a password or certificate to prove their identity. Only then may you hand out the blocked IP addresses.

Are you sure you wanna go through this for a silly blacklist?

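Added example, not part of Jacques1's post: one way the main site could hand out the list only to the other servers, combining the address restriction and the shared password described above. The file path, peer addresses, `X-Blocklist-Token` header and `BLOCKLIST_TOKEN` environment variable are assumptions made for the illustration.

```php
<?php
// blocklist.php on the main site. Added example: paths, peer IPs and the
// header name are placeholders, not values from the thread.
const LIST_FILE     = '/srv/private/blocklist.txt';  // hypothetical, outside the document root
const ALLOWED_PEERS = ['192.0.2.10', '192.0.2.11'];  // constructed addresses of the other servers

// True only for a known peer that also presents the shared secret.
function is_authorized(array $server): bool
{
    $expected = getenv('BLOCKLIST_TOKEN') ?: '';     // assumption: secret set in the environment
    if ($expected === '') {
        return false;                                // no secret configured: refuse everyone
    }
    $peer_ok  = in_array($server['REMOTE_ADDR'] ?? '', ALLOWED_PEERS, true);
    $token    = $server['HTTP_X_BLOCKLIST_TOKEN'] ?? '';
    $token_ok = is_string($token) && hash_equals($expected, $token); // constant-time compare
    return $peer_ok && $token_ok;
}

function is_https(array $server): bool
{
    return !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
}

if (PHP_SAPI !== 'cli') {
    // Refuse plaintext requests so the secret and the list never cross the wire unencrypted.
    if (!is_https($_SERVER) || !is_authorized($_SERVER)) {
        http_response_code(403);
        exit;
    }
    header('Content-Type: text/plain; charset=utf-8');
    header('Cache-Control: no-store');
    readfile(LIST_FILE);
}
```

Behind a TLS-terminating proxy `$_SERVER['HTTPS']` is not set, so the HTTPS check would have to be adapted to that setup.
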
Psycho Posted May 13, 2014

"You have no right to publish the blocked IP addresses . . ."

What do you base that comment on? I've never seen any information that states an IP address is considered PII (personally identifiable information) that has to be safeguarded. Although it would be a bad business decision to expose IP addresses, they are 'public'. This page, supposedly a Google blog, seems pretty clear that it is not confidential information but that they take the conservative approach to protect the information.

"the IP addresses recorded by every website on the planet without additional information should not be considered personal data, because these websites usually cannot identify the human beings behind these number strings"

While I agree that blocking by IP is not foolproof, there really isn't much that is. Even large sites use IP blocking - my company (a very large world-wide organization with thousands of employees) has been struggling with Google detecting us as potentially malicious. Many times Google will require us to enter a captcha to perform a search.

If the problems are with automated processes, those can usually be thwarted with UI preventatives (such as captcha or capturing JavaScript events - e.g. onclick). But, if it is a malicious user, then sometimes an IP block is the only way. Yes, they can spoof their IP address, but it may not be worth that person's trouble to do that and they will turn their efforts elsewhere.

Jacques1 Posted May 13, 2014

No offense, but I find your approach to privacy and security rather narrow-minded and cynical.

Have you considered that privacy is a value by itself and that protecting user-related data is a matter of fairness? It's not always about money and laws. Which websites I've accessed at which point of time with my IP address is none of anyone's business. I definitely do not want this data to be in some public text file, regardless of whether or not U.S. legislation agrees.

Is it so hard to respect this? Is it unthinkable to do something simply because it's the right thing to do?

If people want their silly IP blacklists, by all means, let them have them. But violating the privacy of (innocent) visitors is unacceptable.

MDCode Posted May 13, 2014

Chmod the txt file to 0640 and it won't be publicly accessible. It would take development knowledge to view it. One could even go farther and instead of requesting a txt file, request a php file that pulls the IP list from the database, or, load a txt file with stricter rules outside of the document root.