How do I block certain IP addresses from accessing my site

Hello everyone

I am not sure if this is the correct place to ask this question, but since it involves PHP I felt that I should try. I have 3 questions:

  1. What is the best way to block a region/country from accessing a site?
  2. Is it possible to create a ‘fake IP address’ so that it fools a website into thinking the user is accessing the site from a different country?
  3. Where can I get the list of IP addresses from?

I have built a travellers' members site (a guide to travelling around the world); the problem is that I have fake travellers registering on the site and then targeting legitimate members with fake scams.

I am now spending a substantial amount of my time searching out these fake members and deleting them from the site. I have noticed that all the fake travellers come from a certain African country (I will not mention the name but I suspect that everybody knows which country I am talking about).
Accordingly, rather than waste my valuable time on ‘search and delete’ operations, why not simply block the entire country or region from where the scammers are accessing the site?

Question One

What is the best and most cost-effective way to block a region or country?

I realise that it’s possible to use .htaccess to block regions/countries, but I have also read that this solution is very consuming on your systems and also slows your systems down. Is there a PHP/MySQL solution that will not be a drain on my systems and will also not slow down my site?
I was thinking of using the following function to block users from registering on the site.

It works by simply checking whether the IP address of a ‘proposed new member’ is a blocked IP address:


// First obtain the IP address of the user
$value = mysqli_real_escape_string($dbc, $_SERVER['REMOTE_ADDR']);

// Next, check if it's a banned or blocked IP address.
// If a banned IP address is submitted, the function returns an empty string,
// and since the system requires an IP address for registration,
// the user is simply prevented from registering.
function banned_IPaddresses($value) {

    $banned_IP = array('91.228.1.85');

    // Exact comparison: a substring test (stripos) would also ban
    // unrelated addresses such as 191.228.1.85.
    if (in_array($value, $banned_IP, true)) {
        return '';
    }

    // Not banned: hand the address back unchanged.
    return $value;
}


Question Two

I am using the code below to track the IP address of users to my site. The problem is that I am now engaged in a ‘cat and mouse game’ with this scam gang; they know that the ONLY WAY that I have been able to catch them thus far is by their IP addresses (i.e. they claim on their profile that they live in one country but the IP address clearly shows that they are actually accessing the site from another country).

I am therefore extremely concerned that they will soon find a way to fool my systems into thinking that they are indeed accessing the site from the stated country.

My question therefore is this: is it possible to do this, or can I rely upon the code below to give me an accurate reading of where a user is accessing my system from?
If not, is there a better system/function for tracking IP addresses?



$IP = mysqli_real_escape_string($dbc, $_SERVER['REMOTE_ADDR']);

$SSID = htmlentities(SID);

// If IP address exists,
// get country (and city) via api.hostip.info
if (!empty($IP)) {
    // urlencode() keeps the address a single, well-formed query parameter
    $country = file_get_contents('http://api.hostip.info/get_html.php?ip=' . urlencode($IP));

    // file_get_contents() returns false when the lookup fails
    if ($country !== false) {
        // Reformat the data returned (keep only country and country abbr.)
        list($_country) = explode("\n", $country);
        $_country = str_replace("Country: ", "", $_country);
    }
}



Question Three
Does anybody know where I can find the codes for IP addresses, i.e. the country and region codes?

Thank you very much for your help everyone.

Warm regards

Andreea

There are some types of proxy servers that do not identify themselves as such, nor do they make the original IP address available. So that’s just one example of a situation where you wouldn’t be able to rely on IP address :confused:

Also, for what it’s worth (and particularly for a travelling website), automatically banning an entire country because of a few scammers seems a little harsh.

I would recommend that you use the iptables firewall tool on your server to block certain IP addresses. In this way, they will be blocked at the connection level instead of the web server level.

Another alternative solution might be blocking in .htaccess.

Terry.

Hi,

I’m with terry_79. You should use your firewall (if it supports iptables) or an iptables chaining tool to block certain IP addresses. This is a far more reliable way of filtering individual addresses and even ranges of addresses, although this is, as you said, ‘a cat and mouse game’.

Most of the IP addresses you will block come from compromised systems. In most cases hackers/spammers don’t use the same IP for very long and they know it will be blocked.

Still, hardware firewall IP blocking is a low-cost, effective way to block I.P.s. You can put together a pretty good firewall like PFSense on even a slightly older desktop machine. You only need more robust hardware if you run VPNs on them, but if it was used for blocking I.P.s then an older system may be fine. It also has Intrusion Detection (using SNORT) and there are Inline Antivirus plugins that you can have (again your hardware may need to be a little more robust).

Regards,
Steve

You can also check out free software firewalls, like Config Server Firewall. They can achieve the same result without the need of additional hardware. If you find that most of your issues are coming from certain regions/countries, you can block by IP range instead of individual IPs. IE: 192.168.. or whatever. Most regions/countries will use a specific range.

As said above, blocking by IP isn’t 100% as people can change their IPs or use various proxy services… but it can help reduce the problem some.

Just like with security, there is no fool-proof approach. The best you can do is make it as inconvenient as possible for the spammer and hope they don’t want to put in the effort to get around your measures.
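An added example, not code from any poster in this thread: an exact-address and range (CIDR) blocklist check in PHP, covering both the single-IP check from the first post and the range blocking suggested above. The function names `ip_in_cidr` and `is_blocked` are hypothetical, and the two ranges are constructed documentation ranges; only `91.228.1.85` comes from the thread.

```php
<?php
// Added example; ranges are constructed apart from the address in the post.
const BLOCKED_RANGES = [
    '91.228.1.85',        // single address from the post
    '203.0.113.0/24',     // constructed IPv4 range (documentation block)
    '2001:db8:bad::/48',  // constructed IPv6 range (documentation block)
];

// True if $ip lies inside $cidr; a bare address means /32 (or /128 for IPv6).
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ipBin  = @inet_pton($ip);
    $netBin = @inet_pton($net);
    // Reject malformed input and IPv4/IPv6 family mismatches.
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $max = strlen($ipBin) * 8;
    // A non-numeric prefix must not silently become /0 and match everything.
    if ($bits !== null && (!ctype_digit($bits) || (int) $bits > $max)) {
        return false;
    }
    $bits  = ($bits === null) ? $max : (int) $bits;
    $bytes = intdiv($bits, 8);
    // Compare the whole bytes, then the leftover high bits of the next byte.
    if (strncmp($ipBin, $netBin, $bytes) !== 0) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$bytes]) & $mask) === (ord($netBin[$bytes]) & $mask);
}

function is_blocked(string $ip, array $ranges = BLOCKED_RANGES): bool
{
    foreach ($ranges as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}
foreach (['91.228.1.85', '191.228.1.85', '203.0.113.77', '2001:db8:bad:1::5'] as $ip) {
    echo $ip, ' => ', is_blocked($ip) ? 'blocked' : 'allowed', PHP_EOL;
}
```

Comparing the packed binary form avoids the substring trap of string matching, where `191.228.1.85` would be caught by a rule meant for `91.228.1.85`.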

The problem with software firewalls is that the machines they run on can get compromised more easily with viruses, malware, adware because of inconsistent patching, user behaviour and vulnerabilities in desktop OSes. The Linux-based firewalls, like the one I suggested, have a far more secure and streamlined kernel that is less vulnerable. They come with excellent ‘hands-off’ updates, and they have far greater controls to filter. The dedicated hardware also offloads the performance hit that you may have (depending on your traffic) on a local machine running a software firewall; they are better at allowing a site to have good performance with multiple connections.

Steve

I agree wholeheartedly. Software firewalls also don’t do a very good job at protecting against DOS attacks. Unfortunately though, not everyone has the resources or know-how to install/set up their own hardware firewall. In cases like that, a software firewall can be “the next best thing”.

Yes, software firewalls are not good at preventing DOS attacks, but they are a good (and cheap) start. What I would do is use iptables + Apache’s access log (piped to a PHP script). With the help of Apache’s access log (piped to a PHP script), I can notice IP addresses causing too many requests and dynamically set up the iptables config to block those IP addresses for x hours/days/weeks. I already use this method on my server and have prevented many bot accesses from Russia- and India-based IP addresses :slight_smile:
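A sketch of the access-log approach described in the last post, added here as an example and not the poster's own script: it counts requests per IP in a sliding time window and builds, without executing, the matching iptables rule. The log lines are constructed, the names `find_noisy_ips` and `block_command` are hypothetical, and the threshold of 3 requests in 10 seconds is an arbitrary assumption.

```php
<?php
// Added example; the log lines are constructed (Apache common log format).
const SAMPLE_LOG = <<<'LOG'
198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET /register.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "POST /register.php HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2023:13:55:02 +0000] "GET /index.php HTTP/1.1" 200 2048
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "POST /register.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "POST /register.php HTTP/1.1" 302 0
192.0.2.44 - - [10/Oct/2023:13:56:40 +0000] "GET /guide.php HTTP/1.1" 200 4096
LOG;

// IPs with more than $limit requests inside any $window-second span.
function find_noisy_ips(iterable $lines, int $limit, int $window): array
{
    $recent  = [];  // ip => request timestamps still inside the window
    $flagged = [];
    foreach ($lines as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\]/', $line, $m)) {
            continue;  // not a common-log-format line
        }
        $t = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
        if ($t === false || filter_var($m[1], FILTER_VALIDATE_IP) === false) {
            continue;  // unparsable time, or a hostname instead of an address
        }
        $now = $t->getTimestamp();
        $recent[$m[1]][] = $now;
        // Forget hits that have aged out of the window.
        $recent[$m[1]] = array_filter($recent[$m[1]], fn($x) => $x > $now - $window);
        if (count($recent[$m[1]]) > $limit) {
            $flagged[$m[1]] = true;
        }
    }
    return array_keys($flagged);
}

// Build (but do not run) the firewall rule for an already validated address.
function block_command(string $ip): string
{
    $tool = strpos($ip, ':') !== false ? 'ip6tables' : 'iptables';
    return sprintf('%s -I INPUT -s %s -j DROP', $tool, escapeshellarg($ip));
}

foreach (find_noisy_ips(explode("\n", SAMPLE_LOG), 3, 10) as $ip) {
    echo block_command($ip), PHP_EOL;
}
```

In a piped-log setup the lines would be read from STDIN instead of `SAMPLE_LOG`. Time-limited blocks, as the post describes, also need the rule removed later with the matching `iptables -D` call, which is not shown here.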