Home / Blog / Ban them all! Security on your Website through .HTAccess (and cPanel) IP Denials.

Ban them all! Security on your Website through .HTAccess (and cPanel) IP Denials.

Posted on

If you have a blog or run a website, one of the things you may consider is who is your “permitted audience.” Wait, what? If you run a website you have to think about who is your permitted audience? I thought if you ran a website or blog everyone had access?

Why would I want to block people from a website?

You may not, let’s get that part out of the way first. You may be running a business or wanting to communicate to the whole world. And that is ok.

However, you should really consider who your audience is on your blog or website. Do people in known hacking countries really need to read what you are posting or access your business? For example, if you have a local candy shop or a regional service business, do the folks in Russia, China, North Korea or Vietnam really need to know about your services? If you are running a security blog do you really want to teach those in Syria and other similar locations about security (think ISIS/ISIL here)? Maybe not.

If your site is a business site, it may be best to conduct a formal Business Impact Analysis (BIA) to determine the answer to that question. If your site is a personal blog site, simply ask yourself who really should be accessing your blog?

Business Impact Analysis – What is that?

A Business Impact Analysis (BIA) can be rather simple or complex. A BIA is simply your business formalizing a business decision process and documenting your answer. Some, especially in small and medium sized business (SMB) would ask why bother with formalizing what I do in my head? There are a few good reasons why.

  1. The act of formalizing and documenting items like a BIA shows maturing in your business (or a mature business) and will gain you customers. Many large “Fortune” customers will ask, when conducting their own vulnerability assessments, if you conduct risk assessments etc. If you do BIA’s, you can answer yes and show them your results.
  2. When your company doubles in size and someone asks you why you do things the way you do, or maybe it did not double but you simply are revisiting questions, you can pull out a document and say this is why and how we made the decision.
  3. Let’s face it, we are all human and having this documented means it is something you don’t have to clog your memory with.

A BIA is a security or at least a compliance issue. Many auditors ask for BIA’s and as noted in item (1) above, many large companies and financial institutions that have to comply with the alphabet soup of laws, regulations and directives, such as Sarbanes-Oxley (“Sox”) or the Gramm-Leech-Bliley Act (GLBA), have to ask you for a formalized risk assessment process. In general, security is looking for maturity and thought process in decisions, a BIA shows that.

Do the Russians (or fill in the blank) really care about my little site?

Russian Olympic Matryoshka - traditional Russian toy (doll)I have run several personal websites for my photography hobby, my consulting business and more for a number of years. The sites have always been hit by potential hackers. In fact, I don’t mind telling you that this site, within 24hrs of it going online, had over a dozen hits from one source in Russia, and I had not even posted any content yet. In fact, I decided to watch and see what would happen for a few days and quickly, over fifty (50) hits came from one location in central Russia. One must ask, why would a Russian care about a blog that had not really identified that it was even a security blog? Simple, they are hackers and were probing my site or hackers in training (my suspicion) and they were using the site to learn how to conduct intelligence gathering and eventual hacking.

That was enough for me to block them out, so I left Russia open and then watched. Slowly, other Russian addresses came in for a sniff too. So, it is time to block them all, and then some.

How do I Block a potential or real bad guy?

There are a number of ways to block them, but my favorite and the subject of this post is IP blocking. In most any method, the goal is for the restricted address to receive a 400 or similar error code instead of the web site, such as “403.6 Forbidden.”

IP Address Primer:

IPv4 Example (Local Address)First off, a little IP address primary. IP stands for Internet Protocol. IP addresses are the numerical “street addresses” for computers and network on the Internet. Each address should be unique (required to be) so as not to cause conflicts. IP addresses (our IP’s for short) come in two forms, IPv4 and IPv6 (the v equal to version). We will get into a more indepth understanding of IP in a future post. But for this post, you need to know that an IPv4 address looks like this and an IPv6 looks like this 22:00:0a:a7:0f:7c.

Selecting the Block:

The second step in your process should be to determine what addresses or countries you want to block. Google Analytics is good for identifying who is accessing your site. Also, web server log files can help with this and identify specific IP Addresses. The problem is that IP Addresses are dynamic, meaning that they can change (and easily). The most effective way is to block entire networks (large blocks of IP addresses) or entire country blocks. In my BIA for this site, I have determined that I want a few entire countries to be off-limits. I don’t want to be teaching ISIS, the Russians, Iranians or Chinese anything about security. That may be a bit puffed up as reality is, I just don’t want them accessing this site. Most (99% or more) of the persons that would access the site would be up to no good. There are sites out available that have categorized entire networks and country IP address blocks. One of the most effective is http://www.ipdeny.com/, which lists blocks by country. You do have to be a bit careful in that some blocks crossover one another.

Derailing the malicious intent:

There are a number of ways to block an IP address. To determine which method you would use, it would be best to communicate with your hosting / service provider to determine what options you have access to. One of the first things you need to do is determine what operating system and web Derailing the Bad Guysserver power your site. On Windows server machines, there is a built in server for “Dynamic IP Address Filtering.” More information can be found at this site depending upon the version of IIS you are using. The referenced site will walk you through adding IP addresses or even limiting the number of concurrent connections from one specific IP address, which is also an effective method to prevent automated attacks.

On Linux / Unix type systems, which are what many hosting companies provide to their client, there is a file called .htaccess. Finding this file may not always be easy because it is a hidden file. In many cases, a user would access the file through a file manager service through CPanel (more in a moment). Within .htaccess, one could list each individual IP or IP Block. An effective block script would look like this:

<Files 403.shtml>
order allow,deny
allow from all
deny from
deny from

I will break down what is happening here:

The <Files 403.shtml> identifies what file will be displayed (called) when the criteria within this script is met and a block occurs. This is the file you can edit to make it look like what you want it to look like. Some companies make it look like their company with the company header etc. Others make it look totally different so as not to give away what company it comes from.

The “order allow, deny” tells the computer what order to read the file, in this case first read the allow list and then then deny list. You could reverse this scenario and state “order deny, allow”.

The first command issued is to “allow from all” meaning that all IP Addresses are allowed access.

The </Files> closes the HTML access code request.

#Russia simply is a marker for me that tells me all the IP’s below are from Russia. The # actually comments out the line and the computer will not read / process this. You could type anything into this field with a # in front of it.

Deny from is where the real action happens. The command may be obvious – deny, this is where it starts to tell the computer to deny from this network. The IP address field is where more knowledge of IP addressing would be helpful, but if you are using the IP’s from the ipdeny.com site, simply cut and past them in. Quickly, another IP promer though, when there is a slash number “/14” after the IP, that is telling the system it is multiple IP’s. /14 is a lot of addresses.

You can then use this “deny from ##.##.##.##/## in a repeated fashion until everything you want to block is blocked.

Another effective method is to reverse this and instead of using the “allow from all” statement, one could use the “deny from all” statement, which will then block everyone, and explicitly allow an IP address / country access. In place of the “deny from…” field, you would put “allow from…” It all depends upon your perspective. There are legitimate reasons to allow access from only the U.S., Canada, Britain and certain other countries. But again, you BIA will provide to you this answer.

One final way to access the .htaccess file is through the popular site management tool, cPanel. CPanel offers an option called “IP Address Deny Manager.” This allows you to edit the .htaccess file through a graphical interface. This tool is useful for single IP addresses or single entries of IP addresses. But to add a whole country would be difficult and it is recommended to use the direct access method to .htaccess.


Blocking an IP address or block is an easy and effective method of keeping the bad guys out. Running a site free from the bad guys even being able to access the site at all is a front line / first line defense that should be considered. If you are running a company, you should consider conducting a BIA that identify the impact of such actions upon your systems.