[Question] IP ban from site

Junior Spellweaver
Joined
Jan 16, 2007
Messages
133
Reaction score
0
Hello,
I've been getting some annoying people in my web site and I want to block them from viewing my site.
I added the following code to my index.php but it didn't work. If anyone knows, please help me out.

<?php
$ip = getenv('REMOTE_ADDR');
$blocked = "xx.xx.xx.xx";
if (ereg($blocked,$ip))
{
    echo "You Have Been Banned";
    exit();
}
?>

Thanks in advance.
 
Custom Title Activated
Loyal Member
Joined
Aug 8, 2004
Messages
3,892
Reaction score
20
Dude.. Regular expressions for a simple stringmatch? It's not C you know.. :icon6:

PHP:
if($_SERVER['REMOTE_ADDR'] == 'xx.xx.xx.xx')
  die("Access to this page is restricted. You are teh suck!");

If you want to make a more general blacklist you can simply use an array:
PHP:
$blacklist = array('xx.xx.xx.xx', 'yy.yy.yy.yy');
if(in_array($_SERVER['REMOTE_ADDR'], $blacklist))
  die("Access to this page is restricted. You are teh suck!");
 
Junior Spellweaver
Joined
Jan 16, 2007
Messages
133
Reaction score
0
hehe thanks a lot FragFrog, I'll check it out now :p
and btw i like that ' You are teh suck!' LOL

EDIT: Worked man! thanks :p
 
Custom Title Activated
Loyal Member
Joined
Jun 8, 2006
Messages
1,030
Reaction score
0
> hehe thanks a lot FragFrog, I'll check it out now :p
> and btw i like that ' You are teh suck!' LOL
>
> EDIT: Worked man! thanks :p
Off topic: I like teh suck too :p
On topic: I tried what FF posted and it's working like a machine :)
GL & HF
 
Divine Celestial
Loyal Member
Joined
Jul 7, 2004
Messages
853
Reaction score
5
sage

Learn to use .htaccess.

And unless you're trying to block very stupid n00bs, they'll get around it pretty easily.
 
Custom Title Activated
Loyal Member
Joined
Aug 8, 2004
Messages
3,892
Reaction score
20
You cannot easily block people dynamically using a .htaccess file username1, which is why this solution is a lot more elegant. You could easily add the IPs in the blacklist to a database and make a form to add new ones, which would mean you could make an instant 'IP-ban' button on user profile pages for example. You can't do that with a .htaccess file without resorting to file functions, which is quite ugly in my opinion.

As for bypassing this, you have a point there, a nice way to make it harder for them is to give banned users a cookie (logic there would be: if (user = banned) -> setcookie (banned = true) ), and if someone comes in on a new IP with a banned cookie, automatically add that IP to the banlist. Great way to detect proxies too.

Of course, if someone FIRST clears his cookies, THEN uses a proxy and doesn't log in, he'd be able to see the site, but I think less than 1% of your users will be that smart.. :wink:
 
Junior Spellweaver
Joined
Jan 16, 2007
Messages
133
Reaction score
0
Thanks for the useful information FragFrog.
About the .htaccess, I didn't even try that because it is confusing and kinda hard so meh..

FragFrog, mind telling me how to do the cookie ban thing? xD sounds like a great idea.
 
Custom Title Activated
Loyal Member
Joined
Aug 8, 2004
Messages
3,892
Reaction score
20
Well, it's quite easy, as I said, all you need to do is add a cookie for people who are banned and if the cookie is found add the visiting IP to your banlist.

Writing it out in code is a tad bit more difficult than a simple IP ban with a static list of banned IPs, but if you have a bit of experience with databases it shouldn't be too hard.

If you'd use my database class (see zip attached) and created a MySQL table with the name banlist and a column ba_IP it'd look like this:
PHP:
  /****
    $remote is the IP address of the user
    $dbase is a new instance of our database class:
  ****/
$remote = $_SERVER['REMOTE_ADDR'];
$dbase  = new myDbase;

  /****
    Search for this IP in the blacklist:
  ****/
$dbase -> select("        COUNT(*)
                  FROM    banlist
                  WHERE   ba_IP = '$_SERVER[REMOTE_ADDR]'");

  /****
    If the IP is found, give the user a cookie and stop the script:
  ****/                    
if($dbase -> affected) {
  setcookie('banned', true, time() + (3600 * 24 * 30), '/');
  die("You are teh suck! Access denied!");
}   

  /****
    If the IP isn't found, but the user does have a banned cookie,
    add his new IP to the blacklist and then stop the script:
  ****/
elseif(!empty($_COOKIE['banned'])) {
  $dbase -> insert("        banlist
                            (ba_IP)
                    VALUES  ('$remote')");
  die("You are teh suck! Access denied!");                      
}

Of course you can add additional info in the database (like username, time, etc), but this is about the most basic version.

How to get the database class to work is written in the comments by the way :smile:

Alternatively you can do the same thing with a textfile, but I prefer databases :icon6:
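
The IP-plus-cookie ban check from the post above, as an added example that is not part of the original thread and does not use the attached database class. It assumes PDO with the SQLite driver and an in-memory database; the `ban_decision` function and the sample addresses are constructed for illustration, while the table `banlist` and column `ba_IP` follow the post.

```php
<?php
// Added example: the ban lookup with bound parameters instead of string
// interpolation. ban_decision() is a hypothetical helper, not the poster's class.

function ban_decision(PDO $db, string $ip, bool $hasBanCookie): string
{
    // Reject anything that is not a well-formed IPv4/IPv6 address.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return 'invalid';
    }

    // Count matching rows and read the count itself, not the row count.
    $stmt = $db->prepare('SELECT COUNT(*) FROM banlist WHERE ba_IP = ?');
    $stmt->execute([$ip]);
    if ((int) $stmt->fetchColumn() > 0) {
        return 'banned_ip';      // caller sets the "banned" cookie and stops
    }

    if ($hasBanCookie) {
        // Banned browser on a new address: record the address as well.
        // "INSERT OR IGNORE" is SQLite syntax; MySQL spells it "INSERT IGNORE".
        $db->prepare('INSERT OR IGNORE INTO banlist (ba_IP) VALUES (?)')
           ->execute([$ip]);
        return 'banned_cookie';
    }
    return 'allow';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE banlist (ba_IP TEXT PRIMARY KEY)');
$db->exec("INSERT INTO banlist (ba_IP) VALUES ('192.0.2.10')");

// Constructed visits: [address, request carried the "banned" cookie]
$visits = [
    ['192.0.2.10',   false],  // address already on the list
    ['198.51.100.7', true],   // new address, cookie present: gets listed
    ['198.51.100.7', false],  // same address again after clearing cookies
    ['203.0.113.5',  false],  // unrelated visitor
];
foreach ($visits as [$ip, $cookie]) {
    echo $ip, ' cookie=', var_export($cookie, true), ' => ',
         ban_decision($db, $ip, $cookie), PHP_EOL;
}
```

In a page handler the cookie flag would come from `!empty($_COOKIE['banned'])`, and a `banned_ip` or `banned_cookie` result is where `setcookie()` and `die()` belong. Because the cookie rule lists whatever address the browser arrives from, a shared address such as a NAT gateway or café ends up banned for everyone behind it.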
 
Divine Celestial
Loyal Member
Joined
Jul 7, 2004
Messages
853
Reaction score
5
sage

> Of course, if someone FIRST clears his cookies, THEN uses a proxy and doesn't log in, he'd be able to see the site, but I think less than 1% of your users will be that smart.. :wink:

...or easier, just renew IP after clearing cookies, if you have dynamic IP.

The point being that whatever you do to stop someone from accessing your site, there will always be a way around it (short of stopping *everyone* from accessing your site...)
 
Custom Title Activated
Loyal Member
Joined
Aug 8, 2004
Messages
3,892
Reaction score
20
Well, most crappy users come from internet cafes in the Philippines, Poland, Argentina, etc. They will have a lot more trouble bypassing security settings and especially IP bans. If you have a registered-user system and keep track of IPs you can very easily ban most proxies etc.

Sure, it's not perfect, but the point is not to be perfect, the point is just to have better security than your colleague. It's the same in real life: you can't make your bike unstealable, but you can make it so difficult thieves will look at the next one. Using my system above in combination with a good user tracking system means you can force people to get a new IP address and clear their cookies for every few visits to your site. You'd be amazed at how many give up after the first 2, 3 attempts :wink:

Me, personally, I once received an email from an internet cafe in the Philippines whose IP I blocked after someone tried to hack my Mu server from there, begging me to unban his IP because all his clients wanted to play the server - never had any hacking attempts from that IP afterwards! :icon6:
 
Legendary Battlemage
Joined
Nov 18, 2006
Messages
640
Reaction score
0
Does this code even work effectively any more? It used to work.

Code:
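<?php
// X-Forwarded-For is a client-supplied header, so escape it before output.
$realip = isset($_SERVER['HTTP_X_FORWARDED_FOR'])
    ? $_SERVER['HTTP_X_FORWARDED_FOR']
    : $_SERVER['REMOTE_ADDR'];
echo 'Haha, you trying to trick me with your proxy? Your <i>real</i> IP is '
    . htmlspecialchars($realip, ENT_QUOTES, 'UTF-8');
?>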
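
An added example, not part of the original post: resolving the visitor address for a ban check when `X-Forwarded-For` may be present. The header is honoured only when the connection comes from a reverse proxy you run yourself; the `client_ip` function, the `$trustedProxies` list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added example: client_ip() is a hypothetical helper. X-Forwarded-For is an
// ordinary request header, so it only carries weight when one of our own
// proxies appended to it.

function client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Direct connection: any X-Forwarded-For value was written by the client.
    if (!in_array($remote, $trustedProxies, true)
        || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Walk right to left: the rightmost entries were appended by our proxies,
    // everything further left is whatever the client chose to send.
    $hops = array_reverse(array_map('trim',
        explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break;              // malformed entry: stop trusting the header
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;        // first address that is not one of our proxies
        }
    }
    return $remote;
}

$trustedProxies = ['10.0.0.5'];   // constructed: address of our own reverse proxy
$requests = [                     // constructed sample requests
    'direct, header set by client' =>
        ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '192.0.2.10'],
    'via our proxy' =>
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.7'],
    'via our proxy, extra value prepended' =>
        ['REMOTE_ADDR' => '10.0.0.5',
         'HTTP_X_FORWARDED_FOR' => '192.0.2.10, 198.51.100.7'],
    'via our proxy, malformed header' =>
        ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '<script>'],
];
foreach ($requests as $label => $server) {
    echo str_pad($label, 40), client_ip($server, $trustedProxies), PHP_EOL;
}
```

Banning on the unchecked header value would let any visitor choose which address ends up on the list, which is why the first and third sample requests resolve to the address the server actually observed.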
 
Junior Spellweaver
Joined
Jan 16, 2007
Messages
133
Reaction score
0
I don't think that will work but umm maybe I'm wrong... let's wait for fragfrog to see what he tells you xD

He's 1337^^ lol
 
Custom Title Activated
Loyal Member
Joined
Aug 8, 2004
Messages
3,892
Reaction score
20
Why not just read the instead? :wink:

There is no such thing as a super global $_SERVER['HTTP_X_FORWARDED_FOR'], so I'm guessing it won't work :icon6:
 