.htaccess Blocking Users
User Blocking And Access Prevention Using .htaccess Files
The htaccess file is a wonder of website coding. It
can do a great deal of things that we might otherwise
be dependent on our host providers to do, in many
cases charging admin fees to add the appropriate
features to our accounts or to set it up in the first
place. Unfortunately, though, the use of htaccess
files is not always permitted by host providers
because, done incorrectly, they can create a security
risk. Not only is this a problem for your site, it can
also be a problem for other sites hosted on the same
server. That said, it is not impossible to find a host
that offers the ability to use htaccess files, and if
you want to use them then you should look for a host
that allows it.
Blocking Users
We already covered the use of htaccess to password
protect pages and to use custom error pages but these
are only two uses of the htaccess file. It is also
possible to block users based on their IP address, IP
range or referring domain, and to block bots or
automated software from accessing your site or
folders. While the uses of blocking specific IP
addresses are relatively limited, the htaccess file
does provide an incredibly simple but effective method
of doing just that should the need arise.
Blocking Users By IP Address
Blocking users by IP address or IP range is very
simple to achieve and only requires a couple of
htaccess directives to be added to the appropriate
htaccess file.
To block a single IP address add the following lines:
order allow,deny
deny from 111.22.3.4
allow from all
Blocking Users By IP Range
Because the directives are read and applied from the
top down, it is important to close the block with the
allow line. Without it, the htaccess script can keep
running, slowing your site and your server. The code
above would only block an individual with the IP
address 111.22.3.4. However, the following code would
block a range of IP addresses:
order allow,deny
deny from 111.22.3.
allow from all
Combining IP Blocking Methods
Instead of blocking an individual user, this would
block all users with an IP address beginning with
111.22.3 and allow all other users access to the
folder. It is possible to combine these two methods in
order to block a single user and a range of IP
addresses, using the following as an example:
order allow,deny
deny from 111.22.3.4
deny from 222.33.4.
allow from all
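To see how the Order, Deny and Allow lines above are actually evaluated, here is an added example that is not part of the article and not Apache's own code: a small model of Apache 2.2 access-control semantics, including the partial-address form 111.22.3. used in the range example. The rule strings and client addresses are constructed from the article's three blocks, plus one block with the closing allow left out.

```python
# Added example: a small model of how Apache 2.2 "Order allow,deny" evaluates
# the Allow/Deny lines shown in this article. This is not Apache's own code;
# the rule strings and client addresses below are the article's examples.
import ipaddress

def _host_matches(pattern: str, client_ip: str) -> bool:
    """Match one Allow/Deny argument against a client IPv4 address.

    Apache accepts 'all', a full address, a partial dotted address (a leading
    prefix such as '111.22.3' or '111.22.3.', meaning 111.22.3.0/24) or CIDR.
    """
    pattern = pattern.strip().lower()
    if pattern == "all":
        return True
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    wanted = pattern.rstrip(".").split(".")  # '111.22.3.' -> ['111', '22', '3']
    return client_ip.split(".")[:len(wanted)] == wanted

def evaluate(htaccess: str, client_ip: str) -> str:
    """Return 'allow' or 'deny' for client_ip under the given directives.

    With 'order allow,deny' Apache applies every Allow line, then every Deny
    line, and a request that matches neither is denied by default. With
    'order deny,allow' (Apache's default when Order is absent) it is allowed.
    """
    order, allows, denies = "deny,allow", [], []
    for line in htaccess.splitlines():
        parts = line.split()
        if not parts:
            continue
        name = parts[0].lower()
        if name == "order":
            order = parts[1].lower()
        elif name in ("allow", "deny") and parts[1].lower() == "from":
            (allows if name == "allow" else denies).extend(parts[2:])
    allowed = any(_host_matches(p, client_ip) for p in allows)
    denied = any(_host_matches(p, client_ip) for p in denies)
    if order == "allow,deny":
        return "allow" if allowed and not denied else "deny"
    return "deny" if denied and not allowed else "allow"

# Constructed from the article's three blocks, plus one with the allow left out.
SINGLE_IP = "order allow,deny\ndeny from 111.22.3.4\nallow from all\n"
IP_RANGE = "order allow,deny\ndeny from 111.22.3.\nallow from all\n"
COMBINED = "order allow,deny\ndeny from 111.22.3.4\ndeny from 222.33.4.\nallow from all\n"
NO_ALLOW = "order allow,deny\ndeny from 111.22.3.4\n"
```

Running evaluate(NO_ALLOW, ...) for any address shows why the closing allow from all is needed: with nothing to match an Allow line, every visitor is refused.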
Blocking Users From Multiple Domains
Blocking users according to IP address or IP range is
easy, as you can see from these examples. A slightly
more complex procedure, although still relatively
easy, is to block users depending on the referrer that
sent them. For example, it is possible to block every
user who visits your site from a link on the websites
www.blockreferrer.com and www.blockreferrer2.com by
adding the following code to your htaccess file in the
usual manner.
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} blockreferrer\.com [NC,OR]
RewriteCond %{HTTP_REFERER} blockreferrer2\.com
RewriteRule .* - [F]
This blocks all users who visit your site having
followed a link from either of these two domains. It
also covers sub-domains such as mail.blockreferrer.com
or example.blockreferrer.com, because the pattern is
matched anywhere within the referrer.
Blocking Users From A Single Domain
To block users visiting your website from a single
referrer, simply remove the second RewriteCond line (in
this case the blockreferrer2\.com line) and remove the
OR flag from the end of the first RewriteCond. In our
example your amended file would now read:
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} blockreferrer\.com [NC]
RewriteRule .* - [F]
Blocking Bots And Offline Scripts
As well as blocking users, it is also possible, and
often beneficial in terms of bandwidth and server
resources, to block bad bots and site scrapers. Below
we provide the code to do this, but obviously you will
need to find the user-agent names of the bots to block.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BadBot1 [OR]
RewriteCond %{HTTP_USER_AGENT} ^BadBot2
RewriteRule ^.* - [F,L]
In the above examples any users that are blocked
because of the code you enter will be served your 403
error page. Because they aren't taking up your valuable
bandwidth, this can improve the loading speed of your
website for your other, genuine users. It may also
prevent your server from failing or crashing under an
overload. By blocking bad bots it is also possible to
prevent email harvesting software from taking your
email address and sending you regular spam. Again, this
is not only irritating but causes your mailbox usage to
increase dramatically.
Securing Your htaccess File – Stop Prying Eyes
The process of preventing your htaccess file from
being read is an incredibly easy one that requires
four short lines of code to be placed into the
htaccess file itself. The code required is as follows:
<Files .htaccess>
order allow,deny
deny from all
</Files>
This is another deny block similar to those discussed
earlier in the article. The <Files .htaccess> line
selects the .htaccess file itself, and deny from all
blocks every visitor from reading it.
What Is Hotlinking?
Other methods exist, through the use of the htaccess
file, to prevent the unwarranted usage of your
bandwidth. Hotlinking is the practice of displaying
images that appear on your website without saving and
uploading the images to the hotlinker's own server.
Leeching on your bandwidth in this way means that every
time the image is downloaded to a user's browser you
essentially pay the price in bandwidth and potentially
in money.
Preventing Hotlinking With A Denial
There are two methods to do this. One is a simple
prevention of hot linking, essentially banning all
domains except your own from showing this content and
instead displaying a broken image icon. The other
enables you to display an alternative image whenever
hot linking is detected. While this may still use your
bandwidth initially, the perpetrator of the hot
linking is unlikely to continue displaying the image
once he or she realizes that it isn’t what they were
intending.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your-website\.com/.*$ [NC]
RewriteRule \.(gif|jpg|js)$ - [F]
Replacing Images In Hotlinks
This version displays the broken link icon or a
similar icon. The last line is used to determine the
types of file that this works for. In this case gif,
jpg, and js files cannot be hotlinked from outside the
your-website.com domain. In order to replace an image
and display an alternative image, use the following
code in your htaccess file:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your-website\.com/.*$ [NC]
# Exclude the replacement image itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !/nohotlink\.jpg$
RewriteRule \.(gif|jpg)$ http://www.your-website.com/nohotlink.jpg [R,L]
Again, you need to replace your-website.com with your
own domain and the image path on the bottom line with
the path to the replacement image.
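As an added example that is not the article's own code and not Apache's, the following models how a RewriteCond/RewriteRule chain of the kind used in the referrer-blocking, bad-bot and hotlinking sections above decides a request, including the OR grouping of conditions and the empty-referrer exemption. The rule sets and request values are constructed from the article's examples; it handles only the variables and flags those rules use.

```python
# Added example: a small model of how a RewriteCond/RewriteRule chain from this
# article decides one request. This is not Apache's own code; it supports only
# what the article's rules use: regex tests on %{HTTP_REFERER}, %{HTTP_USER_AGENT}
# and %{REQUEST_URI}, "!" negation, and the NC, OR, F, R and L flags.
import re

VARIABLES = {"%{HTTP_REFERER}": "referer", "%{HTTP_USER_AGENT}": "user_agent", "%{REQUEST_URI}": "uri"}

def decide(rules: str, request: dict) -> str:
    """Return 'pass', 'forbidden' (F) or 'redirect:<url>' (R) for one request.

    request holds 'uri', 'referer' and 'user_agent'. Conditions joined by [OR]
    form a group that is true if any member matches; groups are ANDed, and the
    RewriteRule that follows fires only when the whole chain is true.
    """
    chain_ok, group_hit = True, False
    for line in rules.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # trailing "[NC,OR]" style token -> {"NC", "OR"}; no token -> empty set
        flags = set(parts[-1].strip("[]").upper().split(",")) if parts[-1].startswith("[") else set()
        if parts[0].lower() == "rewritecond":
            value = request.get(VARIABLES[parts[1]], "")
            negate = parts[2].startswith("!")
            rx = re.compile(parts[2].lstrip("!"), re.IGNORECASE if "NC" in flags else 0)
            group_hit = group_hit or (bool(rx.search(value)) != negate)
            if "OR" not in flags:  # the OR group ends here; AND it into the chain
                chain_ok, group_hit = chain_ok and group_hit, False
        elif parts[0].lower() == "rewriterule":
            if chain_ok and re.search(parts[1], request["uri"]):
                if "F" in flags:
                    return "forbidden"
                if "R" in flags:
                    return "redirect:" + parts[2]
            chain_ok, group_hit = True, False  # conditions belong to one rule only
    return "pass"

# Constructed rule sets, copied from the article's hotlink-denial and bad-bot code.
HOTLINK_DENY = r"""RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your-website\.com/.*$ [NC]
RewriteRule \.(gif|jpg|js)$ - [F]
"""
BAD_BOTS = r"""RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BadBot1 [OR]
RewriteCond %{HTTP_USER_AGENT} ^BadBot2
RewriteRule ^.* - [F,L]
"""
```

Feeding the same image request with an empty referrer, a referrer on your own domain and a foreign referrer shows that only the last one is refused, which is the behaviour the two hotlink blocks rely on.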
Preventing The Display Of All Your Directory Contents
Preventing access to an index of images or files is a
good idea for the sake of site security and often
because you simply don’t want people to browse through
the images on your site out of context. Many hosts
provide this as a matter of course, with all indexes
being invisible to visitors. However, this may not be
the case with the host you are currently using. As
long as you have access to your htaccess file, this
needn't be a problem, and it is in fact one of the
easiest htaccess directives to include.
IndexIgnore *
Adding this to the htaccess file in any directory will
prevent the index for that directory, and all
subdirectories, from being displayed. This means that
placing it in the root folder of your site will
prevent all indexes from being displayed.
Limiting Directory Viewing
By adding a pattern after the wildcard symbol “*” it
is possible to specify the types of file you wish to
hide from the index.
IndexIgnore *.jpg
Enabling The Display Of Directory Contents
This means that any .jpg files within that directory
and its subdirectories will not be listed when the
directory listing is shown. Sometimes you may want to
display the contents of a particular subdirectory but
not the parent directory. Include either of the two
examples above in the parent directory itself, and in
the subdirectory that you wish to display include an
htaccess file with the following command:
Options +Indexes
Conclusion
For many people it is a surprise to learn that the
simple htaccess file has so many uses, but we have
really only scratched the surface of its potential. As
well as these simple commands it is possible to set up
redirects, add MIME types, and enable Server Side
Includes (SSI). If you want a greater degree of control
over your own website than you currently have, then
htaccess provides an excellent way to go about it.
The most important thing is to check that your host
allows you to amend or edit your htaccess file, or even
to add one in the first place. Used incorrectly, it can
pose a security threat to your website, the server, and
other websites hosted on the same server. However, it
also makes it possible to reduce the amount of spam you
receive, cut down your bandwidth usage, prevent others
from accessing your site, and much more. Htaccess
commands are refreshingly simple to include, even for
the complete beginner.