Block Access from a Range of IP Addresses

Some people from certain locales keep posting spam comments to my web site on a daily basis. Although most of these are caught automatically and are never shown, some of the spammers post so frequently, and with such big posts, that it’s really annoying to have to delete them periodically in order to avoid wasting resources.

Analyzing the IP addresses of these spammers, we find that some of the most active ones use a different IP address every time (they may intentionally use dynamic IP addresses provided by their ISPs), so you can hardly block them one by one: enumerating all the IP addresses in the config files of Apache or a firewall is very tedious. Fortunately, all these IP addresses belong to the same IP range (I think that the spammer didn’t use a proxy), and normal internet surfers from this IP range are unlikely to browse my web site for language / locale / interest reasons. So we can simply block access from all IP addresses in this range. For this reason, I created this “IP Range Calculator” online tool to make the process easier: it does the tedious IP address mask & CIDR calculation and generates firewall commands as well as the proper lines for Apache’s config file.

Here is a real example. Note that I don’t discriminate against people or IP addresses in this range; as I said, a real surfer from this range won’t actually browse my web site, and the only ones who do access it are usually spammers. So it’s not unfair to restrict access from this range.

First, get one of the most frequent spammer’s IP addresses:

Then use “whois” service to get the IP range:

Now launch the “IP Range Calculator”, enter the IP range obtained from whois, and click the “Calculate” button. The calculation result is then used to generate the firewall commands and the Apache config file lines that block the IP addresses. You can use either of them according to your needs.
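The range-to-CIDR step described above can also be reproduced offline. This is an added example, not the code behind the online tool; it assumes IPv4, iptables as the firewall and Apache 2.4 `Require` syntax, and the function names and the sample range are constructed for illustration.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Cover the inclusive range first..last with the fewest CIDR blocks."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    blocks = []
    while lo <= hi:
        # The largest block that can start at lo is limited by lo's alignment
        # (its lowest set bit) and by how many addresses are still uncovered.
        align = lo & -lo if lo else 1 << 32
        size = min(align, 1 << ((hi - lo + 1).bit_length() - 1))
        prefix = 32 - (size.bit_length() - 1)
        blocks.append(f"{ipaddress.IPv4Address(lo)}/{prefix}")
        lo += size
    return blocks

def parse_whois_range(text):
    """Split a whois range value written as 'a.b.c.d - e.f.g.h'."""
    first, sep, last = (part.strip() for part in text.partition("-"))
    if not sep or not last:
        raise ValueError(f"not an address range: {text!r}")
    return first, last

def block_rules(whois_range):
    """Return (firewall commands, Apache lines) for one whois range."""
    cidrs = range_to_cidrs(*parse_whois_range(whois_range))
    # Assumption: iptables is the firewall in use (the page names none).
    firewall = [f"iptables -I INPUT -s {c} -j DROP" for c in cidrs]
    # Assumption: Apache 2.4 authorization syntax (mod_authz_core/host).
    apache = ["<RequireAll>", "    Require all granted"]
    apache += [f"    Require not ip {c}" for c in cidrs]
    apache.append("</RequireAll>")
    return firewall, apache

if __name__ == "__main__":
    # Constructed sample range inside the documentation block 198.51.100.0/24;
    # it is deliberately unaligned, so it needs more than one CIDR block.
    fw, conf = block_rules("198.51.100.64 - 198.51.100.255")
    print("\n".join(fw + conf))
```

A whois range that is not aligned on a power-of-two boundary expands to several CIDR blocks, so check how many rules are generated before pasting them into a config file.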

Grab the Internet Trouble Makers!

There are a lot of people trying to crack or spam others’ web sites (in vain)… What they usually do falls into two types: one is trying to post their articles (usually advertisements for drugs and so on) automatically to a lot of forums; the other is trying to download files that the web masters might have carelessly left there (for example, *.mdb, web.zip, etc.).

I don’t care about this too much, unless they keep doing it all the time, which consumes my bandwidth. In order to pick them out and filter their requests using a firewall, I did the following:

First, in Apache’s configuration file, direct all these suspicious requests into a separate log file. For example, I am using Apache on Linux, so if someone requests /forum/post.asp or /data.mdb, it’s certain that the request comes from crackers or spammers. I put all of these in a file called worm_log (these things used to come from worms…).

Then I wrote a small script to count the number of hostile requests per IP address:

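#!/bin/sh
# Count the requests per client IP in the worm_log files and list the
# busiest sources first.

allIPFile=/tmp/ips.txt
ipListFile=/tmp/ip_list.txt

myTmpFile=/tmp/mytmp.txt

# The first field of each log line is the client IP address.
cat worm* | cut -d ' ' -f 1 | sort > "$allIPFile"

# One line per distinct address.
uniq "$allIPFile" > "$ipListFile"

lines=`cat "$ipListFile"`

rm -f "$myTmpFile" > /dev/null 2>&1

for ip in $lines ; do
        # -x and -F match the whole line literally, so a.b.c.1 is not also
        # counted inside a.b.c.10 and the dots are not regex wildcards.
        n=`grep -cxF -- "$ip" "$allIPFile"`
        echo "$ip: $n" >> "$myTmpFile"
done

# Sort by the count (second field), highest first.
sort -nr -k 2,2 "$myTmpFile" > spammers.txt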

The output looks something like this:

222.73.173.10: 404
58.215.65.183: 355
222.73.173.11: 351
210.83.81.80: 314
121.14.212.82: 140
118.102.26.197: 117
221.231.114.10: 56
221.5.6.198: 48
...

Now it is very clear who the top trouble makers are, and that they should be blocked at the firewall.
