
.htaccess: Banning a range of IPs


pagkos

11:02 am on Dec 8, 2006 (gmt 0)

Hello,

I have searched the forum to find a thread explaining (not just giving the answer) how I can ban a range of IP addresses (a small range or even a whole country - I don't need visitors from China, for example). I found in thread [webmasterworld.com...] a post from member Key_Master (posted at 3:52 pm on Jan 30, 2003) with some useful information, yet I didn't manage to ban a small IP range, for example.

Also, what happens if I want to ban a whole region? For example, for India the ranges are: [apnic.net...] If I want to block those ranges, should I write an .htaccess rule for each one of them, or is there any place where I can find the whole range that belongs to the country and incorporates those smaller ranges?

Thanks in advance.

Mr Bo Jangles

11:54 am on Dec 8, 2006 (gmt 0)

I'd like to know this too - I can foresee no benefit (only evil - to me) from my site being available to a number of countries - and I'd like to make my site unavailable to them.

jdMorgan

1:45 pm on Dec 8, 2006 (gmt 0)

IP address ranges are assigned on a per-demand basis, and not on a per-country basis.

So you have several choices:

  • Use mod_access, mod_rewrite, or your firewall to block all IP ranges assigned to a particular country after you make a list of them
  • Use the same methods to block based on a GeoIP lookup of the requesting IP address
  • Block only address ranges which actually present you with a problem

The first method results in rather large lists, since there are many small subranges which you may consider 'welcome' embedded in the larger ranges which you may deem 'unwelcome'. Also, as IP range assignments change over time, you will need to maintain your list of ranges, and adjust for changes in the sub-ranges as well.

The second method is more 'real-time' but requires either that your server check with the GeoIP service for each incoming request, or that you download the GeoIP database periodically and refer to your local copy instead of making requests from their server. You'll also need a script to interface to the GeoIP data format. But at least this method is more real-time, and maintenance of the IP list can be automated.

The third method is the easiest, and practical for small sites -- Just block the serious troublemakers, and don't worry about the rest. This is more in-line with the spirit of the "World-Wide Web."

A search for GeoIP will turn up a lot of info on this subject.

Jim

pagkos

11:35 am on Dec 9, 2006 (gmt 0)

Hello,

jdMorgan, thank you for all the information.
Should I follow the third option, which means I should ban only the troublemakers, how do I ban a specific IP range? For example, I keep having several visitors continuously trying to use (unsuccessfully) my login form (vBulletin based forum) using Comcast:

    Comcast Cable Communications, Inc. JUMPSTART-1 (NET-68-32-0-0-1)
    68.32.0.0 - 68.63.255.255
    (info from ARIN)

So, the range I need to ban (I guess they are trying to exploit something on my board, they are also abusing my bandwidth and even sometimes use me as a way to visit other sites*) is: 68.32.0.0 - 68.63.255.255.

What do I write in .htaccess to block them?

*When I view who's online, and what exact path they are viewing, bad visitors view not a path like "/index.php" or "/forum/..." but "http://www. here-is-a-random-website . com". Are they using me as a proxy or something? Do they try to call some exploit from those sites? I really don't know, but I guess this isn't something I shouldn't be afraid of.

jdMorgan

4:01 pm on Dec 9, 2006 (gmt 0)


A better solution for these "proxy" attempts is to detect them directly:

    # BLOCK attempts to use our server as a proxy, but allow absolute URIs
    RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /?http:// [NC]
    RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /?http://([^.]+\.)*example\.com/ [NC]
    RewriteRule .* - [F]

Here, "example.com" is your own domain name. This code directly examines the HTTP request header sent by the client (browser or robot), which might look like this:

    GET /index.html HTTP/1.1

- or -

    GET http://www.some-other-site.com/ HTTP/1.0

-- the first being a legitimate access, while the second is a proxy attempt.

IP address range comparisons vary from simple to very complicated.

To unconditionally block a range such as you've shown --which I don't recommend, by the way, because you're potentially blocking a lot of innocent Comcast users-- you can simply leave off the end-anchor and all the octet digits that range from 0 to 255:

    RewriteCond %{REMOTE_ADDR} ^68\.32\.
    RewriteRule .* - [F]

That blocks all 16,384 addresses within the 68.32.0.0 to 68.32.255.255 range.

However, things get complicated when you need to block a sub-range within 0-255, or a range that crosses octet boundaries, because mod_rewrite does NOT do a numerical compare, it does a text-character compare. Therefore, you must test for all possible character combinations that might be used to express an IP address within the specified range. For example, to block 63.146.13.64 through 63.146.13.95 inclusive:

    RewriteCond %{REMOTE_ADDR} ^63\.146\.13\.(6[4-9]|[78][0-9]|9[0-5])$
    RewriteRule .* - [F]

It is often easier in these cases to use mod_access, which allows IP ranges to be specified using netmask or CIDR notation.

If you use the code above as an example, be sure to change all broken pipe "¦" characters to solid pipe characters before use; posting on this forum modifies the pipe characters, and using broken pipes will lead to pattern-matching errors.

For more information, see the documents cited in our forum charter [webmasterworld.com] and the tutorials in the Apache forum section of the WebmasterWorld library [webmasterworld.com].

Jim
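The two checks in Jim's post above, reproduced as an added example (this is not code from the original thread or from Apache) so that the patterns can be verified offline before they go into .htaccess. Part 1 mirrors the two RewriteCond tests on THE_REQUEST in Python, with "example.com" standing in for the site's own domain; it matches host labels with [^./]+ rather than the post's [^.]+, which additionally rejects a foreign URL that merely carries our host name in its query string. Part 2 generalises the hand-written 6[4-9]|[78][0-9]|9[0-5] alternation: it converts any start-end range (the Comcast 68.32.0.0 - 68.63.255.255 range from the thread, or Jim's 63.146.13.64-95 example) into CIDR blocks for mod_access and into the equivalent text-match regexes for mod_rewrite, then checks each regex at the block edges. The 'Require not ip' remark in the generated comment refers to the Apache 2.4 replacement for 'Deny from'.

```python
# Added example, not code from the original thread: the two checks in the post
# above reproduced in Python so the patterns can be verified offline before
# they go into .htaccess. "example.com" stands in for the site's own domain.
import ipaddress
import re

# ---- 1. Proxy-attempt detection on the request line (%{THE_REQUEST}) -------
# An absolute URI in the request line is refused unless its host is our domain
# or a subdomain of it. Host labels use [^./]+ (the post has [^.]+) so a foreign
# URL carrying our host name in its query string does not pass as our own.
OUR_DOMAIN = "example.com"  # assumption: replace with the site's own domain
ABS_URI = re.compile(r"^[A-Z]{3,9} /?http://", re.IGNORECASE)
OWN_HOST = re.compile(r"^[A-Z]{3,9} /?http://([^./]+\.)*" + re.escape(OUR_DOMAIN) + "/",
                      re.IGNORECASE)

def is_proxy_attempt(request_line):
    """True for 'GET http://other.example/ HTTP/1.0'; False for a relative path."""
    return bool(ABS_URI.match(request_line)) and not OWN_HOST.match(request_line)

# ---- 2. IP range -> CIDR (mod_access) and -> regex (mod_rewrite) -----------
def range_to_cidr(first, last):
    """Smallest set of CIDR blocks covering first..last inclusive."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]

def _same_length_alts(lo, hi):
    """Regex alternatives for lo..hi when both have the same digit count."""
    cap = 10 ** (len(str(lo)) - 1)     # widest run of free low digits
    alts, n = [], lo
    while n <= hi:
        width = 1                      # 1/10/100 = how many low digits are free
        while width < cap and n % (width * 10) == 0 and n + width * 10 - 1 <= hi:
            width *= 10
        end = n + width - 1            # then let the next digit up vary
        while end + width <= hi and (end + 1) % (width * 10) != 0:
            end += width
        free = len(str(width)) - 1
        prefix = str(n)[: len(str(n)) - free - 1]
        d_lo, d_hi = (n // width) % 10, (end // width) % 10
        var = (str(d_lo) if d_lo == d_hi else
               f"[{d_lo}{d_hi}]" if d_hi == d_lo + 1 else f"[{d_lo}-{d_hi}]")
        alts.append(prefix + var + "[0-9]" * free)
        n = end + 1
    return alts

def octet_range_regex(lo, hi):
    """Alternation matching exactly the decimal strings lo..hi (0..255):
    mod_rewrite compares text, so a numeric range has to be spelled out."""
    if not 0 <= lo <= hi <= 255:
        raise ValueError("octet range must lie within 0..255")
    alts = []
    for a, b in ((0, 9), (10, 99), (100, 255)):  # one pass per digit count
        if max(lo, a) <= min(hi, b):
            alts.extend(_same_length_alts(max(lo, a), min(hi, b)))
    return "|".join(alts)

def octet_regex_is_exact(lo, hi):
    """Brute-force self-check of octet_range_regex over all 256 octet values."""
    pat = re.compile(f"(?:{octet_range_regex(lo, hi)})")
    return all((pat.fullmatch(str(v)) is not None) == (lo <= v <= hi) for v in range(256))

def cidr_to_regex(cidr):
    """REMOTE_ADDR pattern for one CIDR block: fixed octets spelled out, the
    partial octet as an alternation, fully free low octets left off (unanchored)."""
    net = ipaddress.IPv4Network(cidr)
    parts = []
    for a, b in zip(net.network_address.packed, net.broadcast_address.packed):
        if a == b:
            parts.append(str(a))
            continue
        if (a, b) != (0, 255):
            parts.append("(" + octet_range_regex(a, b) + ")")
        break                          # every octet below this one is free
    return "^" + r"\.".join(parts) + ("$" if len(parts) == 4 else r"\.")

def ip_matches(pattern, ip):
    """Same semantics as RewriteCond: an unanchored regex search on the text."""
    return re.search(pattern, ip) is not None

def htaccess_for_range(first, last):
    """Both .htaccess forms for the range, self-checked at each block's edges."""
    blocks = range_to_cidr(first, last)
    for blk in blocks:
        net, pat = ipaddress.IPv4Network(blk), cidr_to_regex(blk)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        assert all(ip_matches(pat, str(ipaddress.IPv4Address(x))) for x in (lo, hi))
        assert not any(ip_matches(pat, str(ipaddress.IPv4Address(x)))
                       for x in (lo - 1, hi + 1) if 0 <= x <= 0xFFFFFFFF)
    lines = ["# mod_access form (Apache 2.2 syntax; 2.4 uses 'Require not ip'):",
             "Order Allow,Deny", "Allow from all"] + [f"Deny from {b}" for b in blocks]
    lines.append("# mod_rewrite form (text match, so octet ranges are spelled out):")
    pats = [cidr_to_regex(b) for b in blocks]
    lines += [f"RewriteCond %{{REMOTE_ADDR}} {p}" + (" [OR]" if i < len(pats) - 1 else "")
              for i, p in enumerate(pats)]
    lines.append("RewriteRule .* - [F]")
    return "\n".join(lines)

if __name__ == "__main__":
    print(htaccess_for_range("68.32.0.0", "68.63.255.255"))    # the Comcast range above
    print(htaccess_for_range("63.146.13.64", "63.146.13.95"))  # Jim's 64-95 example
```

Running the script prints both forms for each range. For the Comcast range the CIDR form is a single "Deny from 68.32.0.0/11", while the mod_rewrite form becomes "^68\.(3[2-9]|[45][0-9]|6[0-3])\." because the range crosses into the second octet; for 63.146.13.64-95 the generator reproduces Jim's hand-written 6[4-9]|[78][0-9]|9[0-5] exactly. Where an RewriteCond regex is needed for several CIDR blocks, they are chained with [OR]; the edge self-check guards against the classic text-match slip where a pattern such as ^68\.6 would also catch 68.6.x.x.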