
I'm trying to block some of my website's users. Well, I need two things:

  • getting the user's IP
  • blocking it

I've searched about them, and I understand I have to get the user's IP like this:

    $ip = $_SERVER['REMOTE_ADDR']; // or sometimes $_SERVER['HTTP_X_FORWARDED_FOR']

And I have to block it like this:

    $network = ip2long("10.12.0.0");
    $mask = ip2long("255.255.0.0");
    $ip = ip2long($_SERVER{'REMOTE_HOST'});
    if (($network & $mask) == ($ip & $mask)) {
        die("Unauthorized");
    }

As you see, for blocking an IP, it uses $_SERVER{'REMOTE_HOST'}. Well, what's the difference between $_SERVER{'REMOTE_HOST'} and $_SERVER['REMOTE_ADDR']? And which one contains the IP?

  • You can just write your own PHP code to block IPs. In your database, have a table like ipBan or something, and then whenever a user visits your website, search their IP in the ipBan table. If found, just redirect them to a page like blank.php or something. Easy. Commented Jul 1, 2016 at 0:18
  • I have no idea what the network/mask stuff is, and the ip2long is totally unnecessary. if($_SERVER['REMOTE_ADDR'] == 'ip you want to block') { die('Unauthorized.'); } Commented Jul 1, 2016 at 0:18
  • @stack Yes, very wrong. Commented Jul 1, 2016 at 0:21
  • Correct. Note that per the PHP docs REMOTE_HOST is not present unless your Apache server has HostnameLookups On turned on (not sure if nginx has something similar). Since that's a bit heavy on the server, chances are it's off and empty. Commented Jul 1, 2016 at 0:21
  • You seem to be making this much more complicated than it needs to be. Commented Jul 1, 2016 at 0:30

1 Answer

REMOTE_HOST usually contains the result of a reverse DNS lookup, which can also be done in PHP using gethostbyaddr in case your server does not fill this environment variable. It is derived from the $_SERVER['REMOTE_ADDR'] value, which holds the IP address, as its name suggests.

Banning IP addresses on a shared host is not optimal, and I will come to that later. Assuming you are using a shared host, I would not let the script die like you did. Instead I would just return an HTTP header in order to (at least) save some bandwidth on that IP, like:

    if($_SERVER['REMOTE_ADDR'] == "127.0.0.1") {
        header("HTTP/1.1 403 Forbidden");
        exit;
    }

and returns something like this to your visitor (using Chromium):

[screenshot of the resulting 403 Forbidden page in Chromium]

A cleaner and more professional approach to blocking IP addresses is not possible on many shared hosts, but should be mentioned here anyway, because it saves bandwidth, memory and CPU cycles and can be described as dynamic creation of firewall rules. There are tools like fail2ban that help overcome compatibility issues between different firewalls, keeping your PHP application portable between root servers. Fail2ban can scan all kinds of log files, even custom ones. Your PHP application could just write to a log file and fail2ban would disallow any connection attempt from that IP address to your server. Sounds cool? Root servers ain't expensive nowadays if you would like to try it.


6 Comments

Ah I see, upvote. Just what happens when a user uses a proxy? I guess I need to check $_SERVER['HTTP_X_FORWARDED_FOR'] too. Am I right?
Yes, but in any case IP addresses ain't so reliable. I assume that you also have a router at home, but if this router is used by all the people of a university and you ban the IP address, you would end up blocking the whole university from reaching your site, just because one person 'did something'. The real person behind an IP address is really hard to identify and could also be using Tor, for example.
Ok, I just want to know what happens when a user uses a proxy. Is the real IP still in REMOTE_ADDR? Or will it be in HTTP_X_FORWARDED_FOR? Or do both of them contain two different IPs?
I would use HTTP_X_FORWARDED_FOR to supersede REMOTE_ADDR, as it (more probably) contains the originating IP. But I would consider using other information you have about the visitor, like when he/she usually visits, which browser version and so on, and I think Google also does those kinds of checks to identify users. I have read that Google can partially identify users by their typing speed and which words they usually misspell and so on ;)
Ah :-) I marked your answer as the accepted answer. Thanks again. Just my last question: from your explanation, which one is better? Doing that in PHP or using something like fail2ban?
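Putting the answer and the comment thread together, here is an added example that is not code from the question or the answer. It treats REMOTE_ADDR as the only address the client cannot forge (HTTP_X_FORWARDED_FOR is an ordinary request header anyone can set, so blindly preferring it lets a banned visitor pick any IP they like), consults the header only when the request arrived via a proxy you run, then applies the ip2long/mask test from the question to a list of CIDR blocks and returns the 403 the answer recommends. TRUSTED_PROXIES and BANNED_CIDRS are constructed placeholder values.

```php
<?php
// Added example: pick the client IP defensively, then apply a CIDR ban list.
// Only proxies we operate ourselves get their X-Forwarded-For believed
// (constructed sample value; one proxy hop in front of the app is assumed).
const TRUSTED_PROXIES = ['10.0.0.5'];
// Banned networks in CIDR form (constructed sample values).
const BANNED_CIDRS = ['10.12.0.0/16', '203.0.113.7/32'];

/** Address to base access decisions on. REMOTE_ADDR is the TCP peer and cannot
 *  be forged by the client; X-Forwarded-For is only consulted when that peer is
 *  one of our own proxies, and then only the entry the proxy itself appended. */
function clientIp(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;                       // direct connection: nothing to trust
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }
    // The proxy appends the address it saw last; earlier entries are whatever
    // the client chose to send, so only the last one is considered, and validated.
    $hops = array_map('trim', explode(',', $xff));
    $candidate = end($hops);
    return filter_var($candidate, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
        ? $candidate : $peer;
}

/** The ip2long/mask comparison from the question, generalised to CIDR notation. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$network, $bits] = explode('/', $cidr, 2);
    $mask = (int)$bits === 0 ? 0 : (-1 << (32 - (int)$bits)) & 0xFFFFFFFF;
    $ipLong = ip2long($ip);
    return $ipLong !== false && ($ipLong & $mask) === (ip2long($network) & $mask);
}

function isBanned(string $ip): bool
{
    foreach (BANNED_CIDRS as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

if (isBanned(clientIp($_SERVER))) {
    header('HTTP/1.1 403 Forbidden');      // cheap refusal, as in the answer
    exit;
}
```

As the second comment notes, a whole campus or office may share one address, so an IP ban is a blunt instrument even when the address is genuine.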
