How to blacklist an IP Address in Apache

April 27th, 2009 by bodhi.zazen

As my blog has become more popular, I am collecting my share of “spam-boys” and was looking for an easy way to black list IP addresses.

Sure, you can use iptables, and it would be nice if Apache used tcpwrapper (hosts.deny), but alas that requires Apache to be re-compiled.

As it turns out, there is an easy way using a feature built right into Apache: deny from. Sweet.

Edit your main Apache configuration file, and at the bottom add the following (assume you want to blacklist 111.222.33.444 or its subnet).

<Location />
    <Limit GET POST PUT>
        # Allow everyone, then refuse anything matching a deny line
        order allow,deny
        allow from all
        # A single address
        deny from 111.222.33.444
        # The entire 111.222.33 subnet
        deny from 111.222.33
    </Limit>
</Location>

Rules explained:

order allow,deny
allow from all

Allows access from all IP addresses unless an address is specifically denied.

deny from 111.222.33.444
deny from 111.222.33

This is your blacklist, by IP address.

111.222.33 == 111.222.33.* (the entire 111.222.33 subnet, helpful against spammers who change IP, or are mean otherwise ;) )

After making your edits, restart Apache:

Debian / Ubuntu:

sudo /etc/init.d/apache2 restart

RHEL / CentOS / Fedora:

service httpd restart

What I like about this technique, more than anything else, is the “Permission Denied” message Apache gives. Just my way of giving back to the spamming community (iptables is just too impersonal that way).

Another thing: this seems to cover all virtual hosts in a single location (i.e. this does not need to be configured per VirtualHost, sweet).
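A way to check that the blacklist is taking effect, as an added example that is not part of the original post: it scans access-log lines for requests from blacklisted addresses and reports any that were not answered with 403. Because the rules sit inside the Limit GET POST PUT block, requests using other methods (OPTIONS, DELETE and so on) are not covered by the deny lines, so the report marks those separately. The log lines, the 203.0.113.0/24 range, and the function names are constructed for illustration, and Common Log Format is assumed.

```python
import ipaddress
import re

# Constructed blocklist: a documentation range stands in for the post's placeholder.
# Apache's partial form "203.0.113" is written as the equivalent /24 network.
BLOCKED = [ipaddress.ip_network("203.0.113.0/24")]

# Methods covered by <Limit GET POST PUT>; Apache applies a GET limit to HEAD too.
LIMITED_METHODS = {"GET", "HEAD", "POST", "PUT"}

# Common Log Format: client ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [27/Apr/2009:16:30:01 -0600] "POST /wp-comments-post.php HTTP/1.1" 403 210
203.0.113.45 - - [27/Apr/2009:16:30:05 -0600] "GET /blog/ HTTP/1.1" 403 210
203.0.113.77 - - [27/Apr/2009:16:31:12 -0600] "OPTIONS / HTTP/1.1" 200 0
198.51.100.9 - - [27/Apr/2009:16:32:40 -0600] "GET /blog/ HTTP/1.1" 200 5120
203.0.113.45 - - [27/Apr/2009:16:33:02 -0600] "HEAD /blog/ HTTP/1.1" 403 0
not a log line
"""

def is_blocked(addr):
    """True if addr is an IP address inside one of the blocked networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # hostname or garbage in the client field
        return False
    return any(ip in net for net in BLOCKED)

def audit(log_text):
    """Return (denied_count, leaks) for requests from blocked addresses."""
    denied, leaks = 0, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_blocked(m.group(1)):
            continue
        client, method, path, status = m.groups()
        if status == "403":
            denied += 1
        else:
            # Last field is True when the method is outside the <Limit> list.
            leaks.append((client, method, path, status, method not in LIMITED_METHODS))
    return denied, leaks

if __name__ == "__main__":
    denied, leaks = audit(SAMPLE_LOG)
    print(f"denied={denied}")
    for leak in leaks:
        print("not denied:", leak)
```

A leak whose last field is False means a GET, HEAD, POST or PUT from a blacklisted address was served, which points at the rule not being loaded rather than at the method list.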


3 Comments »

  1. He he he …

    56 “Forbidden” pages served since posting this blog (4 hours ago).

    Yum, spam :)

    Comment by bodhi.zazen — April 27, 2009 @ 4:34 pm

  3. Perfect!
    Exactly what I was looking for.
    Yet another worthy contribution by bodhi.zazen to the FOSS community.
    I plan to use this to help keep my blog and wiki spam free.

    Additionally I am going to forward this link to the maintainer of the Tulsa LUG wiki. We have been having a problem with lots of Japanese spam lately.

    Comment by duanedesign — July 2, 2009 @ 3:51 pm
