IP blocking and custom 404 & 403 with htaccess
This is old news, but because I’ve often needed to look for the exact syntax, I’m putting it up here.
To block an IP from your website, create a (text) file (if you don’t already have one on your server) and name it “.htaccess”. Put the following in that text file:
<Limit GET>
order allow,deny
allow from all
deny from 123.456.789.0
deny from 123.4.5.
</Limit>
Replace the “123.456.789.0” with the IP you want to block (you can have as many “deny from …” lines as you want). The “123.4.5.” line will block a range of IPs.
If you want to have a custom 403 page (the page that people get when they’re blocked) put these lines below what you have above:
ErrorDocument 403 /403.htm
(the 403.htm is the page that you’ve designed… maybe you want to give them an email address to reach to request access…)
You can also have a custom 404 page (page not found). So add this in there too:
ErrorDocument 404 /404.htm
again, the 404.htm page is one that you’ve created.
Now upload the .htaccess file to your server. Wherever you put it, it will affect the current directory and all its subdirectories. Also, the FULL file name is .htaccess - no other suffix there…
UPDATED 3/18/04: I recently updated this post because of a problem I had. (Actually it was corrected sometime ago in the comments - but I didn’t understand what they were talking about)
In any case - I also wanted to add this: here’s some more information on htaccess
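The same recipe, written so that it covers every request method, accepts a CIDR range, and keeps the custom 403 page reachable for blocked visitors, followed by the Apache 2.4 form. This is an added example, not part of the original post; the addresses are placeholders from the documentation ranges, and 403.htm and 404.htm are the file names used above.

```apache
# Needs AllowOverride Limit (Order/Allow/Deny), AuthConfig (Require) and
# FileInfo (ErrorDocument) from the host. A directive whose override has not
# been granted produces a 500 Internal Server Error (with AllowOverride None
# the whole file is ignored instead).

# ---- Variant A: Apache 2.2 syntax (2.4 accepts it only with mod_access_compat) ----
# No <Limit GET> wrapper: rules outside <Limit> apply to every request
# method, so a blocked address cannot POST either.
Order Allow,Deny
Allow from all
# one address (placeholder)
Deny from 203.0.113.7
# partial address: 198.51.100.0 - 198.51.100.255
Deny from 198.51.100.
# CIDR: 192.0.2.0 - 192.0.2.127 on one line
Deny from 192.0.2.0/25

# Local paths keep the 403/404 status; a full http:// URL makes Apache
# answer with a redirect instead.
ErrorDocument 403 /403.htm
ErrorDocument 404 /404.htm

# 403.htm lives inside the blocked directory, so blocked visitors would be
# refused the error page as well. Open that one file to everyone.
<Files "403.htm">
    Order Allow,Deny
    Allow from all
</Files>

# ---- Variant B: the same policy in Apache 2.4 syntax (use A or B, not both) ----
# <RequireAll>
#     Require all granted
#     Require not ip 203.0.113.7
#     Require not ip 198.51.100
#     Require not ip 192.0.2.0/25
# </RequireAll>
# ErrorDocument 403 /403.htm
# ErrorDocument 404 /404.htm
# <Files "403.htm">
#     Require all granted
# </Files>
```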
November 26th, 2002 at 8:57 am
This may be a silly question — but what’s the difference between a 403 and a 404 page?
November 26th, 2002 at 9:06 am
404 - someone tries to go to a page on your site that doesn’t actually exist.
403 - someone tries to go to a page from which they are being blocked (via htaccess)
Make sense?
November 26th, 2002 at 9:53 am
Perfect sense — thanks!
November 26th, 2002 at 10:17 am
I did this and when i uploaded the .htaccess file it’s hidden. I just tried it to do the 404 and it works but what if i want to delete the file? Would it work to just upload a new blank one?
November 26th, 2002 at 10:32 am
Yeah, some hosts won’t show you the file when you connect via FTP - not sure if it shows you when you connect via ssh.
If you want to completely blow it away, upload a .htaccess file that is blank.
Some hosts have a “cpanel” that will allow you to go in and navigate through your space - a file manager… I know that Blogomania does. If you do that, you’ll be able to see AND EDIT that .htaccess file. That’s how I add IPs. I’ll go through the file manager in cpanel, and edit the htaccess file that’s already on the server.
November 26th, 2002 at 10:40 am
just a note, but i think that .htaccess will only work on a linux/unix host?
November 26th, 2002 at 11:47 am
i saw something like this on a blog a few weeks ago that also gave you instructions on blocking people coming from specific addresses (ie. google.com, yahoo.com, etc. etc.) in your .htaccess file but i’ve since lost the address. can this be used in that case as well?
November 26th, 2002 at 11:55 am
yes, i believe you can just add in domains in as a deny from line - ie. deny from pacbell.net - so anyone surfing on pacbell isp would be denied (that’s a pretty wide block!)
However, this method (as far as I know) does not mean a REFERRER block. (Someone correct me if I’m wrong). If you put in deny from google.com - that doesn’t block people coming to your site from a link from google - it just blocks anyone surfing on a google.com isp (if there is one).
Not sure if you can block REFERRERS using htaccess…
November 26th, 2002 at 11:58 am
actually here it says you can and how to do it:
SetEnvIfNoCase Referer "^http://www.sitetobeblocked.org" spam_ref=1
<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=spam_ref
</FilesMatch>
November 26th, 2002 at 12:07 pm
Lots more info here too…
November 27th, 2002 at 3:34 am
With regards to seeing the .htaccess file via ftp:
Any files or folders with names which start with a full stop (.) are treated by Unix as hidden files. They aren’t visible in most FTP programs, but there are several that can easily be configured to show your hidden files. Two that come to mind are Ws_ftp (both the LE and Pro versions) and Cuteftp.
November 27th, 2002 at 12:23 pm
Just chiming in to say this is incredibly interesting and helpful - is there anything you goddesses can’t do?
November 27th, 2002 at 12:40 pm
Scriptygoddess Jennifer has a little tutorial up about using .htaccess files to redirect to custom error pages and block IPs - it’s just that easy.
November 27th, 2002 at 5:24 pm
what about only allowing certain ips instead of the other way around, say you only want your friends to view the site, or in a corporate situation you only want a range of ips to see it, possible?
November 27th, 2002 at 11:38 pm
Just recently, I started an .htaccess file for my site, so I really appreciate this information.
Adding a little to what Gaile said, to view hidden files with CuteFTP, do the following:
1. Open Filters [Edit/Filter or CTRL L]
2. “X” the box for “Enable remote filter (server applied filter)”
3. In the remote filter box type “-la” [without the quotes]
4. Click OK
November 28th, 2002 at 9:20 am
Scott, to allow only specific IP addresses, you effectively use Jennifer’s code the other way around:
<limit GET>
order deny,allow
deny from all
allow from 123.456.789.0
allow from 122.344.455.9
</limit>
…obviously replacing with the IP address(es) you want.
HTH
November 28th, 2002 at 8:39 pm
there is a setting in flashfxp that allows you to view hidden files too. now i can see it. thank you
scott
December 1st, 2002 at 2:26 pm
I’ve always wanted to do a .htaccess file on my site to prohibit some people from accessing my site, but
December 2nd, 2002 at 8:38 pm
You might want to take a look over at http://www.php.net/urlhowto.php for info on some really cool 404 pages.
I’ve been playing around with it a bit and would love to know why my server isn’t setting $REDIRECT_REDIRECT_ERROR_NOTES and/or is messing with $REQUEST_URI when doing the redirect.
December 3rd, 2002 at 9:14 am
I actually solved my own problems with the redirect. I was using an “external” style url for the errorpage. Once I switched to an “internal” style all was well. For example:
NOT -> http://www.domain.com/404.php
yes -> /404.php
January 7th, 2003 at 3:50 am
“.htaccess” works this also on a site installed on a frontpage server? or is there a possibility to work around to get the same result?
January 23rd, 2003 at 9:38 am
I edited my .htaccess (it was blank) in Cpanel.
I wanted to deny access to a particular site. All I got was an internal server error. When I deleted my input to the .htaccess file it worked fine again.
Any help would be greatly appreciated.
Roy
January 30th, 2003 at 3:19 pm
Just a note - someone mentions that some hosts don’t let you see files that begin with . - some clients also hide those.
For instance, I can’t see .htaccess when I connect to my host using CuteFTP or ws-FTP, but I *can* see it using one of the FTP programs I use in Redhat Linux.
January 30th, 2003 at 3:20 pm
Roy - what was the line you used?
January 30th, 2003 at 3:22 pm
Uh just realized someone already mentioned that certain FTP programs allow you to see . files and some don’t, but obviously I can’t edit or delete my comments.. so please excuse my dumb lookingness by posting too fast without reading all the comments carefully
February 10th, 2003 at 3:29 pm
I can’t get it to work! Is it “*.htaccess” or “.htaccess” or “.htaccess.txt” ? Geocities won’t let me do those! Is there another way?
February 10th, 2003 at 5:51 pm
it’s just “.htaccess”
however- I *seriously* doubt that Geocities will let you do anything with .htaccess files…
February 16th, 2003 at 3:58 pm
I’m trying to try this with my .htaccess but it denies everyone instead of the two domains I try to block. My old server shut my site down because someone from frii.net went to one of my pages over 12000 times in one hour, and I am trying to block them from my site.
February 17th, 2003 at 7:57 am
Mandie - do you have an “allow from all” statement in your .htaccess file? That needs to be there first before you begin listing “deny” statements. Just a thought…
March 6th, 2003 at 12:47 pm
A few site tips and tricks of note…some new, some not… Individual link “click tracker” script Oldie but a goodie…how to prevent your site from being Googled Combined form for MT and Bloglet subscriptions Kristine’s wonderful MT Plugin Directory H…
March 6th, 2003 at 8:34 pm
I’m just a simple blogspot user with someone I would love to block. Will this work for me?
March 6th, 2003 at 8:40 pm
Unfortunately - no. .htaccess requires that you have access to your server (also - I think NT and other Windows servers do not have .htaccess)
March 7th, 2003 at 5:16 am
i’ve tried creating the .htaccess file online using tripod’s html editor.
fyi, i signed up with them as a free member.
when i tried to save the file, they did not allow filenames that contain special characters.
does this mean i cannot create the file in tripod at all?
or can i create it offline and then upload it thru ftp?
March 7th, 2003 at 8:03 am
Pretty good rule of thumb: if you’re not paying for your hosting, unless it’s a situation where your friend is hosting you on his/her server, then I think odds are you don’t have permission from the server administrator to play with .htaccess stuff, and they’ll block your attempts to do so.
There’s lots of inexpensive hosting around… Can I recommend Blogomania? Scriptygoddess is hosted there. Christine runs it and rocks my socks off. And there are a variety of plans. Some very inexpensive.
March 8th, 2003 at 1:54 am
thx jennifer
gotta start saving up now…
March 10th, 2003 at 11:49 am
:bsmile: If you have not already read the information at GeekGrrl or Robyn’s sites. You might want to look over what was discovered. After reading through I found out my site was also being stolen and reprinted without the CSS…
March 16th, 2003 at 12:36 am
I was warned. I read the solutions to prevent it. Yet I ignored them. And now I got my
March 18th, 2003 at 6:33 am
I’m a scripting student in the school of BeinginChargeoftheCorpWebsiteWhetherIknowAnythingAboutItOrNot(WhichIDont) and was thinking of giving myself the following homework assignment. I would hope the goddess could warn me if she thinks I’m asking for big trouble.
Assignment: Write a script that dynamically blocks certain malicious hosts. Ie. the kind that request /root.exe, /cmd.exe. Any host which requests these kinds of files will be added to the list of blocked IPs.
Anyone done this before? Or considered it and then declined due to a sudden prudent insight? Please share.
May 3rd, 2003 at 5:12 pm
I tried to create a .htaccess file, but my ftp program won’t let me. I also can’t find one if there is one already on there. I use ws_ftp, and I have a Linux server. Help, please?
May 7th, 2003 at 1:50 pm
hi i have a simple question i think.
i want to take my external ip address from a linux
box behind a NAT router, and upload it to a web
page. what is the simplest way of going about that ?
to be more clear, the linux box cant see what the
external ip is it has an internal address.
BUT a tracert program will bring up my external ip
as a hop.
I want to create a web page with my ip in it as a forwarder,
and upload that via ftp to a site.
The idea is i can serve from a machine behind
a firewall on a dynamic ip,
PLEASE HELP :>>>>>
lots of smileys for helpers,
May 26th, 2003 at 2:24 pm
I’m very interested in using this on my personal domain, I have been for a while now. Only problem is that i want to block my whole town, but I’m not sure what the IP for that would be, but yet, allow my IP, can my IP change?
June 13th, 2003 at 12:35 am
Your definition of a 403 is not correct. A 403 is returned for a page you are not authorized to view, not necessarily because of an .htaccess deny. A 403 will be returned if you fail to enter the correct name/password for a protected page.
June 13th, 2003 at 12:44 am
For the person who wants a script to deal with malicious attacks such as CodeRed, click the link on my name. I’ve already done the work. You’ll have to have root access on a Linux type box to be able to implement the script.
For Kate, who wants to block her town., can’t be done. IP addresses are not allocated by that small of a geographic area. The best you can do is block by country.
For Thomas, your URL will be returned if you grab this web page: checkip.dyndns.org:8245
My work here is done.
July 1st, 2003 at 5:40 pm
Sure you can block your town! Just put something at the top that says ‘Click here if you live in Thistown’ And when they click on the link, have that block them somehow. Okay, so it can be bypassed… But it’s better than nothing!
July 23rd, 2003 at 7:46 pm
I’m attempting to use this code and I’m getting the following error message (I’m testing it by trying to block my own IP address)
“Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, netops@cox.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.”
First off, I don’t even know how to access the server error log so I couldn’t look there to see what’s what.
The only modifications I made in the original code were putting in the proper IP address and location for the error message.
I took the code off of the site, but the .htaccess document is uploaded at:
http://members.cox.net/dream4muse/.htaccess.txt
If a code that will just block someone from the main page would rid me of the error message, I could use that instead because it would still do the trick.
August 7th, 2003 at 3:26 pm
do you know if it is possible to block a range of addresses (less than 256) in one line? for example, if i wanted to block the subnet 192.168.5.0 - 192.168.5.127 (subnet mask 255.255.255.128), can this be done on one line, or would I have to list every ip?
August 10th, 2003 at 8:07 pm
20030810
I’m new here but have a couple of items..
1. Should it be ‘referrer’ (as in javascript) or ‘referer’ (as in perl) when blocking ips in htaccess?
2. to add blocking of referring ips to an existing htaccess file, does it suffice to just start a new line?
3. any advice how to customise the startup password entry page when entering an htaccess password protected directory?
thank you - rs
September 19th, 2003 at 4:16 pm
Is there any html codes that also work at blocking IP#s? The .htaccess file won’t work on angelfire or freewebs because of the “.” before it. So is there any other way?
September 20th, 2003 at 6:23 am
I’m going to annoy you all fast. Answering (if I may..lol) some of the above, one at a time.
As Rossz pointed-out, a 403 error can be a lot of things specifically. It just means you are not authorized, and there is no way to authorize yourself. Actually 403 comes in sub-codes as do most of the error codes (ie: There is a difference between a 403.4 error and a 403.6 error). An example of the two can be found by trying to go to MSN’s Zone game site’s Admin area. To see the 403.4 go to it non-SSL at http://admin.zone.msn.com , and to see it with the 403.6 error go to it SSL at https://admin.zone.msn.com . For a brief list of Error codes (click on the links of the code-numbers for more detail) go to http://www.argis.net/ErrorCodes/ (Note, this is not a complete list; you can just look-up “HTTP error codes” in any old search
As to these being done with .htaccess or not, neither of those are. Further examples (different code on last of the two, which actually uses .htaccess) are at my company’s domain: Go to http://maximumscripts.com (403.6 like above, not .htaccess) and http://admin.maximumscripts.com (401, authorization allowed, but you don’t have or didn’t enter correct).
Marie pointed-out that Cute-FTP will show hidden files with “-la”. If that does not work, try the more common (a lot of FTP’s use the old standard) “-a” .
A note on using “ErrorDocument ### http://yourdomain.com/###.html”: Make sure if it is to deny access from the get-go, that the URL they are being shown as the error page is not within the folder being protected, or one of its subdirectories. If, for example, you IP block in the folder “private” and you put “ErrorDocument 403 http://yourdomain.com/private/403.html” they will get an error instead of your custom error page. The “ErrorDocument” command can not over-ride the rest of the .htaccess and show it, because the custom error page is IP blocked also in that case.
The question came-up about using .htaccess in Windows servers. It can be done, but unless you have some major permissions (dedicated server) or run the server, you can’t normally. It requires setting a rename-command in the Windows httpd.conf file. If you have access to this, just search for “Apache htaccess in windows”…A lot of info on it, and I advise reading carefully, not to be played with without extreme care
Taine………$REDIRECT_REDIRECT_ERROR_NOTES -nor- $REDIRECT_ERROR_NOTES is a valid PHP predefined variable or function. Where are you seeing that?
Maurice, yes, .htaccess works on FrontPage (if server has it normally accessible to you). HOWEVER, frontpage has its own configuration of .htaccess that will be messed-up by custom htaccess (unless you are careful), and if you just overwrite the .htaccess with what non-FrontPage users would use, the FrontPage extensions may not then work. You need to check the FrontPage docs for more info. Official warning reads as follows (and is in fact the case): “FRONTPAGE WARNING: FrontPage sites have a .htaccess file in the root directory that is created when the FrontPage extensions are installed. FrontPage users should proceed with caution and make a backup copy of their .htaccess file before making any changes. Incorrect changes to your .htaccess file can result in your site being unreachable.”
Whoever (how to refer to folks with “” as a name?) asked about “Write a script that dynamically blocks certain malicious hosts”, a simple way (research…research, and you’ll find a lot more) is to simply not let them request those particular docs in the first place (look-up “RewriteCond” or “htaccess rewritecond”). BUT, Rossz seems to have done that one!!!!!!
Dom, I believe the following will accomplish this (note I said I think..lol)…I think you can follow the logic of it:
# 192.168.5.0 - 192.168.5.9
SetEnvIf Remote_Addr "^192\.168\.5\.[0-9]$" ban
# 192.168.5.10 - 192.168.5.99
SetEnvIf Remote_Addr "^192\.168\.5\.[0-9][0-9]$" ban
# 192.168.5.100 - 192.168.5.119
SetEnvIf Remote_Addr "^192\.168\.5\.1[01][0-9]$" ban
# 192.168.5.120 - 192.168.5.127, one per line
SetEnvIf Remote_Addr "^192\.168\.5\.120$" ban
SetEnvIf Remote_Addr "^192\.168\.5\.121$" ban
SetEnvIf Remote_Addr "^192\.168\.5\.122$" ban
SetEnvIf Remote_Addr "^192\.168\.5\.123$" ban
SetEnvIf Remote_Addr "^192\.168\.5\.124$" ban
SetEnvIf Remote_Addr "^192\.168\.5\.125$" ban
SetEnvIf Remote_Addr "^192\.168\.5\.126$" ban
SetEnvIf Remote_Addr "^192\.168\.5\.127$" ban
# <Limit> needs at least one method name
<Limit GET POST>
deny from env=ban
</Limit>
rs…. 1) ‘referer’ 2) yes, new lines always 3) IF I UNDERSTAND YOUR QUESTION RIGHT… You can’t change the htaccess password prompt (other than the “realm” name). You can however replace it with a form (example found at http://javascript.internet.com/navigation/htaccess-login.html ) NOTE however, if you use the form method: The password appears in the user’s address-bar when they are let in (like http://username:password@yourdomain.com/protectedpage.html )…Some folks will not like that (folks looking over their shoulder and password not encrypted in plain sight). In addition, if they enter it wrong (invalid login) on form, the normal htaccess prompt appears for them to try again (not the form).
Jen…assuming they have javascript enabled (I don’t think you can use PHP or other as adapt languages on those sites…sorry, and I don’t know if either allows htaccess- read others’ tips above on trying to upload then rename it), then the following javascript would work (In IE and Opera, not tested in NS…call me lazy). Also note, you would have to have a site with SSI (server-side includes) enabled and rename the page from .html to .shtml:
<script language=javascript>
// REMOTE_ADDR is filled in by the server through SSI before the page is sent
var ip = '<!--#echo var="REMOTE_ADDR"-->';
function blockthem()
{
// Add all the IP#'s you want below, just make sure to separate with two | symbols
if (ip == "1.2.3.4" || ip == "7.8.9.0")
{
alert("GO AWAY! I banned your IP# !");
window.location.replace("http://yourdomain.com/banned.html");
}
}
blockthem();
</script>
OK, I know I missed something here…lol
October 9th, 2003 at 8:37 pm
What do the IP numbers mean? Like I know if you ban the first set of numbers, it’ll ban everyone on that ISP, but what if you don’t want to ban everyone on the ISP but don’t know if that person has a static IP? Is there anyway around this?
Thanks
November 5th, 2003 at 9:42 pm
Did I do this right?
I blocked my own IP to see if I did the script right and it works, but it won’t take me to my 403 page that I created. Here is my script:
order allow,deny
allow from all
deny from 66.167.113.96
deny from 68.171.106.5
ErrorDocument 403 http://www.etiphany.com/403.htm
What am I doing wrong? I want the person/people banned to know they are banned and if someone accidentally gets banned, I want them to be able to contact me as well.
November 5th, 2003 at 9:49 pm
I just posted and forgot to add this:
Do I have to do a re-direct instead? Or have my 403 page listed somewhere else, like on a different website? Maybe I will do that.
November 5th, 2003 at 9:57 pm
Okay, sorry. I got it now. I re-directed it to a geocities site. =) Whoo hooo! Thanks for the script, though.
Cheers.
November 6th, 2003 at 9:12 pm
What I am wanting to do is I basically have everyone blocked. But there is a group of IPs I want to redirect to a different site. How is the best way to do this if at all possible?
ErrorDocument 403 /ipw-web/errdocs/403.html
ErrorDocument 401 /ipw-web/errdocs/401.html
ErrorDocument 500 /ipw-web/errdocs/500.html
ErrorDocument 400 /ipw-web/errdocs/400.html
ErrorDocument 404 /ipw-web/errdocs/404.html
order allow,deny
deny from all
allow from 270.86.70.22
allow from 61.41.139.
allow from 22.94.57.
November 19th, 2003 at 2:15 pm
Thanks for posting the IP blocking code. You’re the top link when one googles IP blocking and now I can (hopefully) block linking from Czech porn sites.
December 6th, 2003 at 8:30 pm
For people who want only certain people to have access to their site it is easier to use a .htpasswd file.
More info about .htpasswd:
http://www.dansie.net/cgi-bin/faq.pl?htpasswd+protect+directories
Password entry generator:
http://www.euronet.nl/~arnow/htpasswd/
(I haven’t tried this myself, but if you search for some docs, you’d have to find out how to set it up properly)
(On a sidenote: I couldn’t help noticing you are requesting users to replace characters to their html equivalent themselves, while you can do this quite easily on submit in php: $resultstring=str_replace (text_to_change, string_to_change_to, $initialstring); )
December 21st, 2003 at 6:25 am
Yo, check your logs. I’ve gotten spam through this page.
williamduke01@fsmail.net sending message “MESSAGE FROM WILLIAM”
alt. e-mail provided in spam: williamduke01@netscape.net
message sent: Sun, 21 Dec 2003 11:28:14 -0800
Speaking of htaccess, check your logs and see if you can find him, then ban his ip.
May 5th, 2004 at 1:12 am
does it matter if you put the 403 error code or the ip deny code first ? please email me thanks
also say my denied page is http://www.djfarm.com/banned.htm
would i put ErrorDocument 403 /banned.htm
May 5th, 2004 at 1:11 pm
I’m trying to do something similar. I thought I saw it here once.
I’m migrating my files from HTML to PHP. But I don’t want people’s external links to break.
I’m looking for a script to either make my .htaccess 404 error smart enough to redirect them to the same page with a .PHP or if I can index my current site with a redirect for all my current files (this might be what I saw most recently).
May 5th, 2004 at 1:40 pm
Gary - actually what you can do is have your site CONTINUE to use the “.html” extension so your links don’t change - and then just modify your htaccess file to tell your server to process .html pages AS IF they were php (so you can have php code on your .html page)
the post about how to do that is here
May 5th, 2004 at 1:59 pm
Jennifer, I was considering that. It was actually part of my comment but I deleted it. I just wasn’t sure if should parse every page on the site (just because I can), although if I rename every page (in this section of my site) it’s going to get parsed anyways. Thanks! (I’ll see if my provider lets me make that change to my .htaccess file).
May 5th, 2004 at 2:15 pm
You could probably do some kind of a “mod rewrite” thing in your htaccess file to, as you suggested, re route requests for “page.html” to “page.php”… but I’m not sure if that’s better than my suggestion. As well - I’m not familiar with mod rewrite - more than just copy/paste.
September 22nd, 2004 at 3:09 pm
I have read through the postings here and if I have missed this I’m sorry….
basically I want to redirect my banned ips to another site as I don’t have root access in order to upload the 403.htm file to. When I tried the ip block on my own ip it worked great!!! However it kicks me out to the main test page for the site and not the 403 file I created. I don’t want this. Thus how can I redirect to another site? Every time I tried it, it created an internal server error.
October 21st, 2004 at 4:29 am
I can’t make a file .htaccess, it is .htaccess.txt. I clicked show extensions of known file types, renamed the file .htaccess and it said you must have a file name.
How can I get round this, would it work if I copied it from a website through ftp to my tripod site?
If it would please give me a site to use.
Is it possible to do it in geocities?
October 21st, 2004 at 6:08 am
I worked out how to.
My FTP program let me rename the file, and remove the .txt at the end.
October 21st, 2004 at 6:13 am
Tripod will not let me upload it via ftp. Geocities will not allow me to upload it via its file manager.
How can I upload it?
Or where can I upload it for free?
October 21st, 2004 at 7:22 am
I worked it out, I used tripod file manager, upload and it worked.
Sorry for wasting some space but at least some people might find this useful and it is related