Here’s the thing. I don’t think blocking an IP address is a good idea.
Will it prevent spammers from registering on your site? Yes. But much like CAPTCHA, I think it does more harm than good.
See, IP addresses are numerical labels assigned to each device (e.g., computer, printer) participating in a computer network that uses the Internet Protocol for communication. Big words. Shorter version: The IP address is the phone number. DNS is Caller ID. When you dial ‘Home’ on your cell phone, the phone translates that into a number and dials, right? Well, on the internet, you say “I want to go to ipstenu.org” and it’s DNS that says “Okay, my big bad directory says that’s 67.227.208.52 so here you go!” (actually it says “You want extension #1 on 67.227.208.52” if I can stretch that metaphor).
The IP address for websites is pretty static. Just as most of us don’t want to change our phone numbers and teach all our parents new contact info, we don’t want to have to update all the DNS servers in the world with our new IP address. It’s a pain in the ass, it takes up to 72 hours to propagate to everyone (usually less), but that still means there’s a period of time where people can’t get to your website.
This is all over-simplified, but you get the gist.
Here’s where it gets weird. In order for the internet to know who YOU are and send you back the website you asked for, it has to assign you an IP address. And this changes. A lot. Most ISPs (the people who give you access to the net for monies) have a ‘range’ of IP addresses which number fewer than the number of people they have who pay for internet access. In order to make sure everyone can get on, when you connect to the net, you get a new IP. Back in the day of dial-up, every time you dialed in, you had a new IP. This was normal, and was one of the many reasons no one bothered to block by IP. All the idiot had to do was reconnect. These days, my IP changes about once a week or so, and I have no idea when or why, but it does. That doesn’t bother me.
Lately, I’ve gotten complaints and requests to make Ban Hammer or Register IP MS block people by IP address. And after playing with that a bit, I’ve decided I won’t. Not because I can’t (it’s really not that hard, and actually, Ban Hammer already does it for Single Site WordPress by accident), but because I don’t think it adds any value. The IP address can change too easily to make this a useful tool, and the odds are I’m going to accidentally block someone who should be able to access the site!
This is not to say I don’t block IP addresses at all, just that I don’t do it the way people seem to want to go about it. Maintaining my own blacklist of IPs is insane, and stupid. I don’t need to waste my time clicking and banning spammers or auto-register bots. Instead, I block IPs using one of two tools that were designed to look for bad behavior. I detailed all this in Spam / Splog Wars. That’s how I stop spammers and it works.
So no, I will not be wasting my time telling you how to edit my plugins to block people from the IP level. There are perfectly good ways of doing this that work without you having to field complaints from innocent users.
Block the bots, not the people.
Comments
3 responses to “Blocking IPs – Don’t”
I once built a set of Perl scripts plus a WordPress plugin which would automatically create IP-based firewall rules to block malicious traffic. But I had it set up with hit counters and timestamps, and I automatically deleted IPs from the list after a certain amount of time went by with no further activity from that address.
As long as you don’t keep IP blocks around forever, it’s generally okay. The problem is when people block an address, then forget about it. Then later on, some innocent bystander gets assigned that address, and can’t visit your site, and won’t know why.
Right, and most directions I see for blocking IPs are static lists. The closest I’ve seen to your scripts is ZB Block, whose efficacy I’m on the fence about right now.
Still, blanket blocking of IPs doesn’t serve anyone. You have to have some ‘intelligence’ behind it to compensate.
Yeah, I keep meaning to revive my SpamValve stuff. A while back, I moved hosts, and switched from a FreeBSD server to an Ubuntu-based one. I need to rewrite the Perl scripts to account for the new firewall system. Or better yet, complete my idea to make a class library that can be overridden for different servers.
Back when I had it running, it was pretty good at automagically stopping zombie hosts that tried to hit me with massive comment spam.
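The hit-counter-plus-expiry idea discussed in the comments above, sketched as an added example; it is not the commenter's Perl scripts, SpamValve, or any plugin's code. The class name, thresholds, and sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    hits: int           # suspicious requests counted in the current window
    first_seen: float   # start of the current counting window
    last_seen: float    # most recent suspicious request from this address
    blocked: bool = False

class ExpiringBlocklist:
    """Block an IP after `threshold` hits inside `window` seconds, and forget
    it after `idle_ttl` seconds with no further activity from that address."""

    def __init__(self, threshold=5, window=60.0, idle_ttl=3600.0):
        self.threshold, self.window, self.idle_ttl = threshold, window, idle_ttl
        self.entries = {}

    def purge(self, now):
        """Delete every entry, blocked or not, that has been idle too long."""
        stale = [ip for ip, e in self.entries.items()
                 if now - e.last_seen >= self.idle_ttl]
        for ip in stale:
            del self.entries[ip]
        return stale

    def record_hit(self, ip, now):
        """Count one suspicious request; return True if the IP is blocked."""
        self.purge(now)
        e = self.entries.get(ip)
        if e is None:
            e = self.entries[ip] = Entry(0, now, now)
        elif not e.blocked and now - e.first_seen > self.window:
            e.hits, e.first_seen = 0, now   # slow trickle: restart the window
        e.hits += 1
        e.last_seen = now                   # activity keeps an existing block alive
        if e.hits >= self.threshold:
            e.blocked = True
        return e.blocked

    def is_blocked(self, ip, now):
        self.purge(now)
        return ip in self.entries and self.entries[ip].blocked

def replay(events, **kwargs):
    """Feed (timestamp, ip) events through a fresh blocklist and return it."""
    bl = ExpiringBlocklist(**kwargs)
    for ts, ip in sorted(events):
        bl.record_hit(ip, ts)
    return bl

# Constructed sample: a five-request burst from one address, one hit from another.
SAMPLE = [(t, "203.0.113.7") for t in range(0, 10, 2)] + [(4, "198.51.100.20")]
```

Because the block is dropped once the address goes quiet for `idle_ttl`, whoever is assigned that address later is not locked out by a forgotten rule.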