How can I ban an entire company from my website?

Time: 2022-11-29 23:25:59

For reasons I won't go into, I wish to ban an entire company from accessing my web site. Checking the remote hostname in PHP using gethostbyaddr() works, but this slows down the page load too much. Large organizations (e.g. hp.com or microsoft.com) often have blocks of IP addresses. Is there any way I can get the full list, or am I stuck with the slow reverse-DNS lookup? If so, can I speed it up?

Edit: Okay, now I know I can use the .htaccess file to ban a range. Now, how can I figure out what that range should be for a given organization?

11 solutions

#1


11  

How about an .htaccess:

Deny from x.x.x.x

if you need to deny a range say: 192.168.0.x then you would use

Deny from 192.168.0

and the same applies for hostnames:

Deny from sub.domain.tld

or if you want a PHP solution

// Stop the request when the client address is on the deny list
$ips = array('1.1.1.1', '2.2.2.2', '3.3.3.3');
if (in_array($_SERVER['REMOTE_ADDR'], $ips)) { die(); }

For more info on the htaccess method see this page.

Now to determine the range is going to be hard, most companies (unless they are big corporate) are going to have a dynamic IP just like you and me.
This is a problem I have had to deal with before and the best thing is either to ban the hostname, or the entire range, for example if they are on 192.168.0.123 then ban 192.168.0.123, unfortunately you are going to get a few innocent people with either method.

#2


4  

If you're practicing safe webhosting, then you have a firewall. Use it.

Large companies have blocks of IP addresses, but even smaller companies rarely change their IP. So there's an easy way to do this without reducing your performance:

Every month do a reverse lookup on all the IPs in your log and then put all the IPs used by that company in your firewall as deny.

After a while you'll begin to see whether they have dynamic addresses or not. If they do, then you may have to do reverse lookups for each connection attempt, but unless they are a small company you shouldn't have to worry about it.

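The monthly sweep described in the answer above, as an added example that is not part of the original post: it resolves each distinct log address once, keeps those whose PTR name falls under the company's domain, and collapses them into CIDR blocks for a firewall deny list. The log lines are constructed, the function names are hypothetical, and iptables is assumed as the firewall.

```python
import ipaddress
import socket

# Constructed access-log lines; the addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Nov/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.11 - - [01/Nov/2022:10:00:05 +0000] "GET /a HTTP/1.1" 200 128
198.51.100.7 - - [01/Nov/2022:10:01:00 +0000] "GET / HTTP/1.1" 200 512
203.0.113.10 - - [02/Nov/2022:09:00:00 +0000] "GET /b HTTP/1.1" 200 64
garbage - - [02/Nov/2022:09:00:01 +0000] "GET / HTTP/1.1" 400 0
"""

def reverse_dns(ip):
    """PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def unique_ips(log_text):
    """Client address is the first field; skip lines where it is not an IP."""
    seen = set()
    for line in log_text.splitlines():
        try:
            seen.add(ipaddress.ip_address(line.split(" ", 1)[0]))
        except ValueError:
            continue
    return seen

def company_networks(log_text, domain, resolver=reverse_dns):
    """Resolve each distinct IP once, keep the company's, collapse to CIDRs."""
    domain = domain.lower().strip(".")
    hits = []
    for ip in unique_ips(log_text):
        host = (resolver(str(ip)) or "").lower().rstrip(".")
        # Exact domain or a subdomain only, so "notexample.com" does not match.
        if host == domain or host.endswith("." + domain):
            hits.append(ip)
    nets = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        same = [ip for ip in hits if ip.version == version]
        nets.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return nets

def firewall_rules(nets):
    """Format as iptables/ip6tables DROP rules (assumed firewall)."""
    return [("ip6tables" if ":" in n else "iptables")
            + f" -A INPUT -s {n} -j DROP" for n in nets]
```

PTR records are set by whoever controls the address block, so this only finds addresses whose reverse name actually carries the company's domain.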

#3


2  

Continue to use gethostbyaddr(), but behind a cache. You should only have to resolve it once per IP address, and then it would not be a significant performance issue. If you want, prime the cache from your server logs so returning users won't even hit the one-time slowdown.

#4


2  

If your goal in doing this is to make it slightly inconvenient for people from a company to access your site, follow the advice above. But you won't be able to completely ensure you're blocking every access because they could always be going through a proxy. And if it's accessible to the rest of the public, you'll have to worry about archive.org, search engine caches, etc.

Probably not the answer you're looking for, but it's accurate.

#5


1  

Take a look at .htaccess if you're using apache: .htaccess tutorial

#6


1  

First search for the company on whois.net. If you know they are just one domain, do a whois lookup. Otherwise, search for domains they own by keyword.

You can find out the main IP ranges assigned to the company through whois queries, and then build your deny rule(s) accordingly.

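Building deny rules from whois ranges, as an added example that is not part of the original answer: it converts the "first - last" ranges in whois output into CIDR blocks, prints them in the `Deny from` form used earlier on this page, and shows the same blocks used for a request-time check that needs no DNS lookup. The whois text is constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed whois output in two common layouts (ARIN-style "NetRange",
# RIPE-style "inetnum"); the addresses are documentation ranges.
SAMPLE_WHOIS = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
OrgName:        Example Corp (constructed)

inetnum:        203.0.113.16 - 203.0.113.47
netname:        EXAMPLE-BRANCH
"""

RANGE_RE = re.compile(
    r"^(?:NetRange|inetnum):[ \t]*(\S+)[ \t]*-[ \t]*(\S+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)

def whois_to_cidrs(whois_text):
    """Turn every 'first - last' range into the minimal list of CIDR blocks."""
    nets = []
    for first, last in RANGE_RE.findall(whois_text):
        try:
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        except (ValueError, TypeError):
            continue  # malformed, reversed or mixed-version range: skip it
    out = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        same = [n for n in nets if n.version == version]
        out.extend(ipaddress.collapse_addresses(same))
    return out

def htaccess_lines(nets):
    """Deny rules in the page's .htaccess syntax, one CIDR block per line."""
    return [f"Deny from {n}" for n in nets]

def is_blocked(remote_addr, nets):
    """Request-time check: pure arithmetic, no DNS lookup involved."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in n for n in nets)
```

A range that does not sit on a single CIDR boundary, like the second one in the sample, comes out as several blocks rather than one rounded-up block that would also cover neighbouring addresses.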

#7


1  

I know WikiScanner lets you search for a company or other organization, and then lists the IP address ranges belonging to them. Just as an example, here's all the IP addresses belonging to Google, at least according to WikiScanner.

According to HowStuffWorks, they use something called "IP2Location".

#8


0  

Do you have access to the actual server config? If so depending on the server you could do it in the configuration.

See this thread for some information that may be helpful.

#9


0  

http://en.wikipedia.org/wiki/Rwhois

telnet rwhois.arin.net 4321

This used to work.

#10


0  

The load shouldn't be put on the webserver, you should put it on the firewall.

#11


0  

Note that using the techniques above it will never be possible to completely ban the specific company from accessing your website. It will still be possible for them to use proxy servers or look at your site from home.

If you absolutely want to control who has access, you should only allow authenticated and authorized users to access your site.
