...

View Full Version : Should I block this IP? If so how do I do that?



low tech
05-27-2011, 03:47 AM
Hi all.

I have two questions.

I'm teaching myself PHP and trying to learn how to use logs to improve my site.

Question 1:
Should I block this IP? If so how do I do that?

I have a small site that I only expect to get busy at certain periods of the year
and hits should be 90% from within my country.
I wanted to work out if my site did in fact get busier during these periods so
in March I set up a simple PHP script to get the IP and date of sites visiting my homepage.


Now when I look at the log I find this

/index.php, RUSSIA, May 25th 16:48:19 //IP is from Russia. Not sure I can show the actual IP here.
/index.php, RUSSIA, May 25th 16:48:20
/index.php, RUSSIA, May 25th 16:48:21
/index.php, RUSSIA, May 25th 16:48:21


which has been logged every two days since March.
Just the times are different.

Why would I get this? Is it a robot and harmless or an attack?
I don't have a database on my site or any sensitive info.

Should I block this IP? If so how do I do that?


Question 2:

Is there any way that I can show the place of origin instead of the IP?
so for example instead of this

/index.php, 000.12.345.678, May 25th 07:01:10

I would see this
/index.php, London, May 25th 07:01:10


any help would be greatly welcomed

low tech

tangoforce
05-27-2011, 10:04 AM
Its probably a search engine. If it was an attack you'd see in your logs calls to phpmyadmin/ and all sorts of others where it is trying to find a vulnerability.

When you first start a website its easy to become paranoid about who's connecting to your site because you're not sure how well you've defended it. Search engines crawl websites frequently to ensure they've got the latest data and their search results are accurate. Google for instance crawls every 2 minutes on some websites and every 10 on others.

If you want, you can create a mysql table, put your blocked IPs in there and then in your index.php check for the incoming ip connection against the table. If its in there then you can call exit() or just do what i do - sleep(600) (10 mins) which is long enough for bots to get bored and move on to their next victim. Just be careful though that you don't actually block the search engines or you'll be back asking why you can't get into them. Admittedly i've blocked some chineese and russian search engines on my site though as there was a botnet trying to hit my guestbook on a daily basis to find weaknesses and it all started after a crawl from those 2 countries.

low tech
05-27-2011, 10:43 AM
Thanks tangoforce


put my mind at ease a bit hhahahahaa

stupid question but is there anyway to tell the difference between search engine and a user hitting the page after a google search for instance?

I'm collecting IPs at the moment because I thought I would be able to see more hits on my index page during my busy periods and cross that against how many actual enquires I get. But of course I don't want to include search engine hits hahahhaaha


I'm new at this so I don't if I should be collecting IPs --- should I be using http_referer?


Does this make sense?

thanks for your input --- really appreciated

low tech
ps :-)smile

tangoforce
05-27-2011, 11:50 AM
hahahahahaha? I don't see anything funny about IPs and search engines..

I think you're worrying too much. Yes you can block ips but you need to look in the logs for the referrers and query strings.

Most big search engines will tell you who they are like googlebot (although google is guilty of not doing this sometimes).

At the end of the day unless you're a terrorist theres not much point blocking people and search engines from reaching your site or they'll never find it on a search.

I personally think you're worrying too much. When you start seeing repeated attempts to get into /phpmyadmin or /admin or /cpanel etc then you know you've got a bot problem and need to start blocking them. Until that time..

low tech
05-27-2011, 12:09 PM
Hi tangoforce

I think we are a bit mixed up

forget about blocking IPs because you've answered that question just fine:-)

What i'm trying to say is:
how do I find out if my index page is being viewed? (excluding search engines)

I did this


$address = $_SERVER['PHP_SELF'];
$ipaddress = $_SERVER['REMOTE_ADDR'];
$date = date("M dS H:i:s");

but doing it this way seems to capture search engine IPs which I don't need.

At the moment this is the only log i'm looking at ie this one I created:-)

I'm just trying to create a record of how many times my index page gets hit.

Should I use http_referer instead of remote_addr?

low tech
:-)


you need to look in the logs for the referrers and query strings
what logs? where will I find them? I thought I had to create my own log:-(

tangoforce
05-27-2011, 01:19 PM
Yes you can use the HTTP_REFERRER in the $_SERVER array but tht will only tell you where people have been referred from.

The best method is simply to look at the webserver logs because there are a lot of different things you need to take into consideration to determine if a request is a viewer or a bot and even if its a viewer, is it from the same session, ip, browser etc. It's a small minefield as you could have two different users on the same shared network at home looking at your site at the same time. Now do you classify that as one visit or two?

See what i mean?

low tech
05-27-2011, 02:56 PM
Hi tangoforce

Thanks for your replies


It's a small minefield

hahha yeh I am beginning to see that hahahaa

but it's a good learning curve and you've given me some things to think about,


I'll check out the webserver logs ---- I've had the site for years but up to now I've never looked at the logs hahahhaha

again thanks

low tech
:-)

tangoforce
05-27-2011, 05:06 PM
Good luck!

krypton
05-27-2011, 07:28 PM
1.detect users ip with $REMOTE_ADDR
2.dectect the country from the ip2country script posted here.
3.deny access of the country like

if($iso_country_code=="uk")
{
echo " Sorry We dont allow UK visitors here.";
}
else
{ echo " acess link to the site.";
}

tangoforce
05-27-2011, 08:27 PM
@krypton: How does that work with users who are proxying through the TOR network? - who could be from any country..

low tech
05-27-2011, 11:42 PM
Hi krypton


1.detect users ip with $REMOTE_ADDR
2.dectect the country from the ip2country script posted here.
3.deny access of the country like

PHP Code:
if($iso_country_code=="uk")
{
echo " Sorry We dont allow UK visitors here.";
}
else
{ echo " acess link to the site.";
}

Thank you for the code.

appreciated

low tech

ps
@tangoforce
good point
:-)

krypton
05-28-2011, 05:16 AM
@krypton: How does that work with users who are proxying through the TOR network? - who could be from any country..

u can block ip range too if this happens :)

tangoforce
05-28-2011, 01:40 PM
@krypton:You're missing the point. Supposing someone from an allowed country is connecting via the TOR network using another country IP. They will be wrongfully blocked.

Now how do you account for that?

krypton
05-28-2011, 04:56 PM
@krypton:You're missing the point. Supposing someone from an allowed country is connecting via the TOR network using another country IP. They will be wrongfully blocked.

Now how do you account for that?

why someone will connect by changing another ip address? that man must have something wrong in his mind then only he will connect with another ip address...... and that person should be totally blocked from site........

Dan13071992
05-30-2011, 05:30 PM
this may sound a bit old, however i just wanted to add that if you use statcounter you can see which pages are being viewed most ect, i do believe the url is statcounter.com, a quick google search would do, just include it in all pages, would be easier if u had an include file thats included in every page.

low tech
05-31-2011, 02:49 AM
Hi Dan

Actually that seem to be a very useful link an I will definately look into it.

Thanks very much

LT:-)

Dan13071992
05-31-2011, 09:28 PM
No problem LT, it is what i was using and it can also run as invisible coding, glad i could help, as I said just stick it in a file that is included in all of your pages, then on statcounter.com log in and you can view the ip address, what time they was there, where they came from ect.

regards.

Dan



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum