Magento 1 – block IP addresses
If you have a running Magento live shop you may have to block IP addresses. This is a good option to protect your shop against attackers. In this tutorial I show you how to do this and also how to find out which IP addresses you should block.
Attacks against Magento shops are very common. In recent years Magento was in the media because many online shop owners are too lazy with security patches. An unpatched shop is an easy target for attacks. Random attacks are running around the clock. If your shop is vulnerable, a hacker can easily steal credit card data or manipulate your shop in another way. Your task is to recognize such attacks and take action against them.
Forbid IP addresses
Most shops are running on managed hosts, so you have no direct access to the server firewall. You do not need it. You can block IP addresses in two different ways:
- .htaccess (web server level)
Magento needs a .htaccess file to define redirects and some other settings for the web server. You can append lines to this file to block IP addresses. Simply add one line per IP address:

    Deny from 91.223.133.41
    Deny from 206.72.117.57

- index.php (PHP level)
If you do not use .htaccess files or the first approach doesn't work, you can also do it at PHP level. For this, add the following code at the top of the index.php file:

    <?php
    // IP addresses that must not reach the shop
    $deny = array("206.72.117.57", "91.223.133.41");
    // Strict comparison: REMOTE_ADDR is always a string
    if (in_array($_SERVER['REMOTE_ADDR'], $deny, true)) {
        // Redirect the blocked client and stop before Magento starts
        header("Location: http://www.google.com/");
        exit();
    }

Both approaches work and protect your shop from requests from a specified IP address.
Detect bot IP addresses
It is easy to protect a shop from requests from known IP addresses. The harder part is to find out who wants to harm you. Most hosters block DoS attack patterns. Brute-force password guessing is nearly impossible. Most hackers know this, so they time their tries. If a bot waits for some seconds between requests, it is inconspicuous for most server security routines.
A good extension to detect those silent attacks is watchlog. If you block IP addresses manually, you do not need a pro version of this extension. For a problem in one of our shops it showed the following statistics:
As you can see, the number of failed login tries to the backend increased dramatically in the last days. A detailed list of login tries looks like this:
Two bots (you can see two different IP addresses) are trying to get access over the RSS feed six times an hour. You can prevent this attack before it succeeds by blocking the IP addresses. It is always a good idea to block these bots, even if you have no user like mage or administrator. Such bots are updated regularly and may use current security vulnerabilities.
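If you cannot install an extension, the same slow pattern can be found in the web server access log. The following is an added example, not part of the original tutorial: it counts failed requests to login-protected paths per IP address over a one-hour window and prints matching `Deny from` lines. The log format (Apache combined), the 401/403 status codes, the watched paths, the threshold and the sample lines are assumptions to adapt to your shop.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (Apache combined log format); IPs are documentation ranges.
BOT = '203.0.113.7 - - [12/Mar/2016:10:{:02d}:00 +0000] "GET /index.php/rss/order/new HTTP/1.1" 401 381 "-" "-"'
SAMPLE_LOG = "\n".join(
    [BOT.format(minute) for minute in range(0, 60, 10)]  # one try every 10 minutes
    + ['198.51.100.23 - - [12/Mar/2016:10:05:11 +0000] "POST /admin HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
       '198.51.100.23 - - [12/Mar/2016:10:05:40 +0000] "POST /admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '192.0.2.10 - - [12/Mar/2016:10:07:02 +0000] "GET /checkout/cart HTTP/1.1" 200 9120 "-" "Mozilla/5.0"'])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')
# Assumption: paths that ask for a login; adjust to your admin front name and feeds.
WATCHED = re.compile(r'/(rss|admin)(/|$)')

def slow_bruteforce_ips(log_text, window=timedelta(hours=1), threshold=5):
    """Return {ip: most failed requests inside any one window} for IPs at or above threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in another format
        ip, stamp, path, status = m.groups()
        if status in ("401", "403") and WATCHED.search(path):
            failures[ip].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def htaccess_rules(flagged):
    """One .htaccess line per flagged address, in the syntax used above."""
    return ["Deny from " + ip for ip in sorted(flagged)]

if __name__ == "__main__":
    print("\n".join(htaccess_rules(slow_bruteforce_ips(SAMPLE_LOG))))
```

Check the flagged addresses against your own and your staff's addresses before adding them to .htaccess, because a single mistyped password also produces a failed request.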
Conclusion
It is a good idea to block IP addresses of random attack bots. Such Magento bots are searching for Magento shops and then run attacks on known security leaks. It is important to patch your shop and to close all those leaks as fast as possible.