Blocking a range of IP addresses.

What are the different methods?

grandma genie

3:42 am on Oct 9, 2010 (gmt 0)

10+ Year Member

Hello,

I have seen a number of different ways to block IPs here in this forum and other places online. One of the ways was to just leave off the last few series of numbers. Like, if the IP was:

63.94.28.32 (just making these up) you can block either that one IP, or you can block
63.94.28 or
63.94

My question is, is there a problem just using the 63 and blocking everyone whose IP begins with 63? Is that kosher? Or would that cause a problem? What is the correct way to block the whole range beginning with just the first numbers in the series?

Thanks for your help.

Jeannie

jdMorgan

2:24 pm on Oct 9, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

The Apache mod_access documentation describes several methods of defining single IP addresses and ranges.

These vary from omitting the trailing number groups (called octets because they each represent 8 bits of binary data) to the use of Network/CIDR or Network/Netmask declarations which can be used to achieve finer granularity in the number of addresses to be blocked and in the "base addresses" of those numbers.

You can indeed block huge numbers of IP addresses with something like

Deny from 63

However, be aware that the number of addresses blocked by that line is 33,554,432 -- that's over 33.5 million. Because IP addresses and blocks of IP addresses are not assigned based on national boundaries, regions, or any other "organized" methods, you run the risk of blocking thousands of users in thousands of different places.

Your best bet when investigating unwelcome visits is to enter the IP address into one or more "WHOIS" tools and see who the IP address belongs to and how big the range of addresses owned/controlled by the same ISP is. For example, you can use the tools at [arin.net...] to look at the assigned numbers for many North American ISPs. If the number is not assigned to North America, then the output from the tool will tell you that, and suggest the appropriate number registry to use to get the information you need. Other majors are RIPE for Europe and APNIC for Asia/Pacific Rim. Then there are also smaller ones for Africa (AFRINIC) and South America (LACNIC). Japan and Korea also have national registries, sharing only some of their assignment data with APNIC. APNIC will inform you if a national directory can be used to get more info.

Selecting a blocking method depends mostly on exactly what you want to do, but to a certain extent, it also depends on which method you're most comfortable using. For example, the following three lines are equivalent:

Deny from 192.168
Deny from 192.168.0.0/255.255.0.0
Deny from 192.168.0.0/16

Each blocks 65,536 IP addresses starting with "192.168.0.0"

However, if you only wish to block 16,536 IP addresses, you can't use the first method, because the desired blocking range comprises only one-fourth of the possible addresses that fall within the 16-bit range defined by each of the above directives. If you wish to block, say, 192.168.128.0 through 192.168.191.255, you can only use the last two methods to achieve this granularity, as in:

Deny from 192.168.128.0/18
Deny from 192.168.128.0/255.255.192.0

These two notations both say to take the requesting IP address, convert it to binary, mask it with 18 "1" bits followed by 14 "0" bits, and then compare that result to the specified base address (also masked before the compare). Note that this 18 plus 14 adds up to 32 -- the same number of bits represented by the four octets in the IP address, which each represent 8 bits.

Obviously, this is not a simple exercise, and the decision must be taken to learn about decimal octet to binary number conversion or to forgo the use of the more-complex methods. The "calculator" program on Windows has a "programmer mode" that can come in quite handy if you wish to use them. And after many years of "thinking in these terms" it is possible to do CIDR and netmask calculations in your head, as I usually do... However, I'll admit to having more than 36 years of practice at it. :o

There are also Netmask/IP address "calculators" available on the Web and in downloadable-program form.

The reason these apparently-complex CIDR/Netmask methods are used is that to a computer which "thinks" in binary numbers, these methods are actually the most simple, and therefore even long lists of "Denys" can be evaluated very, very quickly. If the logic required to parse human-natural range notations like "Deny from 192.168.128.0 through 192.168.191.255" was supported, one could expect server performance to suffer by a factor of five or so.

It can easily be observed that Apache modules are best adapted to the needs of the server, and not to those of the people who administrate them. The emphasis is on compact "code" and speed and efficiency. The result is that although the code is often obscure, its handling by the server can be blazingly fast. This is the reason that even a twelve-year-old PC can be used to set up a dedicated Apache server, and that server will have excellent performance as long as it is only serving Web pages and not running a lot of scripts or database inquiries. Compared to most application programs, the core of an Apache server (i.e. not including PHP, MySQL, etc.) is tiny and very, very efficient.

Jim
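An added example (not part of the original reply, and not Apache's own code): a small Python model of the mask-and-compare rule Jim describes, covering the three `Deny from` notations in the thread (partial address, CIDR prefix, and dotted netmask). It lets you confirm that the notations are equivalent, count how many addresses a line covers, and test whether a given client address would fall inside the range before you put the line in your configuration.

```python
import ipaddress


def ip_to_int(ip: str) -> int:
    """Dotted-quad text -> 32-bit integer (the 'convert to binary' step)."""
    return int(ipaddress.IPv4Address(ip))


def parse_deny(spec: str):
    """Turn one 'Deny from' argument into (masked_base, mask).

    Accepts the three forms discussed in the thread:
      partial address  '192.168'                    -> 16 leading '1' bits
      CIDR             '192.168.128.0/18'           -> 18 leading '1' bits
      netmask          '192.168.128.0/255.255.192.0'
    """
    if "/" in spec:
        base, suffix = spec.split("/", 1)
        if "." in suffix:                       # dotted netmask form
            mask = ip_to_int(suffix)
        else:                                   # CIDR prefix-length form
            bits = int(suffix)
            mask = ((1 << bits) - 1) << (32 - bits) if bits else 0
        return ip_to_int(base) & mask, mask
    # Partial address: every octet given adds 8 '1' bits to the mask,
    # every omitted octet adds 8 '0' bits.
    octets = spec.split(".")
    bits = 8 * len(octets)
    mask = ((1 << bits) - 1) << (32 - bits)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ip_to_int(padded) & mask, mask


def is_denied(client_ip: str, spec: str) -> bool:
    """Mask the client address and compare with the (masked) base address."""
    masked_base, mask = parse_deny(spec)
    return ip_to_int(client_ip) & mask == masked_base


def block_size(spec: str) -> int:
    """Number of addresses one Deny line covers: 2 ** (count of '0' mask bits)."""
    _, mask = parse_deny(spec)
    return (~mask & 0xFFFFFFFF) + 1


if __name__ == "__main__":
    # Constructed sample checks using the ranges from the reply above.
    for spec in ("192.168", "192.168.0.0/255.255.0.0", "192.168.0.0/16"):
        print(spec, "covers", block_size(spec), "addresses")
    print("192.168.191.255 in 192.168.128.0/18:", is_denied("192.168.191.255", "192.168.128.0/18"))
    print("192.168.192.0   in 192.168.128.0/18:", is_denied("192.168.192.0", "192.168.128.0/18"))
```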

grandma genie

3:59 pm on Oct 9, 2010 (gmt 0)

10+ Year Member

OK, thank you, Jim.
That answered my question.
I appreciate all the very helpful information.

Jeannie

sublime1

6:39 pm on Oct 9, 2010 (gmt 0)

10+ Year Member

Jim --

That response should go in the library. I started last night, but realized it was a complicated answer. I salute your stamina!

Tom