
Blocking Nigeria

How do I block a country


Egbert Souse

6:00 pm on Jan 12, 2016 (gmt 0)

10+ Year Member



After receiving several bogus orders from Nigeria and absolutely zero legitimate ones, it has become time to block the entire country from our website.

I'm curious if there is a safe, effective way to do this and keep the list of CIDR blocks up to date.

I did find a few lists of CIDR ranges for Nigeria, but want to make sure I'm doing it right, and also not blocking from some of the countries in Africa we do get legitimate orders from. Like South Africa for instance.

I can post the most comprehensive code I found to date if you want to see it.

Thanks in advance for your advice and assistance!

whitespace

7:00 pm on Jan 12, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



I think posting what you have so far is a good start.

Egbert Souse

8:40 pm on Jan 12, 2016 (gmt 0)

10+ Year Member



<Files *>
order deny,allow

# Nigerian (NG), Ivory Coast and other African 419 Scammers IP addresses follow:
deny from 12.166.96.32/27 41.58.0.0/16 41.66.192.0/18 41.71.128.0/17 41.78.208.0/22 41.85.160.0/19 41.93.128.0/17 41.136.0.0/16 41.138.88.0/22 41.138.160.0/19 41.139.64.0/18 41.155.0.0/17 41.184.0.0/16 41.189.0.0/19 41.189.32.0/19 41.189.96.0/19 41.190.0.0/19 41.190.88.0/22 41.191.84.0/22 41.191.108.0/22 41.194.52.0/22 41.202.0.0/17 41.202.128.0/19 41.202.192.0/19 41.203.64.0/18 41.203.208.0/21 41.203.224.0/20 41.204.0.0/17 41.204.128.0/18 41.204.224.0/19 41.205.0.0/19 41.205.64.0/19 41.205.160.0/19 41.206.0.0/18 41.206.64.0/19 41.207.0.0/19 41.207.160.0/19 41.207.192.0/19 41.208.48.0/23 41.208.128.0/18 41.210.0.0/18 41.210.192.0/18 41.211.0.0/19 41.211.192.0/18 41.212.128.0/17 41.214.0.0/17 41.215.160.0/20 41.216.32.0/19 41.217.0.0/17 41.218.192.0/18 41.219.128.0/17 41.220.0.0/16 41.221.80.0/20 41.221.160.0/20 41.222.0.0/21 41.222.24.0/21 41.222.40.0/21 41.222.64.0/21 41.222.192.0/22 41.223.24.0/22 41.223.64.0/22 41.223.248.0/22 41.242.48.0/19 61.11.230.112/29 62.24.96.0/19 62.56.128.0/17 62.56.235.0/24 62.56.236.0/24 62.56.244.0/22 62.56.248.0/24 62.128.160.0/20 62.173.32.0/19 62.192.128.0/19 62.192.140.250 62.193.160.0/19 63.70.178.0/24 63.73.58.0/24 63.100.193.0/24 63.103.138.0/24 63.103.139.64/26 63.103.140.0/22 63.109.245.168/29 63.109.247.0/24 63.109.248.128/25 63.122.154.0/24 64.14.48.128/26 64.86.155.0/24 64.86.210.0/23 64.110.30.0/24 64.110.31.0/24 64.110.64.16/28 64.110.76.0/23 64.110.81.0/24 64.110.93.16/28 64.110.93.176/28 64.110.147.0/24 64.201.33.0/24 65.209.91.0/24 65.209.92.0/24 66.18.64.0/19 66.110.31.0/24 66.178.0.0/17 66.199.241.82 66.205.20.0/24
deny from 77.70.128.0/24 77.70.129.0/26 77.70.137.0/25 77.70.138.0/23 77.73.184.0/21 77.220.0.0/20 78.138.2.0/24 78.138.3.0/25 78.138.3.128/26 78.138.3.192/27 78.138.3.224/28 78.138.8.8/29 78.138.32.32/27 78.138.33.144/29 80.78.16.168/29 80.78.16.176/28 80.78.16.192/28 80.78.17.0/24 80.78.18.88/29 80.78.18.96/27 80.78.18.128/29 80.78.19.16/29 80.78.19.104/29 80.78.19.112/28 80.78.23.16/28 80.87.64.0/19 80.88.128.0/20 80.88.129.0/24 80.88.130.0/24 80.88.131.0/24 80.88.132.0/26 80.88.132.64/27 80.88.132.104/29 80.88.132.128/26 80.88.132.192/27 80.88.132.224/28 80.88.132.240/29 80.88.133.0/25 80.88.134.0/26 80.88.134.64/29 80.88.135.0/24 80.88.136.0/24 80.88.137.0/24 80.88.138.0/25 80.88.138.128/26 80.88.138.192/27 80.88.139.0/25 80.88.139.128/26 80.88.139.192/27 80.88.139.224/28 80.88.140.0/24 80.88.141.0/25 80.88.141.128/27 80.88.142.0/24 80.88.143.128/29 80.88.144.0/23 80.88.146.0/24 80.88.147.0/24 80.88.148.0/24 80.88.149.0/25 80.88.149.128/26 80.88.149.192/28 80.88.150.0/24 80.88.151.0/24 80.88.152.0/24 80.88.153.0/24 80.88.154.32/27 80.88.154.72/29 80.88.154.80/29 80.88.154.96/28 80.88.155.0/25 80.88.155.128/27 80.88.155.160/29 80.89.176.0/24
deny from 80.179.102.0/24 80.179.107.64/27 80.179.107.224/29 80.179.128.0/17 80.231.4.0/23 80.240.192.0/20 80.247.136.0/24 80.247.137.0/24 80.247.141.32/27 80.247.141.64/26 80.247.141.128/25 80.247.142.0/24 80.247.147.16/28 80.247.147.32/29 80.247.147.64/27 80.247.147.96/28 80.247.151.0/24 80.247.153.0/24 80.247.156.0/26 80.247.156.128/28 80.247.157.0/24 80.247.159.0/24 80.248.0.0/20 80.248.64.0/20 80.250.32.0/20 80.255.40.48/28 80.255.40.96/29 80.255.40.112/28 80.255.40.128/28 80.255.40.192/28 80.255.40.224/27 80.255.40.240/28 80.255.41.160/28 80.255.43.0/24 80.255.46.0/29 80.255.46.16/28 80.255.46.64/29 80.255.58.160/27 80.255.58.192/26 80.255.59.19 80.255.59.232/29 80.255.59.240/29 80.255.61.0/25 81.18.32.0/20 81.18.40.0/24 81.18.42.0/24 81.23.194.0/27 81.23.194.64/27 81.23.194.128/25 81.23.195.0/24 81.23.196.0/25 81.23.196.128/29 81.23.200.0/21 81.24.0.0/20 81.91.224.0/20 81.199.0.0/16 82.128.0.0/17 82.206.136.0/24 83.137.59.8/29 83.137.61.0/24 83.138.167.40/29 83.143.8.0/22 83.229.0.0/17 84.254.188.3 84.254.128.0/18
deny from 105.112.0.0/12 154.66.0.0/18 154.68.192.0/18 154.113.0.0/16 154.117.64.0/18 154.118.0.0/17 154.120.64.0/18 155.239.0.0/16 160.226.0.0/17 169.159.64.0/18 192.116.64.0/18 192.116.128.0/18 192.116.152.0/21 192.118.71.0/24 193.93.96.0/22 193.95.0.0/17 193.110.2.0/23 193.189.0.0/18 193.189.64.0/23 193.189.128.0/24 193.194.64.0/19 193.219.192.0/18 193.220.0.0/16 193.220.26.0/24 193.220.30.0/26 193.220.30.64/27 193.220.31.0/26 193.220.31.64/27 193.220.45.0/25 193.220.47.0/25 193.220.77.0/26 193.220.187.0/26 193.220.187.128/27 194.200.0.0/14 195.8.22.0/24 195.10.109.192/26 195.24.192.0/19 195.44.168.0/21 195.44.176.0/21 195.137.13.0/24 195.137.14.0/24 195.166.224.0/19 195.214.240.0/21 195.219.176.0/24 195.225.62.0/23 195.245.108.0/23 196.0.0.0/16 196.1.176.0/20 196.3.60.0/22 196.3.180.0/22 196.12.12.0/22 196.20.0.0/19 196.29.96.0/19 196.29.216.0/21 196.29.224.0/20 196.40.160.0/20 196.44.96.0/19 196.45.192.0/18 196.46.240.0/21 196.47.96.0/19 196.128.0.0/10 196.192.0.0/12 196.208.0.0/14 196.212.0.0/14 196.216.64.0/19 196.220.0.0/19 196.220.128.0/19 197.210.0.0/16 197.234.32.0/19 197.242.96.0/19 197.251.128.0/17 197.253.0.0/18 198.54.0.0/16
deny from 204.16.124.0/22 204.118.170.0/24 206.82.128.0/20 206.113.97.0/24 208.70.0.0/21 208.78.56.0/21 209.88.163.0/24 209.101.84.0/24 209.159.160.0/20 209.198.240.0/23 209.198.242.16/28 209.198.242.96/29 209.198.242.104/30 209.198.242.108/31 209.198.242.128/27 209.198.246.240/28 212.49.64.0/19 212.52.128.0/19 212.60.64.0/19 212.85.192.0/19 212.96.0.0/19 212.100.64.0/19 212.165.128.0/17 212.165.132.64/27 212.165.135.0/24 212.165.140.16/29 212.165.140.64/26 212.165.140.128/25 212.165.141.0/24 212.165.147.0/26 212.165.147.128/26 212.165.183.0/24 212.199.108.0/24 212.199.251.0/24 212.247.93.0/24
deny from 213.136.96.0/19 213.140.62.0/23 213.150.192.0/23 213.154.64.0/19 213.166.160.0/19 213.181.64.0/19 213.185.96.0/21 213.185.106.0/24 213.185.112.0/24 213.185.113.0/26 213.185.113.64/27 213.185.113.96/27 213.185.118.160/27 213.185.118.192/26 213.185.124.0/24 213.187.135.0/24 213.187.145.0/24 213.211.128.0/18 213.211.188.0/24 213.232.96.0/24 213.255.193.0/24 213.255.194.0/24 213.255.195.0/24 213.255.198.0/24 213.255.199.0/24 216.72.104.0/21 216.74.187.0/24 216.118.252.0/24 216.118.253.0/24 216.118.254.0/24 216.129.147.128/28 216.129.159.0/24 216.133.174.0/24 216.139.160.0/19 216.147.132.144/28 216.147.132.160/28 216.147.134.0/24 216.147.159.0/24 216.185.79.0/24 216.236.200.96/28 216.236.202.96/28 216.236.205.0/24 216.236.222.128/26 216.250.195.0/27 216.250.195.64/26 216.250.221.0/24 216.250.222.0/24 216.252.176.0/24 216.252.177.0/24 216.252.231.0/25 216.252.245.0/24 217.10.163.128/26 217.10.163.192/27 217.10.163.224/27 217.10.166.0/26 217.10.166.64/28 217.10.169.0/24 217.10.170.0/24 217.10.171.0/24 217.10.173.0/26 217.10.182.0/27 217.10.184.0/24 217.14.80.0/20 217.15.124.0/25 217.20.240.0/20 217.20.241.0/25 217.20.241.128/29 217.20.241.136/29 217.20.241.144/28 217.20.241.160/29 217.20.241.168/29 217.20.241.176/29 217.20.241.184/29 217.20.241.192/29 217.20.241.200/29 217.20.241.208/29 217.20.242.0/24 217.20.243.16/28 217.20.243.32/27 217.21.64.0/19 217.21.112.0/20 217.78.64.0/20 217.117.0.0/20 217.146.3.144/28 217.146.3.160/28 217.146.3.176/29 217.146.3.224/27 217.146.4.64/26 217.146.5.0/24 217.146.6.0/25 217.146.6.160/27 217.146.7.0/24 217.146.8.0/25 217.146.9.0/24 217.146.10.128/25 217.146.11.0/25 217.146.12.0/24 217.146.13.0/24 217.146.14.0/25 217.146.15.0/25 217.146.16.0/27 217.146.16.32/29 217.168.112.0/20 217.194.140.0/22 217.194.144.0/20 217.212.242.0/23
allow from all
</Files>

lucy24

9:19 pm on Jan 12, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Ouch.

You've got a lot of things smaller than /24 in that list. At that size, odds are overwhelming that you're dealing with a server farm and you should look upstream and block the whole thing. This goes double when it's not even an AfriNIC range.

:: shuffling papers ::

AfriNIC: 41, 102, 105, 154, 196, 197. (I mainly see 41 and 154.) Maybe parts of a few other Early Allocation ranges, but those are most likely to be universities.

Edit with double-take and louder OUCH!
You say "Order deny,allow" so what are all those Deny lines even for? They're going to be overridden by the global "Allow from all".

Further edit:
I wish I knew who was responsible for the <Files *> locution, because it's generally a terrible idea. What you're doing is overriding any and all Files or FilesMatch directives inherited from the server as a whole (the host, if you're on shared hosting). That includes things like "don't let anyone see htaccess ever" and "do let everyone see your 403 document".

[edited by: bill at 12:43 am (utc) on Jan 15, 2016]
[edit reason] fix acronym [/edit]

Egbert Souse

10:18 pm on Jan 12, 2016 (gmt 0)

10+ Year Member



I figured there would be a correct way, and an easier way.
How do I ban the whole country of Nigeria?

I believe I can go here, get a list of CIDRs for Nigeria and then add

<Limit GET HEAD POST>
order deny
deny from #every CIDR line by line
# when done add
allow from all
</Limit>


But I'm sure there is a more effective way that also keeps up to date with new and changed Nigerian CIDRs.

All we have ever gotten from Nigeria are fraudulent orders, and a bunch of you know what's running false and stolen credit card numbers to see if they are good.

lucy24

11:56 pm on Jan 12, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



order deny
Typo, I hope, unless you're angling for a universal 500 error ;) The "order" directive kicks in any time a request matches both conditions (Allow and Deny) or neither condition: in practice, when one side says "all" and the other doesn't. You want "Order Allow,Deny" meaning "let everyone in unless they're on my ###list".

When I've got a list of IPs by country, the first thing I do is pull out everything less than /24 (in fact, anything under /22 is suspect for most ranges, but smaller than /24 just doesn't occur in nature).* Look those up individually and see what's upstream; 19 times out of 20 it's a server farm so you can proceed directly to the whole /20 or /15 or whatever it may be.

Now, if there are some continents you simply don't ship to, you can go ahead with massive denials like "Deny from 41". It's your call whether you want to worry about someone in Durban trying to send a surprise present to their cousin in Basingstoke.


* ([\d.]+/(2[5-9]|3\d)\n) if the list is already in CIDR form.

Egbert Souse

9:52 pm on Jan 14, 2016 (gmt 0)

10+ Year Member



Thank You lucy24
I would prefer not to have to have a list a bazillion CIDRs long with deny from in front of each one.

In checking Nigeria I have found IP CIDR addresses seem to start with a variety of numbers
31
38
41
57
62
66
67
60
70 and more.
And I'm sure there are some other countries that also have CIDRs starting with those numbers.

Too bad there is not a simple "deny from Nigeria" I could set up in Apache :)

So I guess it looks like a giant list of deny's.
Will IPv4 also work with IPv6 and vice versa? Or is there one format better to use than the other?

If it is not too much trouble can you please explain this below:
([\d.]+/(2[5-9]|3\d)\n)

Thank You.

lucy24

11:12 pm on Jan 14, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



31 38 41 57 62 66 67 60 70 and more.

The official list is 41, 102, 105, 154, 196, 197. (Incidentally, when my fingers typed APNIC up above, my brain meant AfriNIC. I've asked the next passing moderator to fix it.) Many of the others are probably server farms.

Too bad there is not a simple "deny from Nigeria"

If you Deny from anything other than a CIDR range or an environmental variable, it forces the server into lookups mode (can't remember if this is the correct term, so don't quote me) which is horribly inefficient and makes a mess of your logs. Besides, some of them may come through in lookups as belonging to the US or Netherlands or wherever the server happens to be located. I strongly suspect-- but, again, don't quote me-- that Nigeria is another of those places like Ukraine that has very few servers of its own, but makes up for it with plenty of infected human computers. So you may be better off blocking on some basis other than IP.

can you please explain this below:
([\d.]+/(2[5-9]|3\d)\n)

Regular Expression search applied to a text string. It means: "a bunch of numbers and periods, slash, and then a number that's in the range 25-29 OR 30-and-up". (The highest possible is actually 32.) For IPv6 there would be a different pattern, but I don't know how you'd structure it. Oh, and if your list isn't on separate lines, omit the final \n. No risk of false positives.

Taking your list from a few posts back and plugging into a text editor, I find about 1/3 of your whole list is tiny ranges. But the question is: from how many of those areas have you actually had offending visitors? No point in making your server slog through a list of 450-plus IPs-- remember, it has to do this on every single request if we're talking htaccess-- if only ten of them are guilty of wrongdoing.

wilderness

1:41 pm on Jan 15, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



41.58.0.0/16 41.66.192.0/18 41.71.128.0/17 41.78.208.0/22 41.85.160.0/19 41.93.128.0/17 41.136.0.0/16 41.138.88.0/22 41.138.160.0/19 41.139.64.0/18 41.155.0.0/17 41.184.0.0/16 41.189.0.0/19 41.189.32.0/19 41.189.96.0/19 41.190.0.0/19 41.190.88.0/22 41.191.84.0/22 41.191.108.0/22 41.194.52.0/22 41.202.0.0/17 41.202.128.0/19 41.202.192.0/19 41.203.64.0/18 41.203.208.0/21 41.203.224.0/20 41.204.0.0/17 41.204.128.0/18 41.204.224.0/19 41.205.0.0/19 41.205.64.0/19 41.205.160.0/19 41.206.0.0/18 41.206.64.0/19 41.207.0.0/19 41.207.160.0/19 41.207.192.0/19 41.208.48.0/23 41.208.128.0/18 41.210.0.0/18 41.210.192.0/18 41.211.0.0/19 41.211.192.0/18 41.212.128.0/17 41.214.0.0/17 41.215.160.0/20 41.216.32.0/19 41.217.0.0/17 41.218.192.0/18 41.219.128.0/17 41.220.0.0/16 41.221.80.0/20 41.221.160.0/20 41.222.0.0/21 41.222.24.0/21 41.222.40.0/21 41.222.64.0/21 41.222.192.0/22 41.223.24.0/22 41.223.64.0/22 41.223.248.0/22 41.242.48.0/19


The following may be more manageable than the above, although the speed will be slightly slower and lucy's statement regarding the approx. 450 server requests will remain.

RewriteCond %{REMOTE_ADDR} ^41\.(58|66|7[18]|85|93)\. [OR]
RewriteCond %{REMOTE_ADDR} ^41\.1(3[689]|55|8[49]|9[14])\. [OR]
RewriteCond %{REMOTE_ADDR} ^41\.2(0[2-8]|1[0124-9]|2[0-4]|30)\.
RewriteRule .* - [F]

These just provided as an example. Not about to 'slosh' through all those IP's and convert!
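Added example, not code from this thread or from any poster in it: a small Python script that does the clean-up lucy24 and wilderness describe above. It applies lucy24's "anything longer than /24 is suspect" check (bare IPs count as /32), merges the remaining adjacent ranges, emits the Deny block with the Order lucy24 recommends, and converts octet-aligned ranges into RewriteCond lines the way wilderness does. The sample list is constructed from a few entries copied from the list posted earlier in the thread; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: a few entries copied from the list posted earlier in this
# thread, plus one bare IP (the posted list contains several) for the check below.
SAMPLE_LIST = """\
41.58.0.0/16
41.189.0.0/19
41.189.32.0/19
63.103.139.64/26
80.88.132.104/29
66.199.241.82
"""

# lucy24's pattern, anchored to one entry per line. A bare IP has no slash, so it
# is caught by its implied /32 prefix length instead.
SMALL_RANGE = re.compile(r"^[\d.]+/(2[5-9]|3\d)$")


def split_small_ranges(text):
    """Return (keep, suspect): anything longer than /24, bare IPs included, is set
    aside for a manual upstream lookup, as the thread advises, not denied as-is."""
    keep, suspect = [], []
    for entry in text.split():
        net = ipaddress.ip_network(entry, strict=False)
        if SMALL_RANGE.match(entry) or net.prefixlen > 24:
            suspect.append(net)
        else:
            keep.append(net)
    return keep, suspect


def htaccess_block(nets):
    """Merge adjacent networks, then emit an Apache 2.2-style block with the Order
    lucy24 recommends: everyone is let in unless they match a Deny line."""
    lines = ["Order Allow,Deny", "Allow from all"]
    for n in ipaddress.collapse_addresses(nets):
        lines.append(f"Deny from {n.with_prefixlen}")
    return "\n".join(lines)


def rewrite_conds(nets):
    """wilderness's alternative for octet-aligned networks (/8, /16, /24): one
    RewriteCond per network. Anything else has to stay a Deny line."""
    conds = []
    for n in nets:
        if n.prefixlen % 8:
            raise ValueError(f"{n} is not octet-aligned")
        octets = str(n.network_address).split(".")[: n.prefixlen // 8]
        conds.append(r"RewriteCond %{REMOTE_ADDR} ^" + r"\.".join(octets) + r"\.")
    return conds
```

Running it on the sample leaves the two /19s merged into one /18 Deny line and reports the /26, /29 and bare IP as ranges to look upstream from before blocking.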

Egbert Souse

8:02 pm on Jan 15, 2016 (gmt 0)

10+ Year Member



Thank You!

I think I will follow lucy24's advice, and when I get a problem from one IP add, I will just ban the whole CIDR and avoid too much thrashing. If it gets overwhelming, then I will look at stronger measures.

And yeah, I get a lot of hack attempts from Ukraine IP's as well.