Last Updated on January 22, 2019 by Aether
How do I safely block Amazon AWS from accessing my website? I received this question via email by a user that is having her website hammered by Amazon AWS IP’s. She operates an e-commerce store and the software she uses has a tool that shows who’s currently accessing her site. Multiple occurrences of Amazon IP addresses are going to her site for what purpose, I don’t know, but she wants to block them. I gave the solution of using Apache’s Access Control to reject the Amazon AWS IP address connection attempts. If your website is getting hammered by bots and you use Apache Webserver then follow these steps to stop the bots in their tracks.
Determine the CIDR Block the IP Address Belongs To
You may skip this part if you only need to block a single address, but if you happen to notice that a lot of the IP addresses are similar then you may want to just block the entire range. In the real world case we needed to block all of the Amazon AWS CIDR’s. Through a quick Google search, I came across a page that had a list of all the current AWS IP ranges. If Amazon is also your problem then you can find the page here.
To find the CIDR of an IP you have a couple options. If you have access to the Linux command-line and whois is installed then you can use that.
[root@server ~]# whois 220.127.116.11
There may be a chance the CIDR is not available and instead you’ll receive the start and end IP addresses, at which point you’ll need to use a CIDR calculator. If you need to use the browser route then here are a couple sites you can use: Whois by IP Address and CIDR Utility Tool. See the examples below.
Add the CIDR Block(s) To .htaccess
If you already have a .htaccess file then you’ll be adding these rules to it, otherwise you will create a new file. For our example we’ll create one from scratch. Open your favorite text editor drop in the text below.
# BLOCK/FORBID AmazonAWS by CIDR Block Order Allow,Deny Deny from 18.104.22.168/15 Allow from all
Add all IP/CIDR Blocks on separate lines preceded with Deny from statements. Save your .htaccess and upload it to your website’s root directory (or other location if necessary). Restarting Apache is not needed as these rules take immediate effect. Any IP/CIDR Blocks set in the rules will now receive a 403 Forbidden.