{"id":2037,"date":"2021-10-10T22:10:33","date_gmt":"2021-10-10T19:10:33","guid":{"rendered":"https:\/\/www.etemkeskin.com\/?p=2037"},"modified":"2021-10-10T23:16:38","modified_gmt":"2021-10-10T20:16:38","slug":"restrict-or-block-ip-to-prevent-hacking-in-laravel","status":"publish","type":"post","link":"https:\/\/www.etemkeskin.com\/index.php\/2021\/10\/10\/restrict-or-block-ip-to-prevent-hacking-in-laravel\/","title":{"rendered":"Full Tutorial To Restrict or Block Ip Address To Prevent Hacking In Laravel"},"content":{"rendered":"\n

There may be malicious users using our applications on the web. These users may either annoy other visitors or want to crash the application using our forms (like SQL injection\u2026). By detecting the ips of such visitors, we can block them at the application level. In this post, I will explain how to prevent malicious users by blacklisting their IPs in Laravel 8, which is the most used PHP framework in web applications.<\/p>\n\n\n\n

Adding the last_login_at and last_login_ip Fields to the User Table<\/h3>\n\n\n\n

First, we will save the time information and ips of the users when they log in to our application in the database. Since the Laravel User model does not initially have these fields, we will add these fields to the User table<\/strong>. For this, we will first create the migration file. We create the migration file by running the following command in Laravel.<\/p>\n\n\n\n

php artisan make:migration add_login_fields_to_users_table<\/code><\/p>\n\n\n\n

class AddLoginFieldsToUsersTable extends Migration\n{\n    \/**\n     * Run the migrations.\n     *\n     * @return void\n     *\/\n    public function up()\n    {\n        Schema::table('users', function (Blueprint $table) {\n            $table->datetime('last_login_at')->nullable();\n            $table->string('last_login_ip')->nullable();\n        });\n    }\n}<\/pre><\/div>\n\n\n\n
We add last_login_at<\/strong> and last_login_ip<\/strong> fields to the migration file and run the php artisan migrate<\/code> command in the terminal.<\/p>\n\n\n\n
In the app\\Models\\User.php <\/strong>model php file, we define the fields we add to the database.<\/p>\n\n\n\n
class User extends Authenticatable\n{\n  protected $fillable = [\n        'name',\n        'email',\n        'password',\n    \t'last_login_at', \n    \t'last_login_ip',\n    ];<\/pre><\/div>\n\n\n\n
In the last step, we override the authenticated method<\/strong> in LoginController <\/strong>to save the ip <\/strong>and login time<\/strong> when the user logs into our web application.<\/p>\n\n\n\n
app\/Http\/Controllers\/Auth\/LoginController.php<\/strong> <\/p>\n\n\n\n
function authenticated(Request $request, $user)\n{\n    $user->update([\n        'last_login_at' => Carbon::now()->toDateTimeString(),\n        'last_login_ip' => $request->getClientIp()\n    ]);\n}<\/pre><\/div>\n\n\n\n
blocked_ips Table <\/h3>\n\n\n\n
Then we will create the blocked_ips<\/strong> table where the ips to be blocked will be kept. For this, we create the php artisan make:migration create_blocked_ips_table<\/code> migration file and define the ip field in it.<\/p>\n\n\n\n
class CreateBlockedIpsTable extends Migration\n{\n    public function up()\n    {\n        Schema::create('blocked_ips', function (Blueprint $table) {\n            $table->id();\n            $table->string('ip')->nullable();\n            $table->timestamps();\n        });\n    }<\/pre><\/div>\n\n\n\n
php artisan migrate<\/code> diyerek tablomuzu olu\u015fturuyoruz.<\/p>\n\n\n\n
We create our table by running php artisan migrate<\/code>.<\/p>\n\n\n\n
class BlockedIps extends Controller\n{\n    protected $fillable = [\n        'ip'\n    ];\n}<\/pre><\/div>\n\n\n\n
We define routes in the routes\/web.php<\/strong> file for the CRUD(create, read, update and delete) operations of this table.<\/p>\n\n\n\n
\t\tRoute::get('blocked_ips', 'BlockedIpsController@getAll')->name('dashboard.blocked_ips');\n\t\tRoute::get('blocked_ips', 'BlockedIpsController@create')->name('dashboard.create_blocked_ip');;\n\t\tRoute::post('blocked_ips', 'BlockedIpsController@store')->name('dashboard.store_blocked_ip');;\n\t\tRoute::delete('blocked_ips\/{id}', 'BlockedIpsController@delete')->name('dashboard.delete_blocked_ip');;<\/pre><\/div>\n\n\n\n
We create our controller with the php artisan make:controller BlockedIps<\/code> <\/code>command. We write the methods we will use in it.<\/p>\n\n\n\n
<?php\nnamespace App\\Http\\Controllers;\n\nuse Illuminate\\Http\\Request;\nuse Illuminate\\Support\\Facades\\Log;\n\nclass BlockedIpsController extends Controller\n{\n    public function getAll(Request $request){\n      \ttry{\n            $blocked_ips = \\App\\BlockedIp::get();\n        }catch(\\Exception $e){\n            Log::error('Error when fetching blocked ips' . $e->getMessage());\n        }\n        return view('blocked_ips', $blocked_ips);\n    }\n  \n  \tpublic function create(Request $request){\n        return view('create_blocked_ip');\n    }\n\n    public function store(Request $request){\n        $params = $request->all();\n      \n        try{\n            $blocked_ip = new \\App\\BlockedIps();\n            $blocked_ip->fill($params);\n            $blocked_ip->save();\n        }catch(\\Exception $e) {\n            Log::error('Admin: new blocked ip error : ' . $e->getMessage());\n        }\n        return redirect()->route('dashboard.blocked_ips');\n    }\n\n    public function delete(Request $request, $id){\n      \t$blocked_ip = \\App\\BlockedIp::find($id);\n \t\ttry{\n                $blocked_ip->delete();\n           }catch(\\Exception $e){\n                Log::error('Admin: delete blocked ip error : ' . $e->getMessage());\n           }\n        return redirect()->route('dashboard.blocked_ips');\n    }\n}<\/pre><\/div>\n\n\n\n
After creating the methods in controller, we create our view<\/strong> files.<\/p>\n\n\n\n
We list the ips in our blocked_ips.blade.php<\/strong> file.<\/p>\n\n\n\n
<h2>Blocked IP list<\/h2>\n    <a href="{{route('dashboard.create_blocked_ip')}}" class="btn btn-success" style="float: right;">Add IP<\/a>\n    <table class="table table-hover">\n        <thead>\n            <tr>\n                <th>IP<\/th>\n                <th><\/th>\n             <\/tr>\n        <\/thead>\n        <tbody>\n             @for($blocked_ips as $blocked_ip)\n                 <tr>\n                     <td>{{$blocked_ip->ip}}<\/td>\n                     <td><a href="{{route('dashboard.delete_blocked_ip', ['id' => $blocked_ip->id])}}" class="btn btn-danger delete-button">Delete<\/a><\/td>\n                 <\/tr>\n             @endfor\n\t\t<\/tbody>\n\t<\/table><\/pre><\/div>\n\n\n\n
We blacklist the ip we want to block with the form in our add_blocked_ip.blade.php<\/strong> file.<\/p>\n\n\n\n
<form action="" method="post" action="{{ route('dashboard.store_blocked_ip') }}">\n      <!-- CROSS Site Request Forgery Protection -->\n      @csrf\n      <div class="form-group">\n      \t<label>Ip<\/label>\n       \t<input type="text" name="ip" required="required" class="form-control" placeholder="___.___.___.___">\n      <\/div>\n      <button type="submit" value="Submit" class="btn btn-dark btn-block">Save<\/button>\n<\/form><\/pre><\/div>\n\n\n\n
RestrictIpMiddleware<\/h3>\n\n\n\n
Now we create middleware<\/strong> to prevent the user whose ip we have detected in the database from entering the application. For this, we run the php artisan make:middleware RestrictIpMiddleware<\/code> command on the terminal screen.<\/p>\n\n\n\n
We add the RestrictIpAddressMiddleware middleware<\/strong> to the $middleware array in the kernel.php<\/strong> file to run it on every request.<\/p>\n\n\n\n
protected $middleware = [\n        \\App\\Http\\Middleware\\TrustProxies::class,\n        \\Fruitcake\\Cors\\HandleCors::class,\n        \\App\\Http\\Middleware\\PreventRequestsDuringMaintenance::class,\n        \\Illuminate\\Foundation\\Http\\Middleware\\ValidatePostSize::class,\n        \\App\\Http\\Middleware\\TrimStrings::class,\n        \\Illuminate\\Foundation\\Http\\Middleware\\ConvertEmptyStringsToNull::class,\n    \t\\App\\Http\\Middleware\\RestrictIpAddressMiddleware::class,\n    ];<\/pre><\/div>\n\n\n\n
RestrictIpAddressMiddleware.php<\/strong><\/p>\n\n\n\n
We prevent unwanted users from using our application by overriding the handle method<\/strong> of middleware as follows.<\/p>\n\n\n\n
<?php\n\nnamespace App\\Http\\Middleware;\n\nuse Closure;\n\nclass RestrictIpAddressMiddleware\n{\n\n    \/\/ Blocked IP addresses\n    public $restrictedIp = [];\n    \n    public function restrictedIp(){\n        $this->restrictedIp = \\App\\BlockedIps::get();\n    }\n    \n    \/**\n     * Handle an incoming request.\n     *\n     * @param  \\Illuminate\\Http\\Request  $request\n     * @param  \\Closure  $next\n     * @return mixed\n     *\/\n    public function handle($request, Closure $next)\n    {\n        $this->restrictedIp();\n        if (in_array($request->ip(), $this->restrictedIp->pluck('ip')->toArray())) {\n            return response()->json(['message' => "You are not allowed to access this site."]);\n        }\n        return $next($request);\n    }\n}\n<\/pre><\/div>\n\n\n\n
Now we can detect the ip of unwanted users and keep them away from our app.<\/p>\n\n\n\n
Good luck …<\/p>\n","protected":false},"excerpt":{"rendered":"
There may be malicious users using our applications on the web. These users may either annoy other visitors or want to crash the application using our forms (like SQL injection\u2026). By detecting the ips of such visitors, we can block them at the application level. In this post, I will explain how to prevent malicious […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[66,2],"tags":[],"yoast_head":"\nFull Tutorial To Restrict or Block Ip Address To Prevent Hacking In Laravel - blog website<\/title>\n<meta name=\"description\" content=\"There may be malicious users using our applications on the web. These users may either annoy other visitors or want to crash the application using our forms (like SQL injection\u2026). By detecting the ips of such visitors, we can block them at the application level. In this post, I will explain how to prevent malicious users by blacklisting their IPs in Laravel 8, which is the most used PHP framework in web applications.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.etemkeskin.com\/index.php\/2021\/10\/10\/restrict-or-block-ip-to-prevent-hacking-in-laravel\/\" \/>\n<meta property=\"og:locale\" content=\"tr_TR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Full Tutorial To Restrict or Block Ip Address To Prevent Hacking In Laravel - blog website\" \/>\n<meta property=\"og:description\" content=\"There may be malicious users using our applications on the web. These users may either annoy other visitors or want to crash the application using our forms (like SQL injection\u2026). By detecting the ips of such visitors, we can block them at the application level. In this post, I will explain how to prevent malicious users by blacklisting their IPs in Laravel 8, which is the most used PHP framework in web applications.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.etemkeskin.com\/index.php\/2021\/10\/10\/restrict-or-block-ip-to-prevent-hacking-in-laravel\/\" \/>\n<meta property=\"og:site_name\" content=\"blog website\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-10T19:10:33+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-10-10T20:16:38+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Tahmini okuma s\u00fcresi\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 dakika\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.etemkeskin.com\/#website\",\"url\":\"https:\/\/www.etemkeskin.com\/\",\"name\":\"blog website\",\"description\":\"Etem KESK\\u0130N\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.etemkeskin.com\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"tr\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.etemkeskin.com\/index.php\/2021\/10\/10\/restrict-or-block-ip-to-prevent-hacking-in-laravel\/#webpage\",\"url\":\"https:\/\/www.etemkeskin.com\/index.php\/2021\/10\/10\/restrict-or-block-ip-to-prevent-hacking-in-laravel\/\",\"name\":\"Full Tutorial To Restrict or Block Ip Address To Prevent Hacking In Laravel - blog website\",\"isPartOf\":{\"@id\":\"https:\/\/www.etemkeskin.com\/#website\"},\"datePublished\":\"2021-10-10T19:10:33+00:00\",\"dateModified\":\"2021-10-10T20:16:38+00:00\",\"author\":{\"@id\":\"https:\/\/www.etemkeskin.com\/#\/schema\/person\/dcbc30282861ce578b96a79ce8789629\"},\"description\":\"There may be malicious users using our applications on the web. These users may either annoy other visitors or want to crash the application using our forms (like SQL injection\\u2026). By detecting the ips of such visitors, we can block them at the application level. In this post, I will explain how to prevent malicious users by blacklisting their IPs in Laravel 8, which is the most used PHP framework in web applications.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.etemkeskin.com\/index.php\/2021\/10\/10\/restrict-or-block-ip-to-prevent-hacking-in-laravel\/#breadcrumb\"},\"inLanguage\":\"tr\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.etemkeskin.com\/index.php\/2021\/10\/10\/restrict-or-block-ip-to-prevent-hacking-in-laravel\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.etemkeskin.com\/index.php\/2021\/10\/10\/restrict-or-block-ip-to-prevent-hacking-in-laravel\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Ana sayfa\",\"item\":\"https:\/\/www.etemkeskin.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Full Tutorial To Restrict or Block Ip Address To Prevent Hacking In Laravel\"}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.etemkeskin.com\/#\/schema\/person\/dcbc30282861ce578b96a79ce8789629\",\"name\":\"etemkeskin\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.etemkeskin.com\/#personlogo\",\"inLanguage\":\"tr\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6af0148b790691ed24ae245fb3dc773b?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/6af0148b790691ed24ae245fb3dc773b?s=96&d=mm&r=g\",\"caption\":\"etemkeskin\"},\"url\":\"https:\/\/www.etemkeskin.com\/index.php\/author\/etemkeskinyahoo-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.etemkeskin.com\/index.php\/wp-json\/wp\/v2\/posts\/2037"}],"collection":[{"href":"https:\/\/www.etemkeskin.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.etemkeskin.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.etemkeskin.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.etemkeskin.com\/index.php\/wp-json\/wp\/v2\/comments?post=2037"}],"version-history":[{"count":90,"href":"https:\/\/www.etemkeskin.com\/index.php\/wp-json\/wp\/v2\/posts\/2037\/revisions"}],"predecessor-version":[{"id":2200,"href":"https:\/\/www.etemkeskin.com\/index.php\/wp-json\/wp\/v2\/posts\/2037\/revisions\/2200"}],"wp:attachment":[{"href":"https:\/\/www.etemkeskin.com\/index.php\/wp-json\/wp\/v2\/media?parent=2037"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.etemkeskin.com\/index.php\/wp-json\/wp\/v2\/categories?post=2037"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.etemkeskin.com\/index.php\/wp-json\/wp\/v2\/tags?post=2037"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}