Drupal 7 included the ability to block specific IP addresses from accessing a site.

This feature was removed from Backdrop core because IP blocking should ideally be done before the traffic reaches the application layer.

To block by IP at the Apache layer, you can add something like the following to the .htaccess file:

<Limit GET HEAD POST>
order deny,allow
deny from 38.101. # To block an IP range
deny from 39.32.0.0/11  # To block an IP block
</LIMIT>

If someone absolutely needs to do IP blocking at the application layer, they can add a few lines into settings.php to kill matching requests. Example follows.

$deny = array("111.111.111", "222.222.222", "333.333.333");
if (in_array ($_SERVER['REMOTE_ADDR'], $deny)) {
   header("location: https://example.com/");
   exit();
}

There are also several contrib modules that can block by IP. We recommend Ban or Autoban.

Introduced in branch: 
1.0.x
Introduced in version: 
1.0.0
Impacts: 
Architects, Administrators, Editors
Module developers
Related Github Issues: 
https://github.com/backdrop/backdrop-issues/issues/1394
https://github.com/backdrop/backdrop-issues/issues/35