The FreeBSD Diary

Providing practical examples since 1998

If you buy from Amazon USA, please support us by using this link.

Things look quiet here. But I've been doing a lot of blogging at dan.langille.org because I prefer WordPress now. Not all my posts there are FreeBSD related. I am in the midst of migrating The FreeBSD Diary over to WordPress (and you can read about that here). Once the migration is completed, I'll move the FreeBSD posts into the new FreeBSD Diary website.

Blocking apache access by host 27 January 2000

Need more help on this topic? Click here
This article has no comments
Show me similar articles

If your web server is under attack, but you don't have access to a firewall (perhaps you are hosting your site on someone else's box), you can deny access by host. Here's how.

.htaccess is your friend

The .htacess file can be used to deny and allow access. Here is a typical configuration:

<Limit GET POST>
   order deny,allow
   deny from all
   allow from all
</Limit>

For more detail on this, please see the following Apache documentation:

What I did was change the order directive to be mutual-failure. Which, according to the documentation, "those hosts which appear on the allow list and do not appear on the deny list are granted access". Which is what I want.

So here is what you can do:

<Limit GET POST>
   order mutual-failure
   deny from aa.bb.cc.dd  ff.gg.hh.0/24
   allow from all
</Limit>

This will deny access from the IP address aa.bb.cc.dd and the ff.gg.hh.0/24 subnet.

Be careful with those addresses!

If you are blocking subnets, be sure to use ff.gg.hh.0/24 and not ff.gg.hh.ii/24. In order words, the non specified parts of the address must be zero. I like being able to specify the IP address and then the mask, mostly because it reminds me of the IP address which caused the problem in the first place.

Need more help on this topic? Click here
This article has no comments
Show me similar articles