The FreeBSD Diary
Providing practical examples since 1998
Blocking apache access by host 27 January 2000
If your web server is under attack, but you don't have access to a firewall (perhaps you are hosting your site on someone else's box), you can deny access by host. Here's how.
.htaccess is your friend
The .htaccess file can be used to deny and allow access.
Here is a typical configuration:
    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
For more detail on this, please see the following Apache documentation:
What I did was change the order directive to mutual-failure. According to the documentation, this means "those hosts which appear on the allow list and do not appear on the deny list are granted access", which is what I want.
So here is what you can do:
    <Limit GET POST>
    order mutual-failure
    deny from aa.bb.cc.dd ff.gg.hh.0/24
    allow from all
    </Limit>
This will deny access from the IP address aa.bb.cc.dd and the ff.gg.hh.0/24 subnet.
Be careful with those addresses!
If you are blocking subnets, be sure to use ff.gg.hh.0/24 and not ff.gg.hh.ii/24. In other words, the unspecified parts of the address must be zero. I like being able to specify the IP address and then the mask, mostly because it reminds me of the IP address which caused the problem in the first place.
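One way to catch the subnet mistake described above, as an added example that is not part of the original article: a Python script that scans .htaccess text for deny from entries whose address/mask has host bits set, rewrites them with the host bits zeroed, and records the offending address in a comment line. The sample file, its documentation-range addresses and the function names are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample; addresses come from the RFC 5737 documentation ranges.
SAMPLE_HTACCESS = """\
<Limit GET POST>
order mutual-failure
deny from 192.0.2.17 198.51.100.77/24
deny from 203.0.113.0/255.255.255.0
allow from all
</Limit>
"""

DENY_RE = re.compile(r"^(\s*deny\s+from\s+)(.+)$", re.IGNORECASE)

def normalize(entry):
    """Zero the host bits of an address/mask entry; other forms pass through."""
    if "/" not in entry:
        return entry                      # single IP, partial IP or hostname
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return entry                      # not an address/mask pair; leave alone
    addr = entry.split("/", 1)[0]
    if ipaddress.ip_address(addr) == net.network_address:
        return entry                      # already correct, keep its notation
    return net.with_prefixlen

def fix_htaccess(text):
    """Return (fixed_text, findings); findings are (line_no, bad, good) tuples."""
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), start=1):
        m = DENY_RE.match(line)
        if m:
            entries = m.group(2).split()
            fixed = [normalize(e) for e in entries]
            for bad, good in zip(entries, fixed):
                if bad != good:
                    findings.append((no, bad, good))
                    # Comment line keeps the offending address on record.
                    out.append(f"# {good} was written as {bad}")
            line = m.group(1) + " ".join(fixed)
        out.append(line)
    return "\n".join(out) + "\n", findings

if __name__ == "__main__":
    fixed_text, found = fix_htaccess(SAMPLE_HTACCESS)
    for no, bad, good in found:
        print(f"line {no}: {bad} has host bits set, use {good}")
    print(fixed_text, end="")
```

On Apache 2.4 the order, allow and deny directives are provided by mod_access_compat, and Require is the documented replacement.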