The FreeBSD Diary

Providing practical examples since 1998

Blocking Apache access by host
27 January 2000
If your web server is under attack, but you don't have access to a firewall (perhaps you are hosting your site on someone else's box), you can deny access by host.  Here's how.
.htaccess is your friend
The .htaccess file can be used to deny and allow access.  Here is a typical configuration:
<Limit GET POST>
   order deny,allow
   deny from all
   allow from all
</Limit>

For more detail on this, please see the following Apache documentation:

What I did was change the order directive to mutual-failure, which, according to the documentation, means "those hosts which appear on the allow list and do not appear on the deny list are granted access".  That is what I want.

So here is what you can do:

<Limit GET POST>
   order mutual-failure
   deny from aa.bb.cc.dd  ff.gg.hh.0/24
   allow from all
</Limit>

This will deny access from the IP address aa.bb.cc.dd and the ff.gg.hh.0/24 subnet.

Be careful with those addresses!
If you are blocking subnets, be sure to use ff.gg.hh.0/24 and not ff.gg.hh.ii/24.  In other words, the unspecified parts of the address must be zero.   I like being able to specify the IP address and then the mask, mostly because it reminds me of the IP address which caused the problem in the first place.
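
An added example, not part of the original article: a simplified Python model of how the order directive combines the allow and deny lists. It shows why a deny line added under the typical deny,allow configuration still lets the host in while mutual-failure blocks it, and it rejects subnets whose host bits are not zero. The function names are hypothetical and the addresses are constructed stand-ins for aa.bb.cc.dd and ff.gg.hh.0/24.

```python
import ipaddress

def parse_spec(spec):
    """Parse 'all', a single IP, or a CIDR network whose host bits are zero."""
    if spec == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    # strict=True raises ValueError for e.g. 198.51.100.77/24 (host bits set)
    return ipaddress.ip_network(spec, strict=True)

def matches(client, specs):
    addr = ipaddress.ip_address(client)
    return any(addr in parse_spec(s) for s in specs)

def access_granted(order, allow, deny, client):
    """Simplified model of the order directive (IPv4 specs only, no hostnames)."""
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "deny,allow":
        # Default is allow; an allow match overrides a deny match.
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # Default is deny; host must be on the allow list and not on the deny list.
        return allowed and not denied
    raise ValueError("unknown order: " + order)

def bad_specs(specs):
    """Return the entries that fail the 'host bits must be zero' rule or do not parse."""
    bad = []
    for s in specs:
        try:
            parse_spec(s)
        except ValueError:
            bad.append(s)
    return bad

# Constructed sample values from the documentation address ranges.
DENY = ["192.0.2.10", "198.51.100.0/24"]
ALLOW = ["all"]

if __name__ == "__main__":
    for order in ("deny,allow", "mutual-failure"):
        for client in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
            ok = access_granted(order, ALLOW, DENY, client)
            print(f"{order:15} {client:15} {'granted' if ok else 'denied'}")
    print("rejected specs:", bad_specs(["198.51.100.0/24", "198.51.100.77/24"]))
```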