[Dshield] Help Request

jayjwa jayjwa at atr2.ath.cx
Mon May 16 20:22:02 GMT 2005


On Sun, 15 May 2005, Glenn Jarvis wrote:

-> Hi all,
-> I never had to use this specific method before, but due to circumstances
-> beyond my control, and I really don't wish to explain the whole thing
-> (it would take pages), I need to add IP blocking to my .htaccess file.
-> I think I had the format correct, but when I try it, I get a
-> 500 internal server error.

As far as I know, and what has always worked for me, the Allow/Deny rules 
need to go in a location block, like <Directory "/somewhere">, when used in 
httpd.conf (which is the preferred way), and they can't use the 0.0.0.0/0 
format. Ordering of allow/deny is also important because they are both 
used. I use httpd.conf for my blocking, but these directives supposedly 
work the same from within .htaccess files, as long as the main httpd.conf 
allows the .htaccess files with AllowOverride directives.

ex:

<Directory "/www/root/secret-stuff">
	# Deny rules are checked first; a client matched by none of them
	# is allowed, since there is no Allow line to restrict further.
	Order deny,allow
	# Domain-name patterns match the client's reverse-DNS name on whole
	# components only; 1-3 leading octets match on octet boundaries.
	deny from cn cn.net kr kr.net netvigator.com
	deny from 207.46.98 googlebot.com msn.com
	deny from 222 61 221 inktomi.com
</Directory>

...is mostly open access, but bans some known trouble networks and some 
annoying search bots. If you are blocking a lot of addresses and IP ranges, 
it's much better to use iptables. It's more flexible, and can match based 
on -m iprange --src-range, for example, or on -s 222.0.0.0/8 notation.

The newer netfilter patch-o-matics have some really useful packet-matching 
modules. You might want to check out the Apache docs, particularly 
manual/howto/auth.html.

-- 
1 Copy MS Windows XP...$200; 1 Anti-virus ...$80; 2 3rd
party firewalls....$120; 1 Visa Credit No. Stolen from same
machine when hacked.....$50,000; 2 Anti-Spyware Packages ...
$60; 4 Trips to PC Service Center to remove Adware....$380..
Never worrying about this because I use Linux...Priceless
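
As an added example (not part of this mailing-list post, and not Apache's own
code), the following Python models the Apache 2.2 Order / Allow from / Deny from
decision so that a <Directory> block like the one in the reply above can be
checked offline against sample clients. Assumptions: the sample client
addresses and hostnames are constructed, hostnames are supplied directly
rather than obtained by Apache's reverse-DNS lookup, and only the pattern
forms the post uses ('all', 1-3 leading octets, whole domain-name components)
are implemented. It also runs the same Deny list under Order allow,deny to
show why the ordering matters: with no Allow line, that order refuses every
client. Note that in Apache 2.4 these directives live in mod_access_compat
and Require ip / Require not is the preferred replacement.

```python
"""Toy model of Apache 2.2 mod_authz_host Order / Allow / Deny evaluation.

Added example, not code from the original post or from the Apache project.
It re-implements the documented decision rules so an access-control block
can be tested offline. Hostnames are passed in explicitly because Apache
would obtain them via reverse DNS (assumption for this model).
"""


def _match_one(pattern, ip, hostname):
    """Does one Allow/Deny argument match this client?"""
    if pattern.lower() == "all":
        return True
    octets = pattern.split(".")
    if all(o.isdigit() for o in octets):
        # Full IP or 1-3 leading octets, compared on octet boundaries, so
        # 'deny from 222' covers 222.x.x.x but not 22.x.x.x.
        return ip.split(".")[: len(octets)] == octets
    if hostname is None:
        return False  # no reverse-DNS name available: domain patterns never match
    host = hostname.lower().rstrip(".")
    pat = pattern.lower()
    # Only whole components match: 'googlebot.com' matches
    # crawl-1.googlebot.com, not fakegooglebot.com.
    return host == pat or host.endswith("." + pat)


def _match_any(patterns, ip, hostname):
    return any(_match_one(p, ip, hostname) for p in patterns)


def access_allowed(order, allow, deny, ip, hostname=None):
    """Apply Apache's Order semantics and return True if the client may pass.

    deny,allow : Deny rules first; a match denies unless an Allow also
                 matches. Clients matched by neither are permitted.
    allow,deny : at least one Allow must match, then no Deny may match.
                 Clients matched by neither are refused.
    """
    allowed = _match_any(allow, ip, hostname)
    denied = _match_any(deny, ip, hostname)
    order = order.lower()
    if order == "deny,allow":
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        return allowed and not denied
    raise ValueError("unknown Order: %r" % order)


# The Deny arguments from the <Directory> block in the reply above.
POST_DENY = (
    "cn cn.net kr kr.net netvigator.com "
    "207.46.98 googlebot.com msn.com "
    "222 61 221 inktomi.com"
).split()

# Constructed sample clients (IP, reverse-DNS name or None); not real log data.
SAMPLE_CLIENTS = [
    ("207.46.98.13", None),                      # inside 207.46.98.*
    ("207.46.99.13", None),                      # adjacent /24, not listed
    ("222.10.20.30", None),                      # 'deny from 222'
    ("22.10.20.30", None),                       # octet boundary: 22 != 222
    ("61.1.1.1", None),                          # 'deny from 61'
    ("161.1.1.1", None),                         # 161 != 61
    ("198.51.100.7", "crawl-1.googlebot.com"),   # hostname suffix match
    ("198.51.100.8", "fakegooglebot.com"),       # not a whole component
    ("203.0.113.9", "host.example.cn"),          # 'deny from cn'
]


def evaluate_block(order, allow=(), deny=POST_DENY, clients=SAMPLE_CLIENTS):
    """Return {ip: allowed?} for each sample client under the given Order."""
    return {ip: access_allowed(order, allow, deny, ip, host) for ip, host in clients}


if __name__ == "__main__":
    for order, allow in (("deny,allow", ()), ("allow,deny", ()), ("allow,deny", ("all",))):
        print("Order %s  Allow from %s" % (order, " ".join(allow) or "(none)"))
        for ip, verdict in evaluate_block(order, allow).items():
            print("  %-16s %s" % (ip, "allow" if verdict else "DENY"))
```

Running it prints one verdict table per Order setting; the third run (Order
allow,deny with Allow from all) reproduces the first, which is the
equivalent way to write a deny-list under the other ordering.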
