Posted to users@httpd.apache.org by Norman Peelman <np...@cfl.rr.com> on 2011/01/14 02:40:45 UTC

[users@httpd] How to properly block IP ranges server wide?

Hello all,

  I've got a server with name based virtualhosts. I am getting spammers 
from various countries and would like to block these IP ranges. But I 
can't seem to figure out how to block them. How can I block them by 
default for the entire server? Where do I put the:

<Directory>
    Order Allow,Deny
    Allow from all
    Deny from ip range
    ...
    Deny from ip range
</Directory>


  I've tried putting them in the main apache.conf and in an .htaccess 
file (in a vh) but I still see the spammers logging on and spamming from 
IPs in the list.

Thanks for any help steering me in the right direction.

Norm

-- 
Norman Registered Linux user #461062 -Have you been to www.apache.org yet?-

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] How to properly block IP ranges server wide?

Posted by Eric Covener <co...@gmail.com>.
> So your rule doesn't block anything, because you have an 'allow all'. So
> either change the order to 'Order deny,allow' or remove the 'allow from all'
> line.

The pseudo-config he had is actually correct and "Order deny,allow"
with the rest of his config would be incorrect.



Re: [users@httpd] How to properly block IP ranges server wide?

Posted by Norman Peelman <np...@cfl.rr.com>.
Joost de Heer wrote:
> On 01/14/2011 02:40 AM, Norman Peelman wrote:
>> Hello all,
>>
>> I've got a server with name based virtualhosts. I am getting spammers from
>> various countries and would like to block these IP ranges. But I can't seem to
>> figure out how to block them. How can I block them by default for the entire
>> server? Where do I put the:
>>
>> <Directory>
>> Order Allow,Deny
>> Allow from all
>> Deny from ip range
>> ...
>> Deny from ip range
>> </Directory>
>
> http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order
>
> Allow,Deny
>     First, all Allow directives are evaluated; at least one must 
> match, or the request is rejected. Next, all Deny directives are 
> evaluated. If any matches, the request is rejected. Last, any requests 
> which do not match an Allow or a Deny directive are denied by default.
>
> So your rule doesn't block anything, because you have an 'allow all'. 
> So either change the order to 'Order deny,allow' or remove the 'allow 
> from all' line.
>
> If you really want to block IP addresses so they can't even reach your 
> webserver, you should use a firewall.
>
> Joost
>
Thanks all, wasn't really sure what was going on here... I will take a 
look at setting up a proper firewall (iptables).


-- 
Norman Registered Linux user #461062 AMD64X2 6400+ Ubuntu 8.04 64bit



Re: [users@httpd] How to properly block IP ranges server wide?

Posted by Joost de Heer <jo...@sanguis.xs4all.nl>.
On 01/14/2011 02:40 AM, Norman Peelman wrote:
> Hello all,
>
> I've got a server with name based virtualhosts. I am getting spammers from
> various countries and would like to block these IP ranges. But I can't seem to
> figure out how to block them. How can I block them by default for the entire
> server? Where do I put the:
>
> <Directory>
> Order Allow,Deny
> Allow from all
> Deny from ip range
> ...
> Deny from ip range
> </Directory>

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order

Allow,Deny
     First, all Allow directives are evaluated; at least one must match, or the 
request is rejected. Next, all Deny directives are evaluated. If any matches, 
the request is rejected. Last, any requests which do not match an Allow or a 
Deny directive are denied by default.

So your rule doesn't block anything, because you have an 'allow all'. So either 
change the order to 'Order deny,allow' or remove the 'allow from all' line.

If you really want to block IP addresses so they can't even reach your 
webserver, you should use a firewall.

Joost
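
Added example (not part of any message in this thread): a small Python model of the mod_authz_host 2.2 Order evaluation, run against the three variants discussed above. The Allow,Deny rule is the text quoted in the thread; the Deny,Allow rule (a Deny match is overridden by an Allow match, default allow) is from the same documentation page. The deny ranges and client addresses are constructed documentation-only values, and only "all" and CIDR forms are modelled.

```python
import ipaddress

# Constructed sample data: documentation-only ranges (RFC 5737), not from the thread.
DENY_RANGES = ["192.0.2.0/24", "198.51.100.0/24"]


def matches(client, specs):
    """True if the client IP matches 'all' or any CIDR in specs.

    Hostnames and partial-IP forms that Allow/Deny also accept are not modelled.
    """
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all" or addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def access_allowed(order, allow, deny, client):
    """Apply the 2.2 Order rules to one client address."""
    allowed = matches(client, allow)
    denied = matches(client, deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # An Allow must match and no Deny may match; default is deny.
        return allowed and not denied
    if order == "deny,allow":
        # A Deny match is overridden by an Allow match; default is allow.
        return allowed or not denied
    raise ValueError("unknown Order value: " + order)


def compare(client):
    """Decision for the three variants discussed in the thread."""
    return {
        "Allow,Deny + Allow from all": access_allowed("Allow,Deny", ["all"], DENY_RANGES, client),
        "Deny,Allow + Allow from all": access_allowed("Deny,Allow", ["all"], DENY_RANGES, client),
        "Allow,Deny, no Allow line": access_allowed("Allow,Deny", [], DENY_RANGES, client),
    }


if __name__ == "__main__":
    for ip in ("192.0.2.55", "203.0.113.9"):
        print(ip, compare(ip))
```
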



Re: [users@httpd] How to properly block IP ranges server wide?

Posted by Nilesh Govindarajan <ni...@itech7.com>.
On 01/14/2011 07:10 AM, Norman Peelman wrote:
> Hello all,
>
>  I've got a server with name based virtualhosts. I am getting spammers 
> from various countries and would like to block these IP ranges. But I 
> can't seem to figure out how to block them. How can I block them by 
> default for the entire server? Where do I put the:
>
> <Directory>
>    Order Allow,Deny
>    Allow from all
>    Deny from ip range
>    ...
>    Deny from ip range
> </Directory>
>
>
>  I've tried putting them in the main apache.conf and in an .htaccess 
> file (in a vh) but I still see the spammers logging on and spamming 
> from IPs in the list.
>
> Thanks for any help steering me in the right direction.
>
> Norm
>

You could use mod_geoip, though I have never tried it.
I have written an article on the same thing, blocking IPs by country 
for the whole server, not only Apache, at 
http://www.itech7.com/Firewall/Blocking-IPs-by-country-using-IPSet-and-IPTables
In case you choose the second one, just ensure that you run depmod after 
make install. If the ipset command says 'module not found' or something 
similar, run modprobe ip_set and add ip_set to the list of modules to be 
loaded on boot.

[Sorry, I'm not advertising my website; it's an original article]

-- 
Regards,
Nilesh Govindarajan
Facebook: http://www.facebook.com/nilesh.gr
Twitter: http://twitter.com/nileshgr
Website: http://www.itech7.com
VPS Hosting: http://www.itech7.com/a/vps




Re: [users@httpd] How to properly block IP ranges server wide?

Posted by Igor Galić <i....@brainsware.org>.
----- "Norman Peelman" <np...@cfl.rr.com> wrote:

> Hello all,
> 
>   I've got a server with name based virtualhosts. I am getting
> spammers 
> from various countries and would like to block these IP ranges. But I
> can't seem to figure out how to block them. How can I block them by 
> default for the entire server? Where do I put the:

Going from the subject and your description, I'd say:
Layer 3, Firewall.

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
