Posted to users@httpd.apache.org by David Blomstrom <da...@yahoo.com> on 2004/06/09 10:18:41 UTC

[users@httpd] Blocking Visitors

I'd like to learn how to block certain visitors or
computers from my website. I remember reading that you
could do it with Apache - based on their IP number, I
believe.

Am I correct in stating that every computer has an IP
number? If so, how do I determine what my IP number
is?

Also, what tricks could a visitor use in beating the
block? In other words, imagine I had an online forum
that requires users to register with a username and
password. If I block a visitor (computer) with IP
number 007, that individual could still register if
s/he had a second computer with a different IP number,
right? Is there any way they can register with the
same computer - like through an "anonymizer" or
something? Are there ways they can hide or change
their IP numbers?

Thanks.


	
		

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Blocking Visitors

Posted by Joey Hewitt <jo...@joeyhewitt.com>.
Tim Burden <ti...@burden.ca> wrote:
> I assume you have some kind of automated (free) registration system, and
> that's why you can't just ban by username. If you are banning people from
> your forums or whatever by IP address, they'll get back in the next time
> their IP address changes, which is the next time they dial up, or more
> rarely (but still regularly) if they are on DSL. So even non-geeks will get
> in, without having to do anything special.
>
> A computer can also have more than one IP address at one time, too. And, a
> single IP address can have more than one computer behind it (think masq
> router or proxy). So really there is not much you can tell about the
> identity of a user by his IP address.

I just had an interesting idea.  Perhaps you could fetch NetBIOS usernames,
computer names, and workgroup names, and block based on them.  It's not very
nice to "exploit" this, but whatever they did to deserve being blocked
wasn't nice either. ;)  'Course, that's assuming that your users are silly
enough to run Windows with NetBIOS over TCP/IP and not have a decent
firewall in place.  Actually, I'd be interested in statistics for just how
many web site visitors to a fairly busy site are open to this.  Just my 2
cents...
==Joey

> ----- Original Message -----
> From: "David Blomstrom" <da...@yahoo.com>
> To: <us...@httpd.apache.org>
> Sent: Wednesday, June 09, 2004 12:54 PM
> Subject: Re: [users@httpd] Blocking Visitors
>
>
> > Thanks for all the tips and resources. I'm going to
> > check them out today.
> >
> > One more question. To put it in perspective, let's put
> > the situation in reverse. Suppose I'm the one who's
> > being blocked from a website or forum by an .htaccess
> > file.
> >
> > Aside from purchasing a second computer with a
> > different IP, is there a way for me to beat the system
> > and register with a new username and password?
> >
> > I imagine modifying the .htaccess file would
> > effectively screen 95% of the people I want to screen.
> > I just wondered if it's foolproof - or geekproof.
> >
> > Thanks.




Re: [users@httpd] Blocking Visitors

Posted by Tim Burden <ti...@burden.ca>.
I assume you have some kind of automated (free) registration system, and
that's why you can't just ban by username. If you are banning people from
your forums or whatever by IP address, they'll get back in the next time
their IP address changes, which is the next time they dial up, or more
rarely (but still regularly) if they are on DSL. So even non-geeks will get
in, without having to do anything special.

A computer can also have more than one IP address at one time, too. And, a
single IP address can have more than one computer behind it (think masq
router or proxy). So really there is not much you can tell about the
identity of a user by his IP address.



----- Original Message ----- 
From: "David Blomstrom" <da...@yahoo.com>
To: <us...@httpd.apache.org>
Sent: Wednesday, June 09, 2004 12:54 PM
Subject: Re: [users@httpd] Blocking Visitors


> Thanks for all the tips and resources. I'm going to
> check them out today.
>
> One more question. To put it in perspective, let's put
> the situation in reverse. Suppose I'm the one who's
> being blocked from a website or forum by an .htaccess
> file.
>
> Aside from purchasing a second computer with a
> different IP, is there a way for me to beat the system
> and register with a new username and password?
>
> I imagine modifying the .htaccess file would
> effectively screen 95% of the people I want to screen.
> I just wondered if it's foolproof - or geekproof.
>
> Thanks.


Re: [users@httpd] Blocking Visitors

Posted by Steven Pierce <pa...@speakeasy.net>.

David,

If you are using the same ISP that does not mean by having
a second computer that you will be able to register a new account.
If the person that is blocking you, is blocking an entire range, you
can have a hundred computers and it will make little difference.
So if this person is blocking all 192.168.0.x then unless you get 
an IP address from a NEW ISP you will still be blocked.
Now if the person is just blocking 192.168.0.1 if you can get
192.168.0.2 then you would be OK.  

** Yes I know this is a private IP, using as an example**

I would guess that if the person wants you out bad enough that
they will block a RANGE of IP's. So again a new computer is not
going to help...

*********** REPLY SEPARATOR  ***********

On 6/9/2004 at 9:54 AM David Blomstrom wrote:

>Thanks for all the tips and resources. I'm going to
>check them out today.
>
>One more question. To put it in perspective, let's put
>the situation in reverse. Suppose I'm the one who's
>being blocked from a website or forum by an .htaccess
>file.
>
>Aside from purchasing a second computer with a
>different IP, is there a way for me to beat the system
>and register with a new username and password?
>
>I imagine modifying the .htaccess file would
>effectively screen 95% of the people I want to screen.
>I just wondered if it's foolproof - or geekproof.
>
>Thanks.
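
Added example, not part of the original thread: a small Python model of the single-address versus range block described in the message above, applying `Deny from` rules from an .htaccess file to constructed access-log lines. The .htaccess text, log lines and function names are constructed for illustration, and only the numeric forms of `Deny from` are modelled, under `Order Allow,Deny` with `Allow from all`.

```python
import ipaddress

# Constructed .htaccess files (Apache 1.3/2.0 access directives).
HTACCESS_SINGLE = """\
Order Allow,Deny
Allow from all
Deny from 192.168.0.1
"""
HTACCESS_RANGE = """\
Order Allow,Deny
Allow from all
Deny from 192.168.0
"""

# Constructed access-log lines: the first three stand for one visitor whose
# address changes between visits, the last for an unrelated visitor.
LOG = """\
192.168.0.1 - - [09/Jun/2004:10:00:01 -0700] "POST /forum/register.php HTTP/1.1" 200 512
192.168.0.2 - - [09/Jun/2004:18:30:12 -0700] "POST /forum/register.php HTTP/1.1" 200 512
192.168.7.9 - - [10/Jun/2004:08:02:44 -0700] "POST /forum/register.php HTTP/1.1" 200 512
10.1.2.3 - - [10/Jun/2004:08:05:00 -0700] "GET /forum/ HTTP/1.1" 200 2048
"""


def spec_to_network(spec):
    """Turn one numeric 'Deny from' argument into an IPv4 network."""
    if "/" in spec:
        # CIDR (192.168.0.0/24) or network/netmask (192.168.0.0/255.255.255.0).
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError("not an IPv4 address or partial address: %r" % spec)
    # A partial address such as "192.168.0" covers every host below it.
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network("%s/%d" % (".".join(padded), 8 * len(octets)))


def parse_deny(htaccess):
    """Collect the networks named by every 'Deny from' line."""
    nets = []
    for line in htaccess.splitlines():
        words = line.split()
        if len(words) >= 3 and [w.lower() for w in words[:2]] == ["deny", "from"]:
            nets.extend(spec_to_network(s) for s in words[2:])
    return nets


def evaluate(htaccess, log):
    """Return (client address, blocked?) for each log line.

    With 'Order Allow,Deny' and 'Allow from all', a request is refused
    exactly when its address matches some Deny rule.
    """
    nets = parse_deny(htaccess)
    results = []
    for line in log.splitlines():
        if not line.strip():
            continue
        addr = line.split()[0]
        ip = ipaddress.ip_address(addr)
        results.append((addr, any(ip in net for net in nets)))
    return results


if __name__ == "__main__":
    for name, text in (("single", HTACCESS_SINGLE), ("range", HTACCESS_RANGE)):
        print(name, evaluate(text, LOG))
```

The single-address rule stops only the first request; the range rule also stops the second, but the same visitor arriving from a different network still gets through. On Apache 2.4 the equivalent rule is written with `Require not ip` inside a `<RequireAll>` block.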


Re: [users@httpd] "C is not a recognized protocol"

Posted by Eugene Lee <li...@fsck.net>.
On Wed, Jun 09, 2004 at 06:51:51PM -0700, David Blomstrom wrote:
: 
: <?php include
: ($_SERVER['DOCUMENT_ROOT']."/includes/footer.php"); ?>
: 
: It works fine, but I'm having trouble applying it to
: non-include links. For example, if I change this
: link...
: 
: <a href="../../world/index.php">World</a>
: 
: to this...
: 
: <a href="<?php echo
: $_SERVER['DOCUMENT_ROOT']."world/index.php"?>">World</a>

This won't work.  In PHP, it expects absolute pathnames based on the
real filesystem itself.  Statements like include() and require() and
any file I/O functions will work with absolute pathnames.  But your
HTML file does *not* work with absolute pathnames based on the real
filesystem.  It does work with pathnames that appear to be absolute,
but in reality are relative to the *start* of Apache's document root.

: Does this mean there's something wrong with my virtual
: host set up, or is this a PHP problem?

It's more of a PHP problem, although it is not only a PHP problem.
This difference is between the absolute filesystem pathname vs. the
relative ("document root") pathname that starts from some point
within the absolute pathname filesystem.


-- 
Eugene Lee



Re: [users@httpd] "C is not a recognized protocol"

Posted by Chris <li...@leftbrained.org>.
Try changing

<a href="C:/sites/../../

to

<a href="file://C:\sites\..\..\

Windows *needs* backslashes, and file is the correct protocol (though I think if you *just* change the backslashes it will still work).

Chris


David Blomstrom wrote:

>OK, I want to start from square one, so you'll know
>exactly where I'm "coming from." If it sounds like a
>PHP question at first, just bear with me.
>
>An error message I received in ZendStudio suggested
>that my include links were a security risk and that I
>switch to "constant" include links. After asking
>around on several forums, I finally wound up with this
>replacement:
>
><?php include
>($_SERVER['DOCUMENT_ROOT']."/includes/footer.php"); ?>
>
>It works fine, but I'm having trouble applying it to
>non-include links. For example, if I change this
>link...
>
><a href="../../world/index.php">World</a>
>
>to this...
>
><a href="<?php echo
>$_SERVER['DOCUMENT_ROOT']."world/index.php"?>">World</a>
>
>then preview my page, I see this in the source code:
>
><a href="C:/sites/../../world/index.php">World</a>
>
>That looks pretty logical, but when I click the link,
>I receive an error message that says "C is not a
>registered protocol."
>
>Does this mean there's something wrong with my virtual
>host set up, or is this a PHP problem?
>
>Thanks.


[users@httpd] "C is not a recognized protocol"

Posted by David Blomstrom <da...@yahoo.com>.
OK, I want to start from square one, so you'll know
exactly where I'm "coming from." If it sounds like a
PHP question at first, just bear with me.

An error message I received in ZendStudio suggested
that my include links were a security risk and that I
switch to "constant" include links. After asking
around on several forums, I finally wound up with this
replacement:

<?php include
($_SERVER['DOCUMENT_ROOT']."/includes/footer.php"); ?>

It works fine, but I'm having trouble applying it to
non-include links. For example, if I change this
link...

<a href="../../world/index.php">World</a>

to this...

<a href="<?php echo
$_SERVER['DOCUMENT_ROOT']."world/index.php"?>">World</a>

then preview my page, I see this in the source code:

<a href="C:/sites/../../world/index.php">World</a>

That looks pretty logical, but when I click the link,
I receive an error message that says "C is not a
registered protocol."

Does this mean there's something wrong with my virtual
host set up, or is this a PHP problem?

Thanks.


	
		


Re: [users@httpd] Blocking Visitors

Posted by David Blomstrom <da...@yahoo.com>.
Thanks for all the tips and resources. I'm going to
check them out today.

One more question. To put it in perspective, let's put
the situation in reverse. Suppose I'm the one who's
being blocked from a website or forum by an .htaccess
file.

Aside from purchasing a second computer with a
different IP, is there a way for me to beat the system
and register with a new username and password?

I imagine modifying the .htaccess file would
effectively screen 95% of the people I want to screen.
I just wondered if it's foolproof - or geekproof.

Thanks.



	
		


Re: [users@httpd] Blocking Visitors

Posted by Thomas Gabrielsen <ap...@arton.no>.
>
> I have no idea how to find your real IP.
>

http://www.myip.com



> ----- Original Message ----- 
> From: "David Blomstrom" <da...@yahoo.com>
> To: <us...@httpd.apache.org>
> Sent: Wednesday, June 09, 2004 4:18 AM
> Subject: [users@httpd] Blocking Visitors
>
>
> > I'd like to learn how to block certain visitors or
> > computers from my website. I remember reading that you
> > could do it with Apache - based on their IP number, I
> > believe.
> >
> > Am I correct in stating that every computer has an IP
> > number? If so, how do I determine what my IP number
> > is?
> >
> > Also, what tricks could a visitor use in beating the
> > block? In other words, imagine I had an online forum
> > that requires users to register with a username and
> > password. If I block a visitor (computer) with IP
> > number 007, that individual could still register if
> > s/he had a second computer with a different IP number,
> > right? Is there any way they can register with the
> > same computer - like through an "anonymizer" or
> > something? Are there ways they can hide or change
> > their IP numbers?
> >
> > Thanks.


Re: [users@httpd] Blocking Visitors

Posted by "Barth (John) Jones" <mu...@alltel.net>.
David, here are some links to instructions regarding .htaccess:

https://bama.ua.edu/manual/howto/auth.html

https://bama.ua.edu/manual/howto/htaccess.html

I recently succeeded incorporating .htaccess into my site and I'm brand new
with Apache so it's not too hard.  You just have to do the research.

You can use two IPs for your local computer: http://localhost or
http://127.0.0.1

This address can be used from your browser to access the index if your local
computer is also serving your website (if you have an index--if not just
trail with /filepath/file.whatever).  This makes developing your site a lot
smoother because you don't have to upload your pages every time you want to
test them.

I have no idea how to find your real IP.

----- Original Message ----- 
From: "David Blomstrom" <da...@yahoo.com>
To: <us...@httpd.apache.org>
Sent: Wednesday, June 09, 2004 4:18 AM
Subject: [users@httpd] Blocking Visitors


> I'd like to learn how to block certain visitors or
> computers from my website. I remember reading that you
> could do it with Apache - based on their IP number, I
> believe.
>
> Am I correct in stating that every computer has an IP
> number? If so, how do I determine what my IP number
> is?
>
> Also, what tricks could a visitor use in beating the
> block? In other words, imagine I had an online forum
> that requires users to register with a username and
> password. If I block a visitor (computer) with IP
> number 007, that individual could still register if
> s/he had a second computer with a different IP number,
> right? Is there any way they can register with the
> same computer - like through an "anonymizer" or
> something? Are there ways they can hide or change
> their IP numbers?
>
> Thanks.


RE: [users@httpd] Blocking Visitors

Posted by Koen Vingerhoets <ko...@ubench.be>.
Hi,

every computer with a network card has an IP.
If no cable connected, or when badly configured, MS (I assume that's what
most people use) assigns an address in the 169.x.x.x range.
On local networks, you can use 192.168.x.x.  VPN networks usually use
10.x.x.x
When connected to the internet, you can compare the PC to your house.
Your address consists of country, community, street, number
Your IP is your address, with each number narrowing down the range.

To beat the block:
- use a modem, different IP every time
- use a proxy(chain), different IP

Hiding/changing is usually called spoofing.  While many tools are available
(google), you can only completely spoof your IP on Unix.

Koen


-----Original Message-----
From: David Blomstrom [mailto:david_blomstrom@yahoo.com]
Sent: Wednesday, June 09, 2004 10:19 AM
To: users@httpd.apache.org
Subject: [users@httpd] Blocking Visitors


I'd like to learn how to block certain visitors or
computers from my website. I remember reading that you
could do it with Apache - based on their IP number, I
believe.

Am I correct in stating that every computer has an IP
number? If so, how do I determine what my IP number
is?

Also, what tricks could a visitor use in beating the
block? In other words, imagine I had an online forum
that requires users to register with a username and
password. If I block a visitor (computer) with IP
number 007, that individual could still register if
s/he had a second computer with a different IP number,
right? Is there any way they can register with the
same computer - like through an "anonymizer" or
something? Are there ways they can hide or change
their IP numbers?

Thanks.



