Posted to dev@community.apache.org by syscon edm <sy...@gmail.com> on 2021/02/10 22:53:35 UTC

Apache 2.4 - deny access to IP's that are not ban

I run apache-2.4.46 on linux

In .htaccess file I have a long list of IP-subnets (over 500-subnets)
that I ban (mostly spammers).
But I've noticed that my .htaccess prevents access to customers from IPs
that are not on the ban list.

In the .htaccess the IPs are listed in numerical order, e.g.:
<Files history.txt>
        Require all denied
</Files>

<RequireAll>
Require all granted

# block spammers:
...
Require not ip 152.32.186.0/24
Require not ip 157.230.0.0/16
Require not ip 157.7.160.0/22
Require not ip 158.255.128.0/19
...
</RequireAll>

apache log:
157.55.39.252 - - [09/Feb/2021:17:04:33 -0700] "GET /product_info.php HTTP/1.1" 403 199

The above user is from Microsoft Network
CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
that does not appear on my list.

So why is my configuration blocking that user?

The apache .htaccess just blocked IP: 159.14.184.11
this is "Organization: The Children's Hospital of philadelphia"
CIDR: 159.14.0.0/16

and that CIDR is not on my list, why is apache locking it?
Do these IP subnets need to be sorted in order for them to work correctly?

I can post them here if somebody wants to test it, if it is OK. They
are just subdomains, not individual IPs.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
For additional commands, e-mail: dev-help@community.apache.org


Re: Apache 2.4 - deny access to IP's that are not ban

Posted by Travis Rodman <tr...@apple.com.INVALID>.
You're totally welcome!



Re: Apache 2.4 - deny access to IP's that are not ban

Posted by syscon edm <sy...@gmail.com>.
Thank you, THANK YOU Travis, it worked perfectly. It is the first
time I received such a detailed instruction that would work without
any hitch.
Every time I run this code I will remember you :-) Thank you again.



Re: Apache 2.4 - deny access to IP's that are not ban

Posted by Travis Rodman <tr...@apple.com.INVALID>.
Hi Syscon,

From bash/zsh:

1. install leiningen (https://leiningen.org)
2. `cd /file/location/you/store/project/sources`
3. run `lein new htaccess`
   (this will create a folder and project stub)
4. `cat /code/from/the/email > htaccess/src/htaccess/core.clj`
5. `cd htaccess`
6. `lein repl`

on my machine, this gives me a prompt that looks like this:
------------------------------------------------------------------------------
nREPL server started on port 63648 on host 127.0.0.1 - nrepl://127.0.0.1:63648
REPL-y 0.4.4, nREPL 0.6.0
Clojure 1.8.0
OpenJDK 64-Bit Server VM 1.8.0_265-b01
    Docs: (doc function-name-here)
          (find-doc "part-of-name-here")
  Source: (source function-name-here)
 Javadoc: (javadoc java-object-or-class-here)
    Exit: Control+D or (exit) or (quit)
 Results: Stored in vars *1, *2, *3, an exception in *e

htaccess.core=>
------------------------------------------------------------------------------

at "htaccess.core=>" you can paste in:
(return-matching-blocks "ip.of.my.interest" "/path/to/my/htaccess")

It will return a list of all the matching ip/masks from the lines that contain "Require not ip ".
Let me know if you would like me to clarify any of the instructions.

Alright, that's it. Good luck with managing that list.

Best Regards,
Travis



Re: Apache 2.4 - deny access to IP's that are not ban

Posted by syscon edm <sy...@gmail.com>.
Thanks Travis, I'm surprised; there is a lot I have to learn when it
comes to IP matching to CIDR.
I was under the impression that by just looking at the beginning of the CIDR
address I would be able to find the match. How wrong I was :-/

Now, I can install * dev-lang/clojure on Linux.
How do I run that code you gave me from the command line?
I suppose I need to put it into a file, now which part?

Thanks,
Joseph



Re: Apache 2.4 - deny access to IP's that are not ban

Posted by Travis Rodman <tr...@apple.com.INVALID>.
Hi Syscon,

Okay, so I wrote up a little program to parse your .htaccess file, and this comes back as a match:
212.129.0.0/1

Here is the code (Clojure), so you can parse any future mystery rejections, if you like.
----------------------------------------------------------------------------------------------------------------------------------------------------
(ns htaccess.core
  (:require clojure.string
            clojure.java.io))

;; "a.b.c.d/n" -> ("a" "b" "c" "d" "n"); an address without "/n" is treated as /32
(defn parse-ip [s]
  (let [v (clojure.string/split s #"/")]
    (flatten
      (if (< (count v) 2)
        [(clojure.string/split (get v 0) #"\.") "32"]
        [(clojure.string/split (get v 0) #"\.") (get v 1)]))))

;; one decimal octet -> 8-character binary string, e.g. "157" -> "10011101"
;; (left-pad the binary digits to 8 characters, then turn the padding into zeros)
(defn convert-str-to-binary-str [s]
  (clojure.string/replace
    (format "%8s" (java.lang.Integer/toBinaryString
                    (java.lang.Integer/parseUnsignedInt (clojure.string/trim s))))
    " " "0"))

;; prefix length n -> 32-character netmask string: n ones followed by (32 - n) zeros
(defn convert-mask-to-binary-str [s]
  (let [m (java.lang.Integer/parseUnsignedInt (clojure.string/trim s))
        m (if (< 32 m) 32 m)
        l0 (repeatedly m (fn [] 1))
        l1 (repeatedly (- 32 m) (fn [] 0))
        v  (apply str (flatten [l0 l1]))]
    v))

;; 32-character binary string -> int holding the same bit pattern
(defn binary-string-to-int [s] (java.lang.Integer/parseUnsignedInt (clojure.string/trim s) 2))

;; true when address p and rule m ("a.b.c.d/n") agree on every bit covered by m's mask
(defn masked? [p m]
  (let [s0  p
        s1  m
        p0  (parse-ip s0)
        p1  (parse-ip s1)
        v0  (apply str (map convert-str-to-binary-str (take 4 p0)))
        v1  (apply str (map convert-str-to-binary-str (take 4 p1)))
        m   (convert-mask-to-binary-str (last p1))
        im  (binary-string-to-int m)
        iv0 (binary-string-to-int v0)
        iv1 (binary-string-to-int v1)]
    (= (bit-and im iv0) (bit-and im iv1))))

;; read file s and return the address/mask from every line containing "Require not ip "
(defn get-mask-data [s]
  (map (fn [s] (clojure.string/replace s "Require not ip " ""))
    (filter (fn [s] (clojure.string/includes? s "Require not ip "))
      (with-open [rdr (clojure.java.io/reader s)]
        (doall (line-seq rdr))))))

;; all rules in htaccess file f that match address p
(defn return-matching-blocks [p f] (filter (fn [a] (masked? p a)) (get-mask-data f)))

;(return-matching-blocks "1.202.0.0" "/Users/travis/data/projects/clojure/htaccess/resources/htaccess_backup")
;(return-matching-blocks "159.14.184.11" "/Users/travis/data/projects/clojure/htaccess/resources/htaccess_backup")
;("212.129.0.0/1")
----------------------------------------------------------------------------------------------------------------------------------------------------

If you have other IPs that are a mystery, and don't know how to set up Clojure, you can just send them my way, I can easily re-run this. I'm not 
going to chuck the code any time soon.

HTH,
Travis
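
Added example (not part of the original thread and not Travis's code): the same lookup in Python with the standard `ipaddress` module, extended with a lint pass that flags rules whose written address has host bits set or whose prefix is very short, which is how `212.129.0.0/1` covers 159.14.184.11. The sample file is constructed from the rules quoted in this thread; the function names and the `min_prefix=8` threshold are assumptions, and only full addresses, CIDR and netmask forms are parsed.

```python
import ipaddress
import re

# Constructed sample: the rules quoted in the thread plus the /1 entry the
# Clojure tool reported as the match.
SAMPLE_HTACCESS = """\
<RequireAll>
Require all granted
# block spammers:
Require not ip 152.32.186.0/24
Require not ip 157.230.0.0/16
Require not ip 157.7.160.0/22
Require not ip 158.255.128.0/19
Require not ip 212.129.0.0/1
</RequireAll>
"""

# Lines starting with '#' do not match, so commented-out rules are skipped.
RULE_RE = re.compile(r"^\s*Require\s+not\s+ip\s+(.+?)\s*$", re.IGNORECASE)


def parse_rules(text):
    """Return (line number, spec as written, network or None) per listed address."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m.group(1).split():  # one directive may list several specs
            try:
                # strict=False masks off host bits, the same comparison the
                # thread's tool performs (both sides ANDed with the netmask).
                net = ipaddress.ip_network(spec, strict=False)
            except ValueError:
                net = None  # e.g. a partial address such as "10.1"
            rules.append((lineno, spec, net))
    return rules


def matching_rules(ip, rules):
    """Rules whose effective network contains ip, as (line number, spec)."""
    addr = ipaddress.ip_address(ip)
    return [(ln, spec) for ln, spec, net in rules
            if net is not None and net.version == addr.version and addr in net]


def suspicious_rules(rules, min_prefix=8):
    """Flag rules that probably block more than their author intended."""
    findings = []
    for ln, spec, net in rules:
        if net is None:
            findings.append((ln, spec, "not a full address, CIDR or netmask"))
            continue
        reasons = []
        written = ipaddress.ip_interface(spec).ip
        if written != net.network_address:
            reasons.append(f"host bits set, effective network is {net}")
        if net.version == 4 and net.prefixlen < min_prefix:
            reasons.append(f"/{net.prefixlen} covers {net.num_addresses} addresses")
        if reasons:
            findings.append((ln, spec, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HTACCESS)
    for ip in ("157.55.39.252", "159.14.184.11"):
        print(ip, "is matched by", matching_rules(ip, rules))
    for ln, spec, why in suspicious_rules(rules):
        print(f"line {ln}: {spec}: {why}")
```

Running the lint pass over a long ban list before deploying it catches a mistyped prefix without waiting for a customer's 403 to show up in the access log.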




Re: Apache 2.4 - deny access to IP's that are not ban

Posted by Travis Rodman <tr...@apple.com.INVALID>.
Thanks, I got it... I will get back to you.

Regards,
Travis



Re: Apache 2.4 - deny access to IP's that are not ban

Posted by syscon edm <sy...@gmail.com>.
Thank you, I sent you the .htaccess file to the email address you provided.

On Wed, Feb 10, 2021 at 5:33 PM Travis Rodman <tr...@apple.com.invalid> wrote:
>
> Hi syscon edm,
>
> So, I guess I am confused, first by mis-associating the CIDR values, and about this statement:
> "In .htaccess file I have a long list of IP-subnets (over 500-subnets) that I ban (mostly spammers)."
>
> So, I suppose I would need to see all the blocked subnets in your .htaccess to compare them.
>
> If you want to post them, I don't mind looking at them a bit later (you can DM me, trodman@apple.com)
>
> But, yes, given this snippet:
> > Require not ip 152.32.186.0/24
> > Require not ip 157.230.0.0/16
> > Require not ip 157.7.160.0/22
> > Require not ip 158.255.128.0/19
>
> and this address:
> 157.55.39.252
>
> I don't see the address being blocked in the .htaccess set you've shown.
>
> If you send your list of blocks, I don't mind coding up an analysis of the addresses, it should only take a few minutes.
>
> Regards,
> Travis
>
> On Wed, Feb 10, 2021 at 04:57:47PM -0700, syscon edm wrote:
> > Thanks for the input Travis.  Maybe I wasn't clear.
> > I was blocking in .htaccess only:
> > ....
> > Require not ip 152.32.186.0/24
> > Require not ip 157.230.0.0/16
> > Require not ip 157.7.160.0/22
> > Require not ip 158.255.128.0/19
> > ....
> >
> > These CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14  (are not on
> > my list in .htaccess)
> > I just pull them up with "whois" to investigate.
> >
> > So how does IP apache blocked: "157.55.39.252" matches what I had in
> > my .htaccess file?
> >
> > On Wed, Feb 10, 2021 at 4:25 PM Travis Rodman <tr...@apple.com.invalid> wrote:
> > >
> > > given this...
> > > ---------------------------------------------------------------------
> > > apache log:
> > > 157.55.39.252 - - [09/Feb/2021:17:04:33 -0700] "GET /product_info.php
> > > HTTP/1.1" 403 199
> > >
> > > The above user is from Microsoft Network
> > > CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
> > > that does not appear on my list.
> > >
> > > So why my configuration is blocking that user?
> > >
> > > The apache .htaccess just blocked IP: 159.14.184.11
> > > this is "Organization: The Children's Hospital of philadelphia"
> > > CIDR: 159.14.0.0/16
> > > ---------------------------------------------------------------------
> > >
> > > using this to calculate the binary and the masks...
> > > echo "obase=2;$ip" | bc
> > >
> > > this:
> > > echo "obase=2;157" | bc
> > > echo "obase=2;54" | bc
> > > echo "obase=2;56" | bc
> > > echo "obase=2;60" | bc
> > >
> > > converts to this:
> > > 157 10011101
> > > 60  00111100
> > > 54  00110110
> > > 56  00111000
> > >
> > > 157 | 10011101
> > > 55  | 00110111
> > > 39  | 00100111
> > > 252 | 11111100
> > >
> > > 10011101.00110111.00100111.11111100
> > >
> > > and doing the same with your CIDR masks against the input IP
> > > 157  60  | 10011101.00111100|.00000000.00000000
> > >            10011101.00110111|.00100111.11111100
> > >
> > > 157  54  | 10011101.0011011|0.00000000.00000000
> > >            10011101.0011011|1.00100111.11111100
> > >
> > > 157  56  | 10011101.001110|00.00000000.00000000
> > >            10011101.001101|11.00100111.11111100
> > >
> > > 157 | 10011101
> > > 55  | 00110111
> > > 39  | 00100111
> > > 252 | 11111100
> > >
> > > 10011101.00110111.00100111.11111100
> > >
> > > shows this is the matching (rejecting) IP and mask
> > > this is the matching subnet:
> > > 157  54  | 10011101.0011011|0.00000000.00000000
> > >            10011101.0011011|1.00100111.11111100
> > >
> > > so, your 157.54.0.0/15 rule is matching (rejecting) 157.55.39.252
> > >
> > > HTH,
> > > Travis
> > >
> > > On Wed, Feb 10, 2021 at 03:53:35PM -0700, syscon edm wrote:
> > > > I run apache-2.4.46 on linux
> > > >
> > > > In .htaccess file I have a long list of IP-subnets (over 500-subnets)
> > > > that I ban (mostly spammers).
> > > > But I've notices that my .htaccess prevent access to customers from IP
> > > > that are not on the ban list.
> > > >
> > > > In the .htaccess the IP's are listed in numerical order, eg.:
> > > > <Files history.txt>
> > > >         Require all denied
> > > > </Files>
> > > >
> > > > <RequireAll>
> > > > Require all granted
> > > >
> > > > # block spammers:
> > > > ...
> > > > Require not ip 152.32.186.0/24
> > > > Require not ip 157.230.0.0/16
> > > > Require not ip 157.7.160.0/22
> > > > Require not ip 158.255.128.0/19
> > > > ...
> > > > </RequireAll>
> > > >
> > > > apache log:
> > > > 157.55.39.252 - - [09/Feb/2021:17:04:33 -0700] "GET /product_info.php
> > > > HTTP/1.1" 403 199
> > > >
> > > > The above user is from Microsoft Network
> > > > CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
> > > > that does not appear on my list.
> > > >
> > > > So why my configuration is blocking that user?
> > > >
> > > > The apache .htaccess just blocked IP: 159.14.184.11
> > > > this is "Organization: The Children's Hospital of philadelphia"
> > > > CIDR: 159.14.0.0/16
> > > >
> > > > and that CIDR is not on my list, why apache is locking it?
> > > > Do these IP subnets need to be sorted in order for them to work correctly?
> > > >
> > > > I can post them here if somebody wants to test it, if it is OK. They
> > > > are just subdomains not an individual IP's.


Re: Apache 2.4 - deny access to IP's that are not ban

Posted by Travis Rodman <tr...@apple.com.INVALID>.
Hi syscon edm,

So, I guess I am confused, first by mis-associating the CIDR values, and about this statement:
"In .htaccess file I have a long list of IP-subnets (over 500-subnets) that I ban (mostly spammers)."

So, I suppose I would need to see all the blocked subnets in your .htaccess to compare them.

If you want to post them, I don't mind looking at them a bit later (you can DM me, trodman@apple.com)

But, yes, given this snippet:
> Require not ip 152.32.186.0/24
> Require not ip 157.230.0.0/16
> Require not ip 157.7.160.0/22
> Require not ip 158.255.128.0/19

and this address:
157.55.39.252

I don't see the address being blocked in the .htaccess set you've shown.

If you send your list of blocks, I don't mind coding up an analysis of the addresses, it should only take a few minutes.

Regards,
Travis

On Wed, Feb 10, 2021 at 04:57:47PM -0700, syscon edm wrote:
> Thanks for the input Travis.  Maybe I wasn't clear.
> I was blocking in .htaccess only:
> ....
> Require not ip 152.32.186.0/24
> Require not ip 157.230.0.0/16
> Require not ip 157.7.160.0/22
> Require not ip 158.255.128.0/19
> ....
> 
> These CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14  (are not on
> my list in .htaccess)
> I just pull them up with "whois" to investigate.
> 
> So how does IP apache blocked: "157.55.39.252" matches what I had in
> my .htaccess file?
> 
> On Wed, Feb 10, 2021 at 4:25 PM Travis Rodman <tr...@apple.com.invalid> wrote:
> >
> > given this...
> > ---------------------------------------------------------------------
> > apache log:
> > 157.55.39.252 - - [09/Feb/2021:17:04:33 -0700] "GET /product_info.php
> > HTTP/1.1" 403 199
> >
> > The above user is from Microsoft Network
> > CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
> > that does not appear on my list.
> >
> > So why my configuration is blocking that user?
> >
> > The apache .htaccess just blocked IP: 159.14.184.11
> > this is "Organization: The Children's Hospital of philadelphia"
> > CIDR: 159.14.0.0/16
> > ---------------------------------------------------------------------
> >
> > using this to calculate the binary and the masks...
> > echo "obase=2;$ip" | bc
> >
> > this:
> > echo "obase=2;157" | bc
> > echo "obase=2;54" | bc
> > echo "obase=2;56" | bc
> > echo "obase=2;60" | bc
> >
> > converts to this:
> > 157 10011101
> > 60  00111100
> > 54  00110110
> > 56  00111000
> >
> > 157 | 10011101
> > 55  | 00110111
> > 39  | 00100111
> > 252 | 11111100
> >
> > 10011101.00110111.00100111.11111100
> >
> > and doing the same with your CIDR masks against the input IP
> > 157  60  | 10011101.00111100|.00000000.00000000
> >            10011101.00110111|.00100111.11111100
> >
> > 157  54  | 10011101.0011011|0.00000000.00000000
> >            10011101.0011011|1.00100111.11111100
> >
> > 157  56  | 10011101.001110|00.00000000.00000000
> >            10011101.001101|11.00100111.11111100
> >
> > 157 | 10011101
> > 55  | 00110111
> > 39  | 00100111
> > 252 | 11111100
> >
> > 10011101.00110111.00100111.11111100
> >
> > shows this is the matching (rejecting) IP and mask
> > this is the matching subnet:
> > 157  54  | 10011101.0011011|0.00000000.00000000
> >            10011101.0011011|1.00100111.11111100
> >
> > so, your 157.54.0.0/15 rule is matching (rejecting) 157.55.39.252
> >
> > HTH,
> > Travis
> >
> > On Wed, Feb 10, 2021 at 03:53:35PM -0700, syscon edm wrote:
> > > I run apache-2.4.46 on linux
> > >
> > > In .htaccess file I have a long list of IP-subnets (over 500-subnets)
> > > that I ban (mostly spammers).
> > > But I've notices that my .htaccess prevent access to customers from IP
> > > that are not on the ban list.
> > >
> > > In the .htaccess the IP's are listed in numerical order, eg.:
> > > <Files history.txt>
> > >         Require all denied
> > > </Files>
> > >
> > > <RequireAll>
> > > Require all granted
> > >
> > > # block spammers:
> > > ...
> > > Require not ip 152.32.186.0/24
> > > Require not ip 157.230.0.0/16
> > > Require not ip 157.7.160.0/22
> > > Require not ip 158.255.128.0/19
> > > ...
> > > </RequireAll>
> > >
> > > apache log:
> > > 157.55.39.252 - - [09/Feb/2021:17:04:33 -0700] "GET /product_info.php
> > > HTTP/1.1" 403 199
> > >
> > > The above user is from Microsoft Network
> > > CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
> > > that does not appear on my list.
> > >
> > > So why my configuration is blocking that user?
> > >
> > > The apache .htaccess just blocked IP: 159.14.184.11
> > > this is "Organization: The Children's Hospital of philadelphia"
> > > CIDR: 159.14.0.0/16
> > >
> > > and that CIDR is not on my list, why apache is locking it?
> > > Do these IP subnets need to be sorted in order for them to work correctly?
> > >
> > > I can post them here if somebody wants to test it, if it is OK. They
> > > are just subdomains not an individual IP's.


Re: Apache 2.4 - deny access to IP's that are not ban

Posted by syscon edm <sy...@gmail.com>.
Thanks for the input Travis.  Maybe I wasn't clear.
I was blocking in .htaccess only:
....
Require not ip 152.32.186.0/24
Require not ip 157.230.0.0/16
Require not ip 157.7.160.0/22
Require not ip 158.255.128.0/19
....

These CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14 (are not on
my list in .htaccess)
I just pulled them up with "whois" to investigate.

So how does the IP apache blocked, "157.55.39.252", match what I had in
my .htaccess file?

On Wed, Feb 10, 2021 at 4:25 PM Travis Rodman <tr...@apple.com.invalid> wrote:
>
> given this...
> ---------------------------------------------------------------------
> apache log:
> 157.55.39.252 - - [09/Feb/2021:17:04:33 -0700] "GET /product_info.php
> HTTP/1.1" 403 199
>
> The above user is from Microsoft Network
> CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
> that does not appear on my list.
>
> So why my configuration is blocking that user?
>
> The apache .htaccess just blocked IP: 159.14.184.11
> this is "Organization: The Children's Hospital of philadelphia"
> CIDR: 159.14.0.0/16
> ---------------------------------------------------------------------
>
> using this to calculate the binary and the masks...
> echo "obase=2;$ip" | bc
>
> this:
> echo "obase=2;157" | bc
> echo "obase=2;54" | bc
> echo "obase=2;56" | bc
> echo "obase=2;60" | bc
>
> converts to this:
> 157 10011101
> 60  00111100
> 54  00110110
> 56  00111000
>
> 157 | 10011101
> 55  | 00110111
> 39  | 00100111
> 252 | 11111100
>
> 10011101.00110111.00100111.11111100
>
> and doing the same with your CIDR masks against the input IP
> 157  60  | 10011101.00111100|.00000000.00000000
>            10011101.00110111|.00100111.11111100
>
> 157  54  | 10011101.0011011|0.00000000.00000000
>            10011101.0011011|1.00100111.11111100
>
> 157  56  | 10011101.001110|00.00000000.00000000
>            10011101.001101|11.00100111.11111100
>
> 157 | 10011101
> 55  | 00110111
> 39  | 00100111
> 252 | 11111100
>
> 10011101.00110111.00100111.11111100
>
> shows this is the matching (rejecting) IP and mask
> this is the matching subnet:
> 157  54  | 10011101.0011011|0.00000000.00000000
>            10011101.0011011|1.00100111.11111100
>
> so, your 157.54.0.0/15 rule is matching (rejecting) 157.55.39.252
>
> HTH,
> Travis
>
> On Wed, Feb 10, 2021 at 03:53:35PM -0700, syscon edm wrote:
> > I run apache-2.4.46 on linux
> >
> > In .htaccess file I have a long list of IP-subnets (over 500-subnets)
> > that I ban (mostly spammers).
> > But I've notices that my .htaccess prevent access to customers from IP
> > that are not on the ban list.
> >
> > In the .htaccess the IP's are listed in numerical order, eg.:
> > <Files history.txt>
> >         Require all denied
> > </Files>
> >
> > <RequireAll>
> > Require all granted
> >
> > # block spammers:
> > ...
> > Require not ip 152.32.186.0/24
> > Require not ip 157.230.0.0/16
> > Require not ip 157.7.160.0/22
> > Require not ip 158.255.128.0/19
> > ...
> > </RequireAll>
> >
> > apache log:
> > 157.55.39.252 - - [09/Feb/2021:17:04:33 -0700] "GET /product_info.php
> > HTTP/1.1" 403 199
> >
> > The above user is from Microsoft Network
> > CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
> > that does not appear on my list.
> >
> > So why my configuration is blocking that user?
> >
> > The apache .htaccess just blocked IP: 159.14.184.11
> > this is "Organization: The Children's Hospital of philadelphia"
> > CIDR: 159.14.0.0/16
> >
> > and that CIDR is not on my list, why apache is locking it?
> > Do these IP subnets need to be sorted in order for them to work correctly?
> >
> > I can post them here if somebody wants to test it, if it is OK. They
> > are just subdomains not an individual IP's.


Re: Apache 2.4 - deny access to IP's that are not ban

Posted by Travis Rodman <tr...@apple.com.INVALID>.
given this...
---------------------------------------------------------------------
apache log:
157.55.39.252 - - [09/Feb/2021:17:04:33 -0700] "GET /product_info.php
HTTP/1.1" 403 199

The above user is from Microsoft Network
CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
that does not appear on my list.

So why my configuration is blocking that user?

The apache .htaccess just blocked IP: 159.14.184.11
this is "Organization: The Children's Hospital of philadelphia"
CIDR: 159.14.0.0/16
---------------------------------------------------------------------

using this to calculate the binary and the masks...
echo "obase=2;$ip" | bc

this:
echo "obase=2;157" | bc
echo "obase=2;54" | bc
echo "obase=2;56" | bc
echo "obase=2;60" | bc

converts to this:
157 10011101
60  00111100
54  00110110
56  00111000

157 | 10011101
55  | 00110111
39  | 00100111
252 | 11111100

10011101.00110111.00100111.11111100

and doing the same with your CIDR masks against the input IP
157  60  | 10011101.00111100|.00000000.00000000
           10011101.00110111|.00100111.11111100

157  54  | 10011101.0011011|0.00000000.00000000
           10011101.0011011|1.00100111.11111100

157  56  | 10011101.001110|00.00000000.00000000
           10011101.001101|11.00100111.11111100

157 | 10011101
55  | 00110111
39  | 00100111
252 | 11111100

10011101.00110111.00100111.11111100

shows this is the matching (rejecting) IP and mask
this is the matching subnet:
157  54  | 10011101.0011011|0.00000000.00000000
           10011101.0011011|1.00100111.11111100

so, your 157.54.0.0/15 rule is matching (rejecting) 157.55.39.252

HTH,
Travis

On Wed, Feb 10, 2021 at 03:53:35PM -0700, syscon edm wrote:
> I run apache-2.4.46 on linux
> 
> In .htaccess file I have a long list of IP-subnets (over 500-subnets)
> that I ban (mostly spammers).
> But I've notices that my .htaccess prevent access to customers from IP
> that are not on the ban list.
> 
> In the .htaccess the IP's are listed in numerical order, eg.:
> <Files history.txt>
>         Require all denied
> </Files>
> 
> <RequireAll>
> Require all granted
> 
> # block spammers:
> ...
> Require not ip 152.32.186.0/24
> Require not ip 157.230.0.0/16
> Require not ip 157.7.160.0/22
> Require not ip 158.255.128.0/19
> ...
> </RequireAll>
> 
> apache log:
> 157.55.39.252 - - [09/Feb/2021:17:04:33 -0700] "GET /product_info.php
> HTTP/1.1" 403 199
> 
> The above user is from Microsoft Network
> CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
> that does not appear on my list.
> 
> So why my configuration is blocking that user?
> 
> The apache .htaccess just blocked IP: 159.14.184.11
> this is "Organization: The Children's Hospital of philadelphia"
> CIDR: 159.14.0.0/16
> 
> and that CIDR is not on my list, why apache is locking it?
> Do these IP subnets need to be sorted in order for them to work correctly?
> 
> I can post them here if somebody wants to test it, if it is OK. They
> are just subdomains not an individual IP's.
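
The binary comparison worked through in the message above can be automated for a long block list. The following is an added example, not code from the thread or from either poster: it parses `Require not ip` lines, reports which line contains a denied client address, and prints the same prefix-versus-address layout. The function names and the 157.48.0.0/12 entry are constructed for illustration.

```python
import ipaddress
import re

# The four rules quoted in the thread, plus one CONSTRUCTED wide entry
# (157.48.0.0/12, not from the thread) so the sample produces a hit.
SAMPLE_HTACCESS = """\
<RequireAll>
Require all granted
# block spammers:
Require not ip 152.32.186.0/24
Require not ip 157.230.0.0/16
Require not ip 157.7.160.0/22
Require not ip 158.255.128.0/19
Require not ip 157.48.0.0/12
</RequireAll>
"""
WHOIS_CIDRS = ["157.60.0.0/16", "157.54.0.0/15", "157.56.0.0/14"]  # from the thread

RULE = re.compile(r"^\s*Require\s+not\s+ip\s+(.+?)\s*$", re.IGNORECASE)


def parse_blocks(text):
    """Return (line_number, network) for each network on a 'Require not ip' line."""
    blocks = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE.match(line)
        if m:
            for token in m.group(1).split():  # a directive may list several networks
                # strict=False tolerates host bits set in the entry; Apache's
                # partial-address form (e.g. "10.1") is not handled and raises.
                blocks.append((lineno, ipaddress.ip_network(token, strict=False)))
    return blocks


def matching_rules(ip, blocks):
    """Rules whose network contains ip; inside <RequireAll> one hit fails the block."""
    addr = ipaddress.ip_address(ip)
    return [(lineno, str(net)) for lineno, net in blocks if addr in net]


def bits(ip, prefixlen):
    """IPv4 address as dotted binary with '|' after the prefix bits, as in the thread."""
    raw = format(int(ipaddress.IPv4Address(ip)), "032b")
    dotted = ".".join(raw[i:i + 8] for i in range(0, 32, 8))
    cut = prefixlen + max(prefixlen - 1, 0) // 8  # dots that precede the cut
    return dotted[:cut] + "|" + dotted[cut:]


if __name__ == "__main__":
    client = "157.55.39.252"
    for cidr in WHOIS_CIDRS:
        net = ipaddress.ip_network(cidr)
        print(f"{cidr:<16} {bits(net.network_address, net.prefixlen)}")
        print(f"{client:<16} {bits(client, net.prefixlen)}  in range: "
              f"{ipaddress.ip_address(client) in net}")
    for lineno, net in matching_rules(client, parse_blocks(SAMPLE_HTACCESS)):
        print(f"{client} is denied by line {lineno}: Require not ip {net}")
```

Run against the real .htaccess by passing its contents to `parse_blocks`; an address that returns no matching line is being denied by something other than the `Require not ip` list in that file.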