| 11:00 pm on Jan 29, 2013 (gmt 0)|
Only the last Limit will apply.
You'll need to combine the rules into one container.
| 12:26 am on Jan 30, 2013 (gmt 0)|
|There are 79 ARIN-controlled IPv4 prefixes and 176 non-ARIN I wish to Deny. |
255 lines unmanageable!
Many thanks. I needed a good laugh today ;)
| 12:51 am on Jan 30, 2013 (gmt 0)|
One container: first one Limit Get, Put & second Limit Get, Head to make them different ?
If really one container, then one container on /home/user/.htaccess and the second more restrictive set on /home/user/public_html/.htaccess ? I may try that tonight ...
Deny From 178/8 # RIPE NCC
Allow From 216/8 # ARIN
-- 2nd container --
deny from 126.96.36.199# really bad Gogglebot spoofer
. . .
| 1:08 am on Jan 30, 2013 (gmt 0)|
|deny from 188.8.131.52# really bad Gogglebot spoofer |
1) This is a total waste for two reasons. NEVER (unless for temporary use) deny to the Class D; always deny to the provider's larger range.
2) If you deny every fake Google or other major bot offending with fakes, you'll be adding these Class D IP's for all of eternity.
| 1:21 am on Jan 30, 2013 (gmt 0)|
Advice accepted. I denied about ten Class D's and then killed off Amazon AWS using their list on https://forums.aws.amazon.com/ann.jspa?annID=1701. They control a lot of addresses and host a lot of really bad actors, IMHO.
| 1:41 am on Jan 30, 2013 (gmt 0)|
See the active and very large Server Farm thread in the SSID forum [webmasterworld.com]
| 1:43 am on Jan 30, 2013 (gmt 0)|
|One container: first one Limit Get, Put & second Limit Get, Head to make them different ? |
No. It's not like CSS where <class = "widget foobar"> means it has to be both A and B or the rule won't apply.
When two rules in Apache contradict each other, you need to know exactly where you are. Not just physically where-- i.e. different directories at different levels-- but what module, if any.
Sometimes Apache grabs the first thing that applies. A simple example is the DirectoryIndex line: as soon as it finds a match it stops, without checking to see if there's also an index.jsp or a main.php in the same directory. Other times Apache uses the last thing it meets, discarding any others. Some people have been bitten by the <Location> envelope, which can override any previous Deny.
And still other times the whole thing grinds to a crashing 500-level halt.
In the case of PUT, I should think you'd want to block almost everyone. But you may not need to do it explicitly. Just the other day my logs turned up a slew of "PUT ... html" (and assorted other extensions) that got hit with a resounding 405 requiring no effort from my side at all. Didn't even show up in error logs.
| 2:04 am on Jan 30, 2013 (gmt 0)|
Apologies to all. I am getting educated fast. I thought deny from was like a firewall directive and executed immediately. [httpd.apache.org...] shows directives being merged and overridden. My being cute doesn't accomplish anything.
BTW, I used the PUT just to try and make it different (which won't make any difference) from the other section/container. I'm back to straightforward dealing with IP addresses. Wilderness showed me a sane way to merge ranges even tighter. => Many thanks to all of you who pointed me in a better direction!
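
The advice in this thread (combine the rules into one container, deny the provider's larger range, merge ranges tighter) can be scripted. The following is an added example, not code from any poster: the function names and the documentation-range sample entries are assumptions, it handles IPv4 only, and it emits Apache 2.2-style directives as used in the thread.

```python
import ipaddress

# Constructed sample deny list: documentation ranges plus the thread's "178/8".
SAMPLE_DENY = [
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the line above: the two merge into a /24
    "203.0.113.7",         # single host, absorbed by the /24 on the next line
    "203.0.113.0/24",
    "192.0.2.0/28",
    "192.0.2.32/28",       # not adjacent to 192.0.2.0/28, so it stays separate
    "178/8 # RIPE NCC",    # short form and trailing note as written in the thread
]

def parse_entry(text):
    """Parse full CIDR, a bare address, a partial address ('10.1') or '178/8'."""
    text = text.split("#", 1)[0].strip()        # drop any trailing note
    addr, _, prefix = text.partition("/")
    octets = addr.split(".")
    # A partial address without a prefix covers the octets given (10.1 -> /16).
    prefix = prefix or str(8 * len(octets))
    addr = ".".join(octets + ["0"] * (4 - len(octets)))   # pad to four octets
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def collapse(entries):
    """Merge adjacent networks and drop entries already covered by a larger one."""
    return list(ipaddress.collapse_addresses(parse_entry(e) for e in entries))

def render_container(entries, methods=("GET", "POST", "HEAD")):
    """Emit one <Limit> container holding every collapsed Deny line."""
    lines = [f"<Limit {' '.join(methods)}>",
             "Order Allow,Deny",     # allow is evaluated first, a matching deny wins
             "Allow from all"]
    lines += [f"Deny from {net}" for net in collapse(entries)]
    lines.append("</Limit>")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_container(SAMPLE_DENY))
```

Seven input entries come out as five Deny lines in a single container, each written in full dotted CIDR form.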