
Apache Web Server Forum

    
I need to ban a country using htaccess
Some loser is abusing my formmail
martinibuster




msg:1511602
 6:01 am on Jan 30, 2003 (gmt 0)

What's the htaccess code for doing this?

 

Key_Master




msg:1511603
 6:33 am on Jan 30, 2003 (gmt 0)

Sounds like you are using formmail on your server (correct me if I'm wrong). Can you provide the visitor's IP and their User-agent (might be helpful)?

martinibuster




msg:1511604
 6:51 am on Jan 30, 2003 (gmt 0)

User agent is usually Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0). Sometimes a different user agent, though not often.

The IP address resolves to different IP addresses that belong to three or four different ISPs. I basically want to ban the whole country.

Key_Master




msg:1511605
 7:07 am on Jan 30, 2003 (gmt 0)

Indian IP block list:
[apnic.net...]

You've got a big job ahead of you :). I'll start you off with the first IP block (using the SetEnvIf method).

SetEnvIf Remote_Addr ^61\.[0-3]\. ban

<Files ~ "^.*$">
order allow,deny
allow from all
deny from env=ban
</Files>

Then stick the .htaccess file in the root directory of your site.

amznVibe




msg:1511606
 8:48 am on Jan 30, 2003 (gmt 0)

You sure you have the newest formmail? The newer versions have a lot better hack and spam protection.
There was a security update April 19, 2002 to upgrade any version from 1.91 and earlier.
[scriptarchive.com...]

or try the NMS version, v1.87 - May 24, 2002
[scriptarchive.com...]

Anyone know of other replacements out there that are even more robust?

Natashka




msg:1511607
 9:03 am on Jan 30, 2003 (gmt 0)

I also want to ban Malaysia, Philippines and Indonesia from my site without blocking the entire APNIC, like Australia for example.

Key_Master, and what's next? What about other IP blocks? There's a whole bunch. :( Is there any easier method?

Also I would like to know how to ban just a small IP range. Let's say I want to ban 10.10.10.150 - 10.10.10.255. If I just put 10.10.10. it will ban the entire map, but I just want to ban only those starting from 150 and up to 255. Is there a way to do it without the "SetEnvIf Remote_Addr" thing?

martinibuster




msg:1511608
 2:59 pm on Jan 30, 2003 (gmt 0)

It's not so much hacking. No one's hacking my formmail. I'm just receiving bogus form submissions from India.

Keymaster,
Looking at the first block, did you extrapolate the first numbers from this?
61.0.0.0-61.3.255.255

And also, how would I proceed to the next block? Should I duplicate all the file endings and closings, or put the next IP range beneath the previous?


SetEnvIf Remote_Addr ^61\.[0-3]\. ban
SetEnvIf Remote_Addr ^61\.11[0-127]\. ban
<Files ~ "^.*$">
order allow,deny
allow from all
deny from env=ban
</Files>

or

SetEnvIf Remote_Addr ^61\.[0-3]\. ban
<Files ~ "^.*$">
order allow,deny
allow from all
deny from env=ban
SetEnvIf Remote_Addr ^61\.11[0-127]\. ban
<Files ~ "^.*$">
order allow,deny
allow from all
deny from env=ban
</Files>

</Files>

[edited by: heini at 3:04 pm (utc) on Jan. 30, 2003]
[edit reason] fixed missing BBS code [/edit]

Key_Master




msg:1511609
 3:52 pm on Jan 30, 2003 (gmt 0)

Natashka, there really isn't an easier way to block an IP range.

martinibuster, you got the right idea with your first example. Except the block should look like:

SetEnvIf Remote_Addr ^61\.11\.([0-9]¦[1-9][0-9]¦1[0-1][0-9]¦12[0-7])\. ban

The red portion bans numbers that fall between 0-9
The blue portion bans numbers that fall between 10-99
The green portion bans numbers that fall between 100-119.
The last blue portion bans numbers that fall between 120-127.

Remember, the broken pipe (¦) needs to be replaced with a solid vertical pipe.

BjarneDM




msg:1511610
 6:58 am on Jan 31, 2003 (gmt 0)

In my experience in observing these scans for formmail, they are not based on an analysis of your website - they just try different IPs until they get a positive response when looking for [fF]orm[mM]ail.[cgi¦pl] in either cgibin or cgi-bin.

Thus, there are three very simple defenses against these scans:

1) use the latest version of formmail
2) rename the cgibin folder into something random like eftesfge
3) rename formmail to something either random or descriptive like OrderMail

So, there's really no need to block any IPs
If you follow the above advice, the scanners will just get 404s

yours in happy hacking
Bjarne, Danmark

spock




msg:1511611
 4:21 pm on Feb 6, 2003 (gmt 0)

What's wrong with using the allow and deny directives to block IP ranges?

order allow,deny
allow from all
deny from 61.0.0.0/14
deny from 61.11.0.0/17
(etc)

But unless you block the whole world you'll only cut down a bit on the number of formmail scans. Like Bjarne suggests, a more reasonable solution for this is to make sure your scripts are safe, and to name them something other than formmail.
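An added example, not part of any post in this thread: the CIDR form spock uses can be derived mechanically from "first-last" ranges such as the 61.0.0.0-61.3.255.255 block quoted earlier, including ranges like 10.10.10.150-10.10.10.255 that do not fall on a single network boundary. The function names `ranges_to_cidrs` and `htaccess_block` are hypothetical; only Python's standard `ipaddress` module is used.

```python
import ipaddress

def ranges_to_cidrs(ranges):
    """Turn 'first-last' strings into the smallest list of CIDR networks.

    Overlapping or adjacent ranges are merged so the output has no
    redundant entries.
    """
    nets = []
    for item in ranges:
        first, sep, last = item.partition("-")
        if not sep:
            raise ValueError(f"expected 'first-last', got {item!r}")
        lo = ipaddress.IPv4Address(first.strip())
        hi = ipaddress.IPv4Address(last.strip())
        if lo > hi:
            raise ValueError(f"range is reversed: {item!r}")
        # A range that is not aligned to one network splits into several.
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return list(ipaddress.collapse_addresses(nets))

def htaccess_block(ranges):
    """Emit the allow/deny block in the style used in the thread."""
    lines = ["order allow,deny", "allow from all"]
    lines += [f"deny from {net}" for net in ranges_to_cidrs(ranges)]
    return "\n".join(lines)

if __name__ == "__main__":
    # Ranges taken from the thread; the second is the span covered by
    # the 61.11.0-127 pattern discussed above.
    print(htaccess_block(["61.0.0.0-61.3.255.255",
                          "61.11.0.0-61.11.127.255"]))
    # The partial /24 asked about earlier needs four networks.
    print(htaccess_block(["10.10.10.150-10.10.10.255"]))
```

On Apache 2.4 the same networks go into `Require not ip` lines inside a `<RequireAll>` block; the output above uses the older directives shown in the thread.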

martinibuster




msg:1511612
 4:28 pm on Feb 6, 2003 (gmt 0)

It's not so much hacking. No one's hacking my formmail. I'm just receiving bogus form submissions from India.

As I mentioned in an earlier post, this is not about formmail scans. My formmail is secure.

This is some sissy in India who is acting like a little girl, and making phony submissions.

The little bugger is blocked now, though. Heh-heh.

toadhall




msg:1511613
 5:42 pm on Feb 6, 2003 (gmt 0)

...acting like a little girl, and making phony submissions.

So you ban an entire continent? Well, sub-continent, but nonetheless, what's next? Oakland?

T

IanKelley




msg:1511614
 4:58 am on Feb 7, 2003 (gmt 0)

You don't want to do this with .htaccess.

In fact it would be undeniably stupid to do it that way ;-)

First off, why are you going to block entire countries? Why don't you just block the actual form submissions?

I mean unless you actually dislike traffic :-)

You need a script that will resolve the source country from the IP address and then discard form submissions based on that data. You can either do this on the fly (will cause a minor slowdown) or periodically in the background.

This is easier to do in PHP than in Perl but either will work.

Lol... There is never a reason to ban an entire country! Filter all you want, but don't ban.

martinibuster




msg:1511615
 6:28 am on Feb 7, 2003 (gmt 0)

unless you actually dislike traffic :-)

India is indisputably one of the great countries of the world with one of the richest, most beautiful history and culture. I have a high regard for India and for its people.

However, the web site is local to the U.S. It's exclusively a U.S. market. No skin off my b*tt to ban India.

IanKelley




msg:1511616
 11:24 am on Feb 7, 2003 (gmt 0)

Your annoying Indian friend can still get to your site through any of the dozens of free redirectors and open proxies on the internet. There is also software he can use to block his IP information. There is absolutely nothing you can do to stop this.

So what you have is some code that has to run every single time a request is made to your site (instead of just for form submissions)... and it doesn't really work in the first place ;-)

chrisd




msg:1511617
 4:07 am on Feb 8, 2003 (gmt 0)

I'm interested in this. I had the same thing happening for weeks. I ended up tracking it to a link in a password protected area in some sort of career training website (I couldn't view the actual page) and solved the problem by redirecting user requests from that domain (via .htaccess) to an MLM link farm that had about 50 popunders ready to greet visitors.

I was getting about 20 forms a day with stuff like:

"ho ho happy day. Good job is important"

It was driving me nuts...

I'd love to know what it was all about and what the motivation was.

martinibuster




msg:1511618
 7:04 am on Feb 8, 2003 (gmt 0)

what the motivation was.

Insecure little girl.

No MAN would do something like that.

Has to be a little girl.

:) Y

StopSpam




msg:1511619
 9:57 pm on Mar 9, 2003 (gmt 0)

SetEnvIf Remote_Addr ^61\.11\.([0-9]¦[1-9][0-9]¦1[0-1][0-9]¦12[0-7])\. ban

The red portion bans numbers that fall between 0-9
The blue portion bans numbers that fall between 10-99
The green portion bans numbers that fall between 100-119.
The last blue portion bans numbers that fall between 120-127.

Remember, the broken pipe (¦) needs to be replaced with a solid vertical pipe.

==== this is a reply on above code ==============

I want to ban certain IP addresses, all coming from:
UserAgent: FAST-WebCrawler/3.6 (atw-crawler at fast dot no; [fast.no...]
IP address: 66.77.73.151

I get way too many visits from this spiderbot.

They're all coming from 66.77.73.01 up to 66.77.73.251 or even higher.
Is there a sort of wildcard to block them all at once ...

I now try this:
SetEnvIf Remote_Addr ^66\.77\.73\.([0-9]¦[1-9][0-9]¦1[0-1][0-9]¦12[0-9]¦13[0-9]¦14[0-9]¦15[0-9]¦16[0-9]¦17[0-9]¦18[0-9]¦19[0-9])$ ban
but it only blocks from 01 to 199 and it's a long line ...
Why is this not working?
SetEnvIf Remote_Addr ^66\.77\.73\.*$ ban
* is often used as a wildcard; it would be a lot easier but it ain't working ;-(

Or can I write something like:
SetEnvIf Remote_Addr ^66\.77\.73\.([0-300])$ ban
Is this possible?

Key_Master




msg:1511620
 10:02 pm on Mar 9, 2003 (gmt 0)

The following will block the FAST spider.

SetEnvIf Remote_Addr ^66\.77\.73\. ban
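An added example, not part of any post in this thread: a check that compares each Remote_Addr pattern quoted above against the range it was meant to ban, counting addresses it misses and addresses it bans by mistake. Python's `re` stands in for Apache's regex engine (the constructs used here behave the same way), and the function name `audit`, the case labels and the surrounding test networks are assumptions.

```python
import ipaddress
import re

def audit(pattern, first, last, universe):
    """Compare a Remote_Addr regex with the range first..last it should ban.

    Returns (missed, overblocked): addresses inside the range that the regex
    fails to match, and addresses in `universe` outside it that it matches.
    """
    rx = re.compile(pattern)
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    missed = overblocked = 0
    for ip in ipaddress.ip_network(universe):  # every address in the network
        hit = rx.search(str(ip)) is not None
        inside = lo <= int(ip) <= hi
        if inside and not hit:
            missed += 1
        elif hit and not inside:
            overblocked += 1
    return missed, overblocked

# Patterns from the thread, with '|' restored where the forum shows '¦'.
# Each entry: (pattern, first, last, universe); the universes are constructed.
CASES = {
    "char class [0-127]": (r"^61\.11[0-127]\.",
                           "61.11.0.0", "61.11.127.255", "61.11.0.0/16"),
    "alternation 0-127": (r"^61\.11\.([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-7])\.",
                          "61.11.0.0", "61.11.127.255", "61.11.0.0/16"),
    "dot-star wildcard": (r"^66\.77\.73\.*$",
                          "66.77.73.0", "66.77.73.255", "66.77.72.0/22"),
    "char class [0-300]": (r"^66\.77\.73\.([0-300])$",
                           "66.77.73.0", "66.77.73.255", "66.77.72.0/22"),
    "prefix only": (r"^66\.77\.73\.",
                    "66.77.73.0", "66.77.73.255", "66.77.72.0/22"),
}

def run_cases():
    """Audit every case and return {label: (missed, overblocked)}."""
    return {name: audit(*case) for name, case in CASES.items()}

if __name__ == "__main__":
    for name, (missed, over) in run_cases().items():
        print(f"{name:20} missed={missed:6} overblocked={over}")
```

A bracket expression lists single characters rather than a numeric range, so `[0-127]` and `[0-300]` each match one digit, and `\.*$` means "zero or more dots, then end of string", which no full address satisfies.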

StopSpam




msg:1511621
 10:24 pm on Mar 9, 2003 (gmt 0)

Thank you, Key_Master ...

I am kinda all new to this ...
but I knew there had to be a shorter way to block them all coming from this provider ;-)

This forum rules...
I learn a lot from it.

heini




msg:1511622
 10:41 pm on Mar 9, 2003 (gmt 0)

Just a quick and offtopic addition: you are about to block the spider of one of the few big worldwide search engines.

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
© Webmaster World 1996-2014 all rights reserved