Apache Web Server Forum

    
htaccess
Blocking foreign IP's
awjens




 
Msg#: 5468 posted 4:16 pm on Jan 31, 2006 (gmt 0)


I am trying to block all foreign traffic from a guestbook on my website. Is there any way to allow traffic to a directory by country code?

I am currently trying to block some IPs in Korea and China. I have reviewed my logs, and the hacker seems to be using some sort of proxy program to hide his real IP, using IPs from Korea, China, etc.

All IPs have been in the 220 to 223 range. I tried to block those IPs in htaccess by adding "deny from 220.", "deny from 221.", "deny from 222." and "deny from 223.", but my log from this morning shows he was still able to log in from IPs in those ranges. I added "deny from 24." (my IP) and that worked; I could not access the page.

 

jdMorgan




 
Msg#: 5468 posted 4:46 pm on Jan 31, 2006 (gmt 0)

awjens,

Welcome to WebmasterWorld!

There's probably a coding problem with your 220-block code, then. Either the code works or it doesn't, but there's no way anyone can 'tunnel' through your code by magic and get in.

Be aware that both .htaccess solutions to this problem are fairly inefficient:

If you block by remote_host, you force your server to do a reverse DNS lookup for every request to your server. This means your server must send a request to the DNS system, and then wait for a response before the client request can proceed. If a significant backlog of requests gets queued, your server can suffer long load times and dropped connections.

Blocking by IP address is also inefficient, in that IP addresses are not assigned by country, but rather are assigned in various-sized 'chunks' as requests are received from ISPs and hosting companies for additional IP address space. Therefore, if you block at the class A level (e.g. 220.*.*.*), then you may block parts of Australia, New Zealand, India, and many other countries as well. But if you add the needed 'exceptions' to allow some of those countries, the IP block list becomes large and difficult to maintain.

The best answer for .htaccess-based methods may be a blend of the two methods above. If the requesting IP is within an 'unwelcome' IP address range, then do a hostname lookup on it, and block it by country code. It would be best (if possible) to limit the scope of this hostname lookup to only a few pages, and to exclude requests for images and other included files from this checking. You really want to avoid doing a lot of hostname lookups if possible.

Jim

awjens




 
Msg#: 5468 posted 5:05 pm on Jan 31, 2006 (gmt 0)

Hello Jim,

Thanks for the input. I don't much care if I block a few US addresses in what I have here. This page is used to post snowmobile trail conditions in our area, by riders that have been here.

Here is my htaccess file

# */HEADER* */README* */_vti*
<Limit GET POST>
order allow,deny
allow from all
deny from 195.
deny from 218.
deny from 219.
deny from 220.
deny from 201.
deny from 221.
deny from 222.
deny from 202.
deny from 80.
deny from 223.
deny from 211.
deny from 60.
deny from 57.
deny from 58.
deny from 59.
deny from 60.
deny from 77.
deny from 78.
deny from 79.
deny from 80.
deny from 81.
</Limit>
<Limit POST PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName www.###########.com
AuthUserFile /web/u254/www#####/www/_vti_pvt/service.pwd
AuthGroupFile /web/u254/www#####/www/_vti_pvt/service.grp

It seems I have something wrong, because a few are still getting through in the 220.#.#.# range.

This hacker has also managed to post from a few US addresses, these last three are bothering me.

131.***.225.138 I called on this one, it is a computer in a public library in Rhode Island at a university.

66-***-250-39.ubr02b.wchry01.nj.hfc.comcastbusiness.net

68-***-105-3.ded.ameritech.net

These last two I haven't researched yet. Can you help me with this?

Art

[edited by: jdMorgan at 5:13 pm (utc) on Jan. 31, 2006]
[edit reason] Obscured IPs & hostnames per TOS. [/edit]

jdMorgan




 
Msg#: 5468 posted 5:25 pm on Jan 31, 2006 (gmt 0)

When one of these requests 'gets through,' what is the server response code? Can you post a relevant snippet from your raw access log file?

Note that the examples given in the mod_access documentation [httpd.apache.org] do not include the trailing dot in partial IP addresses. That is,

Deny from 220

is the correct form.

If you are using Frontpage extensions *and* mod_rewrite, then things can get a bit more complicated.

You need to be sure to replace the line

Options None

with

Options +FollowSymLinks

in every .htaccess file in every Web-accessible directory on your server, and you must check these after any update to that directory using Frontpage. See [webmasterworld.com...] - start at message 43. Again, this applies only if you're having trouble with mod_rewrite, and is unrelated to problems if you're only using mod_access.

You can look up info on IP addresses at arin.net, ripe.net, apnic.net, and at dnsstuff.com

Jim

awjens




 
Msg#: 5468 posted 5:58 pm on Jan 31, 2006 (gmt 0)

Hello Jim,

Although Frontpage was used at one time, all updates to the pages are now done via FTP, not webpublish from Frontpage. So the htaccess file is not being overwritten. I have only modified the htaccess file in the directory where the CGI scripts for the guestbook are written. Again, testing by blocking my IP, this was sufficient.

I have modified it (### instead of ###.) in all instances. Testing my IP, it worked either way, but I followed your advice.

I believe the server response code was 200. Here is my log from one that got through.

220.127.34.63 - - [31/Jan/2006:11:05:47 -0500] "POST /cgi-bin/guestbook.cgi HTTP/1.1" 200 290541 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"

I guess this hacker must be fairly resourceful, as he is able to access my site through valid US addresses.

jdMorgan




 
Msg#: 5468 posted 6:16 pm on Jan 31, 2006 (gmt 0)

Sorry, I missed this:

<Limit GET POST>
order allow,deny
allow from all
deny from 195.
...
deny from 81.
</Limit>
<Limit POST PUT DELETE>
order deny,allow
deny from all
</Limit>

You have two "order" statements, and the <LIMIT> containers overlap on the POST method. Try to re-code this so they don't conflict with each other, for example:

Order allow,deny
<Limit GET POST>
Allow from all
Deny from 195
...
Deny from 81
</Limit>
<LimitExcept GET POST>
Deny from all
</LimitExcept>

> I guess this hacker must be fairly resourceful, as he is able to access my site through valid US addresses.

He's probably using an open proxy -- you can safely block those IP addresses.

Jim
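The conflict described in the post above, worked through as an added example (not code from the thread or from Apache). It is a simplified model of mod_access's documented Order semantics: with allow,deny the default is deny and Deny has the last word, with deny,allow the default is allow and Allow has the last word. It assumes Order is tracked per method, so a later Order in a container naming the same method replaces the earlier one; AccessConfig and its methods are hypothetical names, and 24. stands for the poster's own test rule.

```python
ALL_METHODS = frozenset({"GET", "POST", "PUT", "DELETE"})

def matches(spec, ip):
    """'all' matches anything; '220' or '220.' matches on whole leading octets."""
    if spec == "all":
        return True
    want = spec.rstrip(".").split(".")
    return ip.split(".")[:len(want)] == want

class AccessConfig:
    """Simplified, hypothetical model of one .htaccess file's mod_access rules."""
    def __init__(self):
        self.order = {m: "deny,allow" for m in ALL_METHODS}  # Apache's default Order
        self.rules = []                                      # (kind, spec, methods)

    def set_order(self, value, methods=ALL_METHODS):
        for m in methods:  # assumption: a later Order for a method replaces the earlier
            self.order[m] = value

    def add(self, kind, spec, methods=ALL_METHODS):
        self.rules.append((kind, spec, frozenset(methods)))

    def hit(self, kind, method, ip):
        return any(k == kind and method in ms and matches(s, ip)
                   for k, s, ms in self.rules)

    def allowed(self, method, ip):
        allow, deny = self.hit("allow", method, ip), self.hit("deny", method, ip)
        if self.order[method] == "allow,deny":  # default deny, Deny has the last word
            return allow and not deny
        return allow or not deny                # deny,allow: Allow has the last word

def original_file():
    c, gp, ppd = AccessConfig(), {"GET", "POST"}, {"POST", "PUT", "DELETE"}
    c.set_order("allow,deny", gp)               # <Limit GET POST>
    c.add("allow", "all", gp)
    for p in ("220.", "221.", "222.", "223.", "24."):  # subset, plus the poster's test
        c.add("deny", p, gp)
    c.set_order("deny,allow", ppd)              # <Limit POST PUT DELETE>
    c.add("deny", "all", ppd)
    return c

def rewritten_file():
    c, gp = AccessConfig(), {"GET", "POST"}
    c.set_order("allow,deny")                   # one Order, outside the containers
    c.add("allow", "all", gp)
    for p in ("220", "221", "222", "223"):
        c.add("deny", p, gp)
    c.add("deny", "all", ALL_METHODS - gp)      # <LimitExcept GET POST>
    return c
```

In this model the original file refuses a GET from 220.127.34.63 but lets its POST through, because the second container switches POST to deny,allow and the "allow from all" then wins; the rewritten file refuses both.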

awjens




 
Msg#: 5468 posted 6:34 pm on Jan 31, 2006 (gmt 0)

Hello Jim,

Here is my new htaccess file.

# -FrontPage-
IndexIgnore .htaccess */.?* *~ *
# */HEADER* */README* */_vti*
<Limit GET POST>
order allow,deny
allow from all
deny from 195
deny from 218
deny from 219
deny from 220
deny from 201
deny from 221
deny from 222
deny from 202
deny from 80
deny from 223
deny from 211
deny from 60
deny from 202.129
deny from 210
deny from 57
deny from 58
deny from 59
deny from 60
deny from 77
deny from 78
deny from 79
deny from 80
deny from 81
</Limit>
<LimitExcept GET POST>
deny from all
</LimitExcept>
AuthName www.example.com
AuthUserFile /web/u254/www68171/www/_vti_pvt/service.pwd
AuthGroupFile /web/u254/www68171/www/_vti_pvt/service.grp

I have modified it per your example. When you say he is probably using an open proxy... what does this mean to me? Is there any way to stop attacks?

I surfed google and found programs that are supposed to hide my real ip address. Will those programs make it possible for someone to establish an open proxy on a US based server?

[edited by: jdMorgan at 7:03 pm (utc) on Jan. 31, 2006]
[edit reason] Obscured specifics per TOS, [/edit]

jdMorgan




 
Msg#: 5468 posted 7:10 pm on Jan 31, 2006 (gmt 0)

Open proxy: A server that allows anyone to connect to it and pass requests to other servers, 'hiding' the original requestor's IP address by replacing it with that of the proxy. Some of them make the original IP address available in the HTTP_X_FORWARDED_FOR header, but this is not usually logged in your access log file.

> I surfed google and found programs that are supposed to hide my real ip address. Will those programs make it possible for someone to establish an open proxy on a US based server?

No, but all of them are guaranteed to lighten your wallet...

The only reason that your code might not work is that it is not being executed for the requests that get through. All I can recommend in this case is that you make sure that the .htaccess file is located in the path between the server root and the file being requested. If your scripts are in a directory defined by a ScriptAlias directive, then you'll have to get access to httpd.conf to fix this, or ask your host to do it.

Jim
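One way to find the requests the rules are not being applied to, as an added example that is not part of the thread: scan the access log for clients in the denied ranges that were answered with anything other than 403, grouped by method and path. The prefixes come from the thread's deny list; every sample log line except the first, and the /guestbook/index.html path, are constructed.

```python
import re
from collections import Counter

# Combined Log Format: host ident user [time] "METHOD path proto" status bytes ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

DENIED = ["220", "221", "222", "223"]  # partial IPs taken from the thread's deny list

def in_deny_list(ip, prefixes=DENIED):
    """True if the address starts with one of the partial IPs (whole octets only)."""
    octets = ip.split(".")
    return any(octets[:len(p.split("."))] == p.split(".") for p in prefixes)

def leaks(lines):
    """Count (method, path, status) for denied-range requests not answered with 403."""
    found = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        if in_deny_list(ip) and status != "403":
            found[(method, path, status)] += 1
    return found

# First entry is the log line posted in the thread; the others are constructed.
SAMPLE = [
    '220.127.34.63 - - [31/Jan/2006:11:05:47 -0500] "POST /cgi-bin/guestbook.cgi HTTP/1.1" 200 290541 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"',
    '221.0.2.9 - - [31/Jan/2006:11:06:02 -0500] "GET /guestbook/index.html HTTP/1.1" 403 210 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [31/Jan/2006:11:07:10 -0500] "GET /guestbook/index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '222.3.4.5 - - [31/Jan/2006:11:09:31 -0500] "POST /cgi-bin/guestbook.cgi HTTP/1.1" 200 290541 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for (method, path, status), n in leaks(SAMPLE).most_common():
        print(f"{n:4d}  {method} {path} -> {status}")
```

A method and path pair that keeps turning up here, while other paths return 403 for the same ranges, points at a location or method the .htaccess rules do not cover.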

siteseo




 
Msg#: 5468 posted 11:00 pm on Jan 31, 2006 (gmt 0)

And make sure you don't have an "allow from all" rule that is occurring AFTER the "deny from" rules - as it will undo the "deny from" rules.

I have the same problem with people from China trying to join our aff program using fake information. We blocked by IP and it worked fantastic, cutting out hundreds of unwanted apps per month.
