IP blocking via htaccess does not work.

Forum Moderators: phranque

Message Too Old, No Replies

IP blocking via htaccess does not work.

d40sithui

3:22 pm on Oct 16, 2007 (gmt 0)

Anyone know why this is so?
Here is the code from .htaccess

<Limit GET POST>
order allow,deny
deny from xx.xx.xx.xx
allow from all
</Limit>

[edited by: eelixduppy at 3:23 pm (utc) on Oct. 16, 2007]
[edit reason] removed IP [/edit]

wilderness

3:50 pm on Oct 16, 2007 (gmt 0)

what do your error logs say?

The deny does not stop the request from taking place and still shows in your visitor logs as a 403.

Denying short (or to the precise) Class D may prove fruitless as may bots used multiple Class D's.

d40sithui

5:15 pm on Oct 16, 2007 (gmt 0)

I do not have access to the server logs. I'm merely a php developer, not a UNIX admin. The thing is, i've tried to block myself from the website. I work for a company managing their website and i have a personal domain where i test all my stuff. the weird thing is it does work on my personal domain(so i can block people), but not on the company website. Are there some settings that could be doing this?

The Contractor

5:20 pm on Oct 16, 2007 (gmt 0)

I simply use the following in .htaccess to block by IP:

You could also use a RewriteCond and send them to a custom 403 page.

d40sithui

5:56 pm on Oct 16, 2007 (gmt 0)

i've also tried this. unfortunately does not work. =/

wilderness

5:59 pm on Oct 16, 2007 (gmt 0)

Are there some settings that could be doing this?

Works on your domain, unlimited access!
Fails on managed domain, restricted access?

Best you could do is contact either the netwwork administrator or whomever holds your service contract.

I've been using the same lines you provided (and much more) on hosted websites for nearly seven years.

jdMorgan

11:33 pm on Oct 16, 2007 (gmt 0)

Also, be sure to completely flush your browser cache after making any change to the server config code (including .htaccess) -- Otherwise, your browser will serve any previously-cached pages instead of fetching them from your server. And if the pages are not fetched from your server, then server-side code can have no effect.

It's possible that mod_access is not configured on your server, or that AllowOverride Limit is not configured in httpd.conf or conf.d.

Jim

d40sithui

11:22 am on Oct 17, 2007 (gmt 0)

Hey thanks for the replies guys,
Jim - Where would I find these files you mention?

PHP_Chimp

7:55 pm on Oct 17, 2007 (gmt 0)

Have you tried using -
RewriteCond %{REMOTE_ADDR} ^xx\.xx\.xx
RewriteRule .* - [F,L]

As I have a problem where on a few of the servers I work with I cant use the order/allow/deny paten. However on all of them mod_rewrite is there, so you can use that as opposed to mod_access.

You can also use phpinfo() to check what apache modules are loaded.

[edited by: PHP_Chimp at 7:58 pm (utc) on Oct. 17, 2007]

d40sithui

6:49 pm on Oct 18, 2007 (gmt 0)

Ok thanks for all replies. It wokrs now. I think. Or at least the guy is no longer nuking my site haha...that is until he gets behind a proxy...anyway my unix admin inserted following line in /etc/hosts.allow "ALL : 202.75.33.321/255.255.255.255 : DENY"