No, your Order [httpd.apache.org] directive is incorrect.

Jim

(I edited my original reply after doing more research)

Thanks Jim for your very prompt response. Is this the correct order directive?

<Files 403.shtml>
Order Allow,Deny
</Files>
Deny from 130.234.4.60
Deny from 138.245.181.1
Deny from 204.60.97.116
Allow from all

If this is the right way to handle htaccess, I'll make the changes immediately...

.........................

[edited by: Reno at 1:57 am (utc) on Jan. 30, 2008]

No, your Order directive [httpd.apache.org] is incorrect. Use

Order Deny,Allow

if you want your custom 403 error page to be accessible and avoid recursion.

Jim

Thank you -- I appreciate your expertise & feedback. I've been reading various tutorials since your first reply, and it's a little confusing to those of us who do not actually work with Apache. The one thing I do know is that htaccess is very powerful, so I don't want to screw it up. With that in mind, is this format correct?

<Files 403.shtml>
Order Deny,Allow
Allow from all
</Files>

Deny from 130.234.4.60
Deny from 138.245.181.1
Deny from 204.60.97.116

Or should "Allow from all" be moved to the bottom, as in:

<Files 403.shtml>
Order Deny,Allow
</Files>

Deny from 130.234.4.60
Deny from 138.245.181.1
Deny from 204.60.97.116
Allow from all

If either of them is right, then I'll get onto the fix...

........................

You can put the allows and denies in any order you like; It is only the Order directive that is important in determining whether Allows override Denys or vice-versa. As a result, either of your code snippets will work, since mod_access sees them as entirely equivalent.

Jim

Many thanks Jim for your help in straightening this out...

...........................

will the htaccess format below be reasonably effective? (though it may not be totally foolproof)

It's a good beginning until your able to allocate time to broader ranges.

You'll learn very quickly that denying to the precise Class D (zzz.zzz.zzz.000) will come back to haunt you almost everytime as users generally have multiple ranges in both the Class C and Class D ranges available.

Although NOT attempting to deny google, their available and active ranges across different Classes are a good example:
[iplists.com...]

Thanks wilderness for the resource -- I've bookmarked it. I understand your point about denying so specifically, but for now I'm hesitant to get too broad. Eventually that may be the way to go.

I checked my denied ip's against what they list for Google and all is well. I do wish they'd also had an up-to-date listing for MSN/LIVE (my own records mostly show the range of 207.46 and 65.55). But since Google is the thousand pound gorilla, that's the one where I'll need to keep the closest check.

............................

[edited by: Reno at 6:46 am (utc) on Jan. 30, 2008]

I do wish they'd also had an up-to-date listing for MSN/LIVE

Just go to the main page of the site to view other major bots.

I just used the google link to provide an example of variety in IP ranges within the same lower classes.

Prior to my last posting I had gone to their main page and got the list for Yahoo, but did not see MSN. I just now found them under "Misc IP List". I was thinking that they'd get their own primary link, like the older spiders Lycos, InfoSeek & Excite, so missed them the first time. Thanks again...

...................................