> we get a internal server error

What's in your server error log when you get this error?
(Cross-check the timestamp(s) from your server access log.)

Do you have other mod_rewrite code that works?
(If not, test with a simple 301 redirect first, to get mod_rewrite working.)

Here's the most common problem: If you use a custom 403 error document, as defined by an ErrorDocument directive in your .htaccess file, or set up by your "control panel," then that custom error document must be excluded from the 403-generating code above with a negative-match RewriteCond. For example:

RewriteCond %{REQUEST_URI} !^/path/from/web/root/to/your-custom-403-error-page.html

If this is not done, when the server enters the 403 error state as a result of your code above, it attempts to serve the custom error document. But since that page is also forbidden by your code (because it isn't explicitly excluded), this invokes yet another 403 error state. So the server again tries to serve the custom 403 error document, etc., etc. This continues until the server reaches its configured error limit, at which point it enters the 500-Server Error state, and the result is what you report seeing here...

Jim

Hello Jim and thank you for your reply.

Sadly, you went completely over my head. LOL!
The script that is currently in place does not toss an internal error but it also does not block.

To be honest, we are willing to pay a programmer to stop this traffic. We are in the audio world and only dabble in your world.

ps. Yes. We did make a new 403 and 404 that gives a little 'message' to those that we are banning via IP. For right now, it is all we can do. When they come to our site from the 'bad site', we ban the IP. This new 403 and 404 are not the cause of the block not working. It has not worked yet and the new 403 404 where put in yesterday.

Thank you again,
S

[edited by: Sara_Page at 3:27 pm (utc) on April 2, 2009]

Second Condition is missing [NC,OR] flags.

They must NOT appear on the last Condition.

EDIT:

Is this what you mean?

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} example123\.com [NC,OR]
RewriteCond %{HTTP_REFERER} example234\.com [NC,OR]
RewriteCond %{HTTP_REFERER} example345\.ru
RewriteRule .* - [F]

If so, no error but if I go to one of the bad sites listed in this code, I can go right back to ours. That should not be, right?

[edited by: Sara_Page at 3:46 pm (utc) on April 2, 2009]

[edited by: jdMorgan at 8:20 pm (utc) on April 2, 2009]
[edit reason] example.com [/edit]

> Write how the script should be written!

Please be aware that we don't normally do that here; This is a discussion forum, not a free repair service. Please review our forum charter.

Again, if you get a server error, your best bet is to look at the server error log. If you don't know where it is, ask your host. This is a critically-important thing to know, and a very-highly-useful resource to access.

What g1smd is saying is that your code is broken and cannot work, because it requires the referrer to be *both* the first OR second referrer *AND* the third one -- you are requiring the referrer to be two different domains at the same time, which is clearly impossible. So the code needs to be fixed:

Options +FollowSymlinks
RewriteEngine on
#
RewriteCond %{REQUEST_URI} !^/path-to-custom-403-document\.html
RewriteCond %{HTTP_REFERER} example123\.com [NC,[b]OR[/b]]
RewriteCond %{HTTP_REFERER} example234\.blogpot\.com [NC,[b]OR[/b]]
RewriteCond %{HTTP_REFERER} example345\.ru [NC]
RewriteRule .* - [F] 

Jim
[edit] Corrected literal period escaping as noted below. [/edit]

[edited by: jdMorgan at 8:17 pm (utc) on April 2, 2009]

Very sorry about breaking any rules. Very new here and at my wits end to get this fix for my boss. So use the code they way you just posted, Jim?

Again sorry and thank you all for your help and knowledge!

Yes, Jim's code should work as-is if the problem you described is exactly as you described it.

This stuff is very technical, and you are well advised to spend some time at apache.org, reading the manual. :)

Most of it is incomprehensible at first, but as you spend more time with it, you'll gradually understand more and more.

Do not be so worried about the scar that you feel you have no time to apply a tourniquet!

Test the code and see. Unfortunately, due to the many different ways in which servers can be configured, there is no "one right way" that is guaranteed to work in all cases. That said, this code is trivial, and it should be easy to get it working.

Completely flush your browser cache before testing any new code to avoid stale cached results confusing your test results.

Jim

Well, I posted in Jim's code to the htaccess file. I removed the 123 and used the real names. There is not a server error but "I" can go to a bad site and then go right back to ours. I guess that means something is still not working?

Grr! Ok so I am thinking of that song, "Stupid girl" LOL

PS. I did clear cache via firefox. I'll try with IE too.

EDIT: Still the same.

[edited by: Sara_Page at 4:08 pm (utc) on April 2, 2009]

Is it possible that your browser does not send referrer data, or that your Internet Security package strips them off the data that you send to the site?

That's why using referrer data is unreliable at best.

Check your server access logs to see if the referrer data is there or not.

Go to the bad site. Completely flush your browser cache. Then click on the link (or whatever) that points back to your own site.

The order of operations is important.

Jim

Not sure of the question but we use VisiStat scripting software any we see everything that is going on our site.

There is a file on our saver in the logs folder that says our site name.com. It's 3 MB file that wants to open in DOS.

"using referrer data is unreliable at best."

is there another way to block them?

You'll be able to block all those that do send referrer data -- and that is likely most of them.

I was just letting you know that it isn't fool-proof.

OMG IT WORKED!

I went to the bad site and then clicked on the link they provide and I was not allowed to our site!

OMG! THANK YOU SOOOOOOOO MUCH!

Last question: How do I add more sites to jims code?

Just add another line exactly like those that end with [NC,OR].

Add one for each site.

Make sure that you write the dot in the name as

\.

for each and every dot in the name.

I have a custom 403 my I'm not getting that. Any thoughts?
You guys rock!

Also, there is one site that has our software but they do not link back - they just have the url posted. So if it is not an actual link to click on - this wont work?

FYI. I got the custom 403 to work. Thank you again so much.

How would this be typed?

example456.com.br/

It has .com and .br
Im not sure how to do the [NC,OR] line.

Thank you

[edited by: jdMorgan at 8:20 pm (utc) on April 2, 2009]
[edit reason] example.com [/edit]

Look very carefully at the code I posted. Every RewriteCond that refers to the HTTP Referer has [NC,OR] at the end, except for the very last one. If you maintain the code to comply with this description, then your code will work. And if not, then it won't work.

It says, "block referers that match this, or that, or this, or that. Note how the last 'that' word in this sentence does not have an 'or' after it... same thing in the code.

Simply add more RewriteConds, and escape all literal periods by preceding them with a "\". I was not utterly consistent in doing that in my initial posting, and need to go correct that.

RewriteCond %{HTTP_REFERER} example456\.com\.br [NC,OR]

will do.

Jim

[edited by: jdMorgan at 8:21 pm (utc) on April 2, 2009]

Thank you Jim. Yes everything you showed me is working ;-)

Hi everyone,

If I may, I have one last question. Is there any way to ban a site that is attacking ours but they are coming in by typing the url. It's no longer a linked url. We see the full url from where they are coming from via our web stats but cannot htacess ban the user because they are not clicking on a posted link back to us.

Best and TGIF!

[edited by: Sara_Page at 12:51 pm (utc) on April 3, 2009]

Sure,

Add another RewriteCond at the top of your list of ORed referrers:

RewriteCond %{REMOTE_ADDR} ^192\.168\.0\.10$ [OR]

Here, 192.168.0.10 should be replaced by the attacker's actual IP address.

Remember, all the things you want to block should be ORed, except the final one. [NC] is not used in this RewriteCond because we are looking at numbers, and there's no such thing as an uppercase or lowercase number.

Jim

[edited by: jdMorgan at 1:30 pm (utc) on April 3, 2009]

Good morning, Jim!

But wouldn't I need the IP address of all the people coming form the bad site? Or - are you saying just use the IP of the bad site and that stops all visitors from? I already traced the sites IP and banned that but via IP deny of our control panel, we are still getting hit with all their traffic.

[edited by: Sara_Page at 1:36 pm (utc) on April 3, 2009]

Ops! I thought I did. I just banned the following via our control panel. Note. I made fake names for the post.

NS.'''''.NET xx ip xx
NS2.'''''.NET xx ip xx
NS3.'''''.NET xx ip xx

Geo Information
IP Address xx ip xx

Well adding the IPs via control panel ban and via the script did not work. There are still coming in :-(

We see the full url from where they are coming from via our web stats but cannot htacess ban the user because they are not clicking on a posted link back to us.

Sorry, I interpreted this to mean that you saw the unwelcome visitors' IP addresses, but no referring URL.

If you *are* seeing a Referer header in the logs, then I don't know what you mean when you say you think you can't block them using a referrer-based block. There's no magic here: As long as the logged referrer matches one of your RewriteCond patterns, and as long as this mod_rewrite rule executes before any other mechanism transfers control to a content-handler, the request will be denied. However, if the unwelcome visitor's client (e.g. his browser or application program) does not send a referrer header, or if that header gets blocked or dropped by 'security software', a firewall, or caching proxy at his ISP, then there's nothing you can do other than to block that specific visitor's IP address; As pointed out at the start, the HTTP Referer header is not always present, and therefore, referrer-based access control will never be a 100%-reliable method.

I also suggest you look at your server access and error logs instead of relying on 'stats'. The scripts that analyze your raw server logs to produce 'stats' make pretty reports, but they often omit data which is important when analyzing server abuse.

Jim

I have the bad site typed in the htaccess as you have showed me and they can still get into our site. We sniffed out this location and they are telling each other, "Don't click the link or you will get the forbidden message. Copy and paste it and you can get in". Our stats show a unique visitor from the bad site with a different IP each time and it's non stop.

I guess my question is - even if the site is blocked via htaccess as you have shown me, can't they just type in our site and go? Then again, why do we see where they are coming from? It's always the same url. I'd post it here if I was allowed.

[edited by: Sara_Page at 6:34 pm (utc) on April 3, 2009]