IP Range Clarification

Hoping an apache expert will set this clear once and for all

         

procommerce

8:40 pm on Jan 10, 2011 (gmt 0)

10+ Year Member



Hi, from what I have read, jdMorgan really knows his htaccess coding... So I have a little issue: the thing is that we are actually banning accesses from entire countries, specifically from Turkey. I guess these guys are on the hunt for several osCommerce exploits, which we have managed to update and secure, but we just don't want them to mess around.

We have the htaccess file with the proper
# Country: TURKEY
# ISO Code: TR
# Total Networks: 355
# Total Subnets: 11,764,160
deny from 46.2.0.0/16
deny from 46.17.128.0/21
deny from 46.20.0.0/20


that we obtained from countryipblocks.net, but as you might guess, this info has to be updated constantly...

So, yesterday we found that 95.8.165.107 and 78.176.140.157 (both from TR) were trying to hack us, so we want to ban their entire nets (surely a dial-up...). We went to dnsstuff and found that the ranges are:
95.0.0.0 to 95.15.255.255
78.160.0.0 to 78.191.255.255

What would be the correct deny from string?
Would it be the same to ban from domain? like:
deny from ttnet.net.tr
deny from ns-pri.ripe.net

What if we write "Deny From .tr"?


Thanks in advance!

wilderness

9:45 pm on Jan 10, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> So, yesterday we found that 95.8.165.107 and 78.176.140.157 (both from TR) were trying to hack us, so we want to ban their entire nets (surely a dial-up...). We went to dnsstuff and found that the ranges are:
> 95.0.0.0 to 95.15.255.255
> 78.160.0.0 to 78.191.255.255


#using CIDR method (there numbers are included about 7/8's down the RIPE results)
deny from 95.0.0.0/17
deny from 78.160.0.0/11

A better and more efficient method of denial (as opposed to the many lines required by mod_access) is to combine the lines in mod_rewrite, although the latter is a different understanding of IP ranges.
EX:
RewriteCond %{REMOTE_ADDR} ^78\.1([678][0-9]|9[01])\.



> What would be the correct deny from string?
> Would it be the same to ban from domain? like:
> deny from ttnet.net.tr
> deny from ns-pri.ripe.net
>
> What if we write "Deny From .tr"?


These types of denys are too server intensive and require each request to be verified and compared via same intensive request.


procommerce

2:49 am on Jan 11, 2011 (gmt 0)

10+ Year Member



Thanks for your quick answer....
Could you tell me this:
...there numbers are included about 7/8's down the RIPE results

in other words?

Will investigate changing my mod_access denial method. Do you think that is worth the effort? Will a change in the method of denial improve the time it takes for a visitor to load the site?

wilderness

2:58 am on Jan 11, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> in other words?


It wasn't clear to me whether you were aware of that as a source for CIDRs.

> Will investigate changing my mod_access denial method. Do you think that is worth the effort? Will a change in the method of denial improve the time it takes for a visitor to load the site?


Not any noticeable speed difference; however, mod_rewrite allows you to join lines together in a method that reduces the overall size of your htaccess file.

BTW, are you just denying Turkey or other countries as well?
Is your "allow" limited to some region (possibly North America)?

If you're including multiple RIPE (or even other Regions) countries in your denials?
Then it's certainly worth the effort of merging all the numbers together and creating lines on the merged IP ranges.
Your lines would be many less than 300-400 per country and added together.

procommerce

3:45 am on Jan 11, 2011 (gmt 0)

10+ Year Member



Yes, I'm aware, but in a learning phase... still don't get the number of bits that must match... sorry...

Well, my htaccess is 300kb.... I'm denying Turkey, China, Vietnam, Russia, Korea and two or three more... while the allow is not limited..

Nevertheless I just found that while I already have a line blocking the 78.160.0.0 /11, the 78.176.140.157 got through?

What do you think about that?

The other line I have is "deny from 95.0.0.0/12"; will change it to "/17" and see what happens with these hackers.

Thanks for the advice, I will try to implement that mod_rewrite, will not be easy for me...

wilderness

3:57 am on Jan 11, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> Nevertheless I just found that while I already have a line blocking the 78.160.0.0 /11, the 78.176.140.157 got through?
>
> What do you think about that?


All it takes is one simple syntax error to make the entire file either not function at all, function weirdly, or function crippled.

After just a few minutes of looking at these numbers, your eyes begin to get buggy and blurry.

I had an htaccess in place (for nearly ten years) that denied most every country (with only a few exceptions) outside of North America.
With 2,300 lines many of which were not focused primarily upon IP ranges and my file size was 114kb.

procommerce

5:06 am on Jan 11, 2011 (gmt 0)

10+ Year Member



Will check on that! thanks!

jdMorgan

4:15 pm on Jan 14, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> deny from 95.0.0.0/17
> deny from 78.160.0.0/11

Can also be written as a space-delimited list to save space:

Deny from 78.160.0.0/11 95.0.0.0/17

> Blocking 78.160.0.0 /11, the 78.176.140.157 got through.

The space character between "78.160.0.0" and "/11" is a problem. It is likely that you blocked exactly "78.160.0.0" and also "0.0.0.0" through "0.191.255.255" with this erroneous line.

Blocking 78.160.0.0/11 blocks IP addresses from 78.160.0.0 through 78.191.255.255 inclusive.

Jim
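
As an added example (not part of the thread and not any poster's code): a Python check, using only the standard `ipaddress` module, that converts the registry ranges quoted above into CIDR blocks, lints `deny from` lines for the stray-space mistake and for host bits set under the prefix, and reports which CIDR entries actually contain a given client address. The function names and the sample lines are constructed for illustration.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]

def lint_deny_line(line):
    """Problems in one mod_access 'deny from' line (empty list if none)."""
    tokens = line.split()
    if len(tokens) < 3 or [t.lower() for t in tokens[:2]] != ["deny", "from"]:
        return ["not a 'deny from' line"]
    problems = []
    for tok in tokens[2:]:
        if tok.startswith("/"):
            # "78.160.0.0 /11": whitespace split the prefix off the address
            problems.append("stray '%s': whitespace before the prefix" % tok)
        elif "/" in tok:
            try:
                ipaddress.ip_network(tok, strict=True)  # rejects host bits
            except ValueError as exc:
                problems.append(str(exc))
    return problems

def covering_entries(ip, deny_lines):
    """CIDR or network/netmask entries in deny_lines that contain ip.
    Bare addresses, partial IPs and hostnames are not evaluated here."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for line in deny_lines:
        for tok in line.split()[2:]:
            if "/" in tok and not tok.startswith("/"):
                try:
                    net = ipaddress.ip_network(tok, strict=False)
                except ValueError:
                    continue
                if addr in net:
                    hits.append(str(net))
    return hits

if __name__ == "__main__":
    # Sample lines constructed from values quoted in the thread.
    sample = ["deny from 78.160.0.0 /11", "deny from 78.160.0.0/11",
              "deny from 95.0.0.0/17", "deny from 95.0.0.0/12"]
    print(range_to_cidrs("95.0.0.0", "95.15.255.255"))
    print(range_to_cidrs("78.160.0.0", "78.191.255.255"))
    for line in sample:
        print(line, "->", lint_deny_line(line) or "ok")
    for ip in ("95.8.165.107", "78.176.140.157"):
        print(ip, "covered by", covering_entries(ip, sample))
```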

procommerce

4:54 pm on Jan 14, 2011 (gmt 0)

10+ Year Member



jdMorgan, you are an expert, many many thanks.

wilderness

5:06 pm on Jan 14, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> All it takes is one simple syntax error to make the entire file either not function at all, function weirdly, or function crippled.

> Will check on that! thanks!


Apparently not ;)

> The space character between "78.160.0.0" and "/11" is a problem.


i.e., syntax error.

procommerce

5:53 pm on Jan 14, 2011 (gmt 0)

10+ Year Member



Dear Wilderness and jdMorgan, thank you very much for the mutual advice... sorry to tell you that neither of the things proposed really solved my thing...

The fact is that in my htaccess, the line is properly spelled, without the space...
I have
78.160.0.0/11
still 78.176.140.157 comes through....

If I write "78.176.140." then the access gets denied....

Any suggestions?

wilderness

6:17 pm on Jan 14, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> Any suggestions?


Then you have another syntax error that is preventing the deny.


IP Entered = ..................: 78.176.128.0
CIDR = ........................: /11
Netmask = .....................: 255.224.0.0
Wildcard Bits = ...............: 0.31.255.255
------------------------------------------------
Network Address = .............: 78.160.0.0
Broadcast Address = ...........: 78.191.255.255
Usable IP Addresses = .........: 2097150
First Usable IP Address = .....: 78.160.0.1
Last Usable IP Address = ......: 78.191.255.254


You have the correct CIDR specified, and the fact that it does not function as intended points to another cause.

Consider the quantity of lines that your htaccess contains and how they are organized/disorganized and/or separated by country?

You'll be required to sift through ALL the countries and look for syntax errors of ALL types (not just related to this IP range), which may cause your entire htaccess to act in an unpredictable manner.

COPY and pasting these lines from another website (even this one) and without comprehending the interpretation of the IP ranges (and/or any syntax) is exactly the perils of which this forum was created to apprehend (i.e., the ability to provide a forum where users are REQUIRED to learn these skills, as opposed to copy and paste solutions.)

procommerce

7:03 pm on Jan 14, 2011 (gmt 0)

10+ Year Member



Hi, thanks for your time... I carefully put the information together; for clarification purposes, I tried to leave the line 78.160.0.0/11 for a few hours alone, with no other IP banning info... the hacker got in.... then I added the 78.176.140. and only then the IP gets denied.....

jdMorgan

4:15 pm on Jan 16, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



As with any problem that "does not make sense," the cause is likely elsewhere in the configuration code.

You could also try the network/netmask method, as hinted-at in Wilderness' post above:

Deny from 78.160.0.0/255.224.0.0

If that works as well as "Deny from 78.176.140", but "Deny from 78.160.0.0/11" does not work, then you may have a bad Apache mod_access installation. Otherwise, I'd still be looking for syntax errors -- Do be sure that you're using a plain-text editor to create and edit the .htaccess file.

Another possibility is that your .htaccess filesize is being artificially limited by your host. If not already done, try moving the various Deny from lines for the Turkish address closer to the start of your .htaccess file.

Very strange behaviour, this...

Jim

procommerce

7:47 pm on Jan 16, 2011 (gmt 0)

10+ Year Member



Will try all the mentioned... and keep you guys posted

Thanks again, both of you, for your time, effort and understanding... I really appreciate it.