Forum Moderators: open
Thanks!
Scott
ARIN returns a net range of 63.148.99.224 - 63.148.99.255... How do I block that with .htaccess?
Don't forget the 65.118.41.192-223 range...
RewriteCond %{REMOTE_ADDR} ^63\.148\.99\.2(2[4-9]¦[34][0-9]¦5[0-5])$ [OR]
RewriteCond %{REMOTE_ADDR} ^65\.118\.41\.(19[2-9]¦2[01][0-9]¦22[0-3])$
RewriteRule .* - [F]
Also, do you think you could explain for us htaccess newbys, what you typed there and how it works?
Thanks Mucho!
Scott
RewriteCond %{REMOTE_ADDR} ^63\.148\.99\.2(2[4-9]¦[34][0-9]¦5[0-5])$ [OR]
RewriteCond %{REMOTE_ADDR} ^65\.118\.41\.(19[2-9]¦2[01][0-9]¦22[0-3])$
RewriteRule .* - [F]
Before going any farther it is imperative that you keep in mind the neccessity of coverting how the forum server display the straight up-down line above the back slash key as "¦" incorrectly.
the ip range 63\.148.99.2(2[4-9]¦[34][0-9]¦5[0-5])$ [OR]
denies the following ranges:
63.148.99.224-229
63.148.99.230 & 249
63.148.99.250-255
The $ character is only used when all four classes are present.
In this instance the first 2 after 99. is used to apply to in front of all ranges enclosed in parethenses.
Multiple Bracket statements are enclosed in parethenses.
Addition ranges outside of a particular bracket are separated my the wrongly forum translated "¦¦
RewriteCond %{REMOTE_ADDR} ^65\.118\.41\.(19[2-9]¦2[01][0-9]¦22[0-3])$
65.118.41.192-199
65.118.41.201-219
The OR is used if there are multiple lines and is NOT used on either a solitary line or the closing line.
The last line
RewriteRule .* - [F] denies access and returns a 403
As wilderness points out, you must hand-edit the above code to replace the broken vertical pipe "¦" characters with the solid vertical pipe characters from your keyboard. The forum modifies them on posting, and mod_rewrite will not accept the broken pipe characters.
If you have no other mod_rewrite rules in your .htaccess file, you will need to preface the code above with these two lines:
Options +FollowSymLinks
RewriteEngine on
Jim
Scott
Found this news:bd28o7$l2m$1@news.spamcop.net in spamcop:
-= BEGIN forwarded message =-
Subject: Re: Cyveillance being sneaky once again
From: "Merlyn" <Merlyn@Spamcop.net>
Newsgroups: spamcop
Reply-To: "Merlyn" <Merlyn@Spamcop.net>
Organization: The Cave
"Godwin Stewart" <gstewart.YOUR_KNICKERS@sgms-centre.com> wrote in message
news:20030621105205.5aaa02ff.gstewart.YOUR_KNICKERS@sgms-centre.com...
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> And Thus Spake "Kev" <nobody@spamcop.net> (on Sat, 21 Jun 2003 09:22:23
>> +0100):
>>
>
>>> > Mmmmmmmm....... I just found exactly the same in my logs (it won't get
>>> > there again ;-) ) - anyone got an up to date list of Cyveillance IP's
>>> > please?
>
>>
>> Don't know if it's up to date but I block this at the firewall level:
>>
>> 63.148.99.224/27
>> 65.118.41.192/27
>>
You might also want to check these as they scan from some of them also.....
63.148.99.224-63.148.99.255
65.118.41.192-65.118.41.223
128.121.217.0-128.121.217.255 (not sure on block size)
207.87.178.0-207.87.178.255 (not sure on block size)
63.100.73.? (not sure on blocksize)
63.100.163.122 (not sure on blocksize)
pop.imaphost.com resolves to 63.100.163.122
207.87.178.68 has dubious reverse DNS of pop.imaphost.com - which is a valid
hostname, but not one that resolves to 207.87.178.68
I am also looking into imagelock.com seems as if they are tied somehow
-- Regards, Merlyn A Spamcop advocate All replies will be made specifically to the newsgroup
-= END forwarded message =-
I did have this from Telecom the other day:
209.49.118.24 - - [16/Jul/2003:21:56:50 -0700] "GET / HTTP/1.0" 403 - "-" "WebGo IS - 2612"
The denial came from a common SetEnvIf I use to condense lines.
