Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Blocking an IP in Apache 2

Status
Not open for further replies.
bigdlj

bigdlj

Technical User
Jun 21, 2002
2
US
My /var/log/httpd/error.log shows many IP's trying various probes of my web site. I want to set Apache to block access from these IP's.

In /etc/httpd/httpd.conf I set:


<Directory &quot;/Library/WebServer/Documents&quot;>
...
AllowOverride All
...
</Directory>

and created /Library/WebServer/Documents/.htaccess containing:

Order allow,deny
Allow from all
# Deny all IP's which have tried to probe my site.
Deny from \
1.2.3.4 \
2.3.4.5 \
etc.

This did not block access. I also tried &quot;Order deny,allow&quot; which did not appear to work either. Where am I going wrong.

Dennis


(This copy of apache is running on Mac OS X 10.1.5)

Dennis
dl4_jones@yahoo.com
 
Sort by date Sort by votes
Order deny,allow
# Deny all IP's which have tried to probe my site.
Deny from 1.2.3.4 2.3.4.5 \
Allow from all

Tried it this way around? cu, Sascha
 
Upvote 0 Downvote
Hi guys,

The correct syntax is as follows.

I dont know why you both are using a slash at the end of the IP but all you are doing is making Apache look for that slash in the IP of the user, because that is not found, they dont get blocked.

Order deny,allow
Allow from all
deny from 111.111.111
deny from 222.222.222
deny from 333.333.333
and so on..

Hope this helps Wullie

 
Upvote 0 Downvote
Wullie

Thanks for the help.

I thought the back slash (\) was the continuation character for Apache. I was trying to put a list of IP's after the Deny From.

From your reply do I understand that Deny from and Allow from only accept one paramater and not a list?

Thanks again

Dennis
 
Upvote 0 Downvote
The &quot;\&quot; char is used differently in this context. It is saying you are using an ip/netmask pair. i.e. 192.168.0.1/255.255.255.0 . You may find that this list will get very long in a short time. If you check your logs you will see that more and more of these show up every day. I think it may have something to do with the nimda virus looking to exploit an NT server.
 
Upvote 0 Downvote
Rather than blocking all the IP addresses of those running the nimba worm - you may want to follow the advice from Richard Lowe
Basically if you see a bunch of entries in your logs trying to run &quot;cmd.exe&quot; or &quot;root.exe&quot; then you can Redirect these attacks to a non-existent URL and save your server some processing time and your logs won't fill up as fast.

Good luck. Einstein47
(How come we never see the headline, &quot;Psychic Wins Lottery&quot;?)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

AbidingDude
  • Locked
  • Question
Newbie Apache Cache Question
Replies
5
Views
401
AbidingDude
AbidingDude
donald lepariku
  • Locked
  • Question
Error: 694, Severity: 24, State: 10 An attempt was made to read logical page '153', virtpage '616' f 1
Replies
3
Views
346
spamjim
spamjim
malpa
  • Locked
  • Question
block incoming snmp traps from ip
Replies
1
Views
272
malpa
malpa
daniel.warner
  • Locked
  • Question
Desperately need help setting up wildcard certs on Apache/Tomcat
Replies
2
Views
264
daniel.warner
daniel.warner
hobbytech
  • Locked
  • Question
Internet not connecting
Replies
5
Views
352
Stephen_Hawk
Stephen_Hawk

Part and Inventory Search

Sponsor

Back
Top