httpd-users mailing list archives

From Nilesh Govindarajan <li...@itech7.com>
Subject Re: [users@httpd] trying to ban IPs using htaccess - not working
Date Mon, 26 Jul 2010 05:32:54 GMT
On Sat, Jul 24, 2010 at 5:40 AM, Bennett Haselton <bennett@peacefire.org> wrote:
> I'm trying to ban certain IPs from visiting my site, so that they instead
> see a message saying "Your IP has been banned, email me if you think this is
> an error."  I've *almost* got it working -- when people visit URLs like
> http://209.160.28.154/index.html
> or
> http://209.160.28.154/foo-does-not-exist
> they see the "banned IP" message.  However, the problem is that if you try
> to access the front page:
> http://209.160.28.154/
> from a banned IP address, you see the "Apache Test Page for CentOS" page,
> instead of seeing the "banned IP" message.  Anybody recognize this problem
> or have an idea of what could be causing it?
>
> In my httpd.conf file, I changed "AllowOverride None" to "AllowOverride All"
> in both the default <Directory /> tag and inside the <Directory
> "/var/www/html"> tag -- I placed a modified copy of httpd.conf at:
> http://209.160.28.154/httpd.conf
> and in /var/www/html I placed a .htaccess file containing these lines:
>>>>
> ErrorDocument 403 /banned_ip.php
> order deny,allow
> deny from 71.112.32.149
>>>>
> and restarted the server.  (The page http://209.160.28.154/banned_ip.php
> shows the message you're supposed to see when connecting from a banned IP.
>  71.112.32.149 is my home machine IP which I've "banned" for testing
> purposes.)
>
> So like I said, that almost works, where http://209.160.28.154/index.html
> gives the right error message, but http://209.160.28.154/ does not.  Any
> idea how to change it so that all URLs under http://209.160.28.154/ will
> give the "banned IP" message if connecting from a banned IP?
>
>        -Bennett
>

If you want to block the IPs on all services you could use iptables
along with ipset.
You could also put them directly in iptables as chain rules, but as
the number of IPs increases, it increases the CPU usage like hell.
ipset is a viable solution in that case.
You just need kernel headers and (probably, I don't remember)
netfilter source to compile iptables.

-- 
Regards,
Nilesh Govindarajan
Facebook: http://www.facebook.com/nilesh.gr
Twitter: http://twitter.com/nileshgr
Website: http://www.itech7.com
VPS Hosting: http://www.itech7.com/a/vps

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
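
The iptables-plus-ipset approach suggested in the reply above, as an added example that is not part of the original message: a script that validates a ban list and emits `ipset restore` input, so the firewall matches one set instead of growing a rule per address. The set name `banned_ips`, the sample addresses, and the use of current ipset/iptables syntax (`hash:ip`, `--match-set`) are assumptions.

```shell
#!/bin/sh
# Added example: turn a ban list into `ipset restore` input, so the firewall
# keeps one set-match rule instead of one iptables rule per banned address.
SET_NAME="banned_ips"   # hypothetical set name

# is_ipv4 ADDR: succeed only for a strict dotted-quad (no leading zeros,
# which some parsers would read as octal).
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# gen_ipset_restore: ban list on stdin (one address per line, '#' comments
# allowed) -> restore commands on stdout, rejected entries on stderr.
gen_ipset_restore() {
    echo "create $SET_NAME hash:ip family inet"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' | LC_ALL=C sort -u |
    while IFS= read -r addr; do
        if is_ipv4 "$addr"; then
            echo "add $SET_NAME $addr"
        else
            echo "skipped invalid entry: $addr" >&2
        fi
    done
}

# Constructed sample input (documentation addresses, one duplicate, two bad).
sample_ban_list() {
    printf '%s\n' '192.0.2.10' '198.51.100.7  # scanner' '192.0.2.10' \
        '203.0.113.999' '010.0.0.1'
}

sample_ban_list | gen_ipset_restore

# To apply as root (not run here):
#   sample_ban_list | gen_ipset_restore | ipset -exist restore
#   iptables -I INPUT -m set --match-set banned_ips src -j DROP
```

Because the rule drops packets in the kernel, a banned client gets no response at all rather than the "banned IP" page the original question asks for.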

