From: motty cruz
To: users@httpd.apache.org
Date: Wed, 12 Jun 2013 09:16:10 -0700
Subject: Re: [users@httpd] block directories using Apache22

I am not using a virtual host; I'm adding to .htaccess in the root directory of the web site.

But after adding this to my httpd.conf file it worked perfectly fine.

Thank you very much David for your help,

-Motty

On Wed, Jun 12, 2013 at 9:09 AM, David Guerra wrote:

> Yes, it should work just fine. Are you putting this in the virtual host?
>
> On Wed, Jun 12, 2013 at 12:08 PM, motty cruz wrote:
>
>> Thanks for your help David,
>>
>> can this be accomplished in httpd.conf?
>>
>> Thanks,
>>
>> On Wed, Jun 12, 2013 at 9:07 AM, motty cruz wrote:
>>
>>> 192.168.9.43 - - [12/Jun/2013:09:05:23 -0700] "GET /wp-login.php HTTP/1.1" 200 1085
>>>
>>> I am still able to get access from a different IP than the one allowed in .htaccess
>>> as you suggested:
>>>
>>> <Files wp-login.php>
>>> order deny,allow
>>> Deny from all
>>> allow from 192.168.8.4
>>> </Files>
>>>
>>> On Wed, Jun 12, 2013 at 9:01 AM, David Guerra wrote:
>>>
>>>> Try this format:
>>>>
>>>> <Files wp-login.php>
>>>> order deny,allow
>>>> Deny from all
>>>> allow from xx.xxx.xx.xx
>>>> allow from xx.xxx.xx.xx
>>>> </Files>
>>>>
>>>> On Wed, Jun 12, 2013 at 11:52 AM, motty cruz wrote:
>>>>
>>>>> Hello David,
>>>>>
>>>>> this is the content of .htaccess
>>>>>
>>>>> # BEGIN WordPress
>>>>> <IfModule mod_rewrite.c>
>>>>> RewriteEngine On
>>>>> RewriteCond %{REQUEST_METHOD} POST
>>>>> RewriteCond %{HTTP_REFERER} !^http://(.*)?mydomain\.com [NC]
>>>>> RewriteCond %{REQUEST_URI} ^/(.*)?wp-login\.php(.*)$ [OR]
>>>>> RewriteCond %{REQUEST_URI} ^/(.*)?wp-admin$
>>>>> RewriteRule ^(.*)$ - [R=403,L]
>>>>> RewriteBase /
>>>>> RewriteRule ^index\.php$ - [L]
>>>>> RewriteCond %{REQUEST_FILENAME} !-f
>>>>> RewriteCond %{REQUEST_FILENAME} !-d
>>>>> RewriteRule . /index.php [L]
>>>>> </IfModule>
>>>>>
>>>>> <FilesMatch wp-login.php>
>>>>> Order Deny,Allow
>>>>> Deny from all
>>>>> Allow from 192.169.8.4
>>>>> </FilesMatch>
>>>>>
>>>>> # END WordPress
>>>>>
>>>>> but no success!
>>>>>
>>>>> On Wed, Jun 12, 2013 at 8:43 AM, David Guerra wrote:
>>>>>
>>>>>> Flop Allow and Deny so that your IP is whitelisted after the Deny
>>>>>> from all.
>>>>>>
>>>>>> On Wed, Jun 12, 2013 at 11:20 AM, motty cruz wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>> I am trying to block a directory from being accessed except from my IP, but
>>>>>>> I have been unsuccessful in doing so, please help. First I placed this in
>>>>>>> httpd.conf:
>>>>>>>
>>>>>>> <Directory "/usr/local/www/apache22/data">
>>>>>>>     Options Indexes FollowSymLinks
>>>>>>>     Options ALL -Indexes
>>>>>>>     IndexIgnore *
>>>>>>>     AllowOverride None
>>>>>>>     Order allow,deny
>>>>>>>     Allow from all
>>>>>>>
>>>>>>>     RewriteEngine On
>>>>>>>     RewriteBase /
>>>>>>>     RewriteCond %{REQUEST_METHOD} POST
>>>>>>>     RewriteCond %{HTTP_REFERER} !^http://(.*)?mydomain\.com [NC]
>>>>>>>     RewriteCond %{REQUEST_URI} ^/(.*)?wp-login\.php(.*)$ [OR]
>>>>>>>     RewriteCond %{REQUEST_URI} ^/(.*)?wp-admin$
>>>>>>>     RewriteRule ^(.*)$ - [R=403,L]
>>>>>>>     RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
>>>>>>>     RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
>>>>>>>     RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
>>>>>>>     RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
>>>>>>>     RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
>>>>>>>     RewriteRule ^(.*)$ index_error.php [F,L]
>>>>>>>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>>>>>>>     RewriteRule .* - [F]
>>>>>>>     RewriteRule ^my-admin$ wp-login.php [L,NC,QSA]
>>>>>>>     RewriteCond %{REQUEST_FILENAME} !-f
>>>>>>>     RewriteCond %{REQUEST_FILENAME} !-d
>>>>>>>     RewriteRule . /index.php [L]
>>>>>>> </Directory>
>>>>>>>
>>>>>>> I also tried this in the / directory .htaccess:
>>>>>>>
>>>>>>> <FilesMatch wp-login.php>
>>>>>>> Order Allow,Deny
>>>>>>> Allow from 192.168.8.4
>>>>>>> Deny from all
>>>>>>> </FilesMatch>
>>>>>>>
>>>>>>> It is the wp-admin or wp-login.php script that I'm trying to protect
>>>>>>> from brute force attacks.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Motty
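
Added example, not part of the original thread: a simplified Python model of how Apache 2.2 evaluates Order/Allow/Deny, run against the rule sets and addresses quoted above. It assumes full addresses or CIDR ranges only, and treats a .htaccess section as ignored when the enclosing <Directory> sets AllowOverride None, as the posted httpd.conf does; all function and constant names are illustrative.

```python
import ipaddress

ADMIN_IP = "192.168.8.4"    # address allowed in the quoted rules
OTHER_IP = "192.168.9.43"   # client in the quoted access-log line
FIRST_TRY = ("Allow,Deny", [ADMIN_IP], ["all"])  # first .htaccess attempt
SUGGESTED = ("deny,allow", [ADMIN_IP], ["all"])  # format suggested in the reply

def _matches(specs, ip):
    """True if ip matches any 'from' spec: 'all', a full address, or CIDR.
    Partial addresses and hostnames are not modelled (assumption)."""
    addr = ipaddress.ip_address(ip)
    return any(
        s.lower() == "all" or addr in ipaddress.ip_network(s, strict=False)
        for s in specs
    )

def authz_host(order, allow, deny, ip):
    """Simplified model of Apache 2.2 mod_authz_host. Precedence comes from
    Order alone, not from the position of the Allow/Deny lines."""
    allowed, denied = _matches(allow, ip), _matches(deny, ip)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":   # default allow; a matching Allow wins
        return allowed or not denied
    if order == "allow,deny":   # default deny; a matching Deny wins
        return allowed and not denied
    raise ValueError(f"unsupported Order: {order!r}")

def request_allowed(rules, ip, in_htaccess, override_limit):
    """Rules in .htaccess count only if AllowOverride includes Limit. Under
    'AllowOverride None' the file is ignored and the enclosing <Directory>
    policy applies (here 'Order allow,deny' + 'Allow from all', as posted)."""
    if in_htaccess and not override_limit:
        return authz_host("allow,deny", ["all"], [], ip)
    return authz_host(*rules, ip)

def demo():
    return {
        "htaccess_ignored_other": request_allowed(SUGGESTED, OTHER_IP, True, False),
        "httpd_conf_other": request_allowed(SUGGESTED, OTHER_IP, False, False),
        "httpd_conf_admin": request_allowed(SUGGESTED, ADMIN_IP, False, False),
        "first_try_admin": request_allowed(FIRST_TRY, ADMIN_IP, False, False),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'200 allowed' if allowed else '403 denied'}")
```

In this model the ignored .htaccess case lets 192.168.9.43 through, consistent with the 200 in the quoted log line, while the same rules placed in httpd.conf deny it. The Allow,Deny variant denies even 192.168.8.4 once it takes effect, because a matching Deny wins under that order.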