httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] ESTABLISHED connections
Date Sat, 14 Mar 2015 04:20:26 GMT
On 14/03/2015 2:21 PM, "el kalin" <kalin@el.net> wrote:
>
> i don't see it in package ports…
>
> On Fri, Mar 13, 2015 at 7:59 PM, Jim Albert <jim@netrition.com> wrote:
>>
>> On 3/13/2015 7:54 PM, el kalin wrote:
>>>
>>>
>>>
>>> On Fri, Mar 13, 2015 at 7:36 PM, Jim Albert <jim@netrition.com
>>> <mailto:jim@netrition.com>> wrote:
>>>
>>>     On 3/13/2015 7:17 PM, el kalin wrote:
>>>
>>>
>>>         if i have this in the
>>>
>>>         <Directory "/server/doc/root">
>>>
>>>                   Order allow,deny
>>>                   Allow from all
>>>                   deny from 111.10.250.188
>>>         </Directory>
>>>         ESTABLISHED
>>>         tcp        0      0  ip-10-102-190-93.http
111.10.250.188.inovapo
>>>         ESTABLISHED
>>>
>>>
>>>         this is growing with every netstat i do.  any ideas???
>>>
>>>         thanks…
>>>
>>>
>>>     I believe your Order allow, deny is correct.
>>>
>>>
>>> i believe so too...
>>>
>>>     You are controlling what can be served by Apache, but not the actual
>>>     network connection to your Apache server, hence the continued
>>>     entries in your connection table. I would assume your Apache error
>>>     log is spewing lots of access denied or such errors indicating your
>>>     deny is working.
>>>
>>>
>>>     If you really want to keep a given an IP address completely out of
>>>     Apache, block it in iptables or better yet the firewall behind which
>>>     your Apache server sits, but iptables will do it.
>>>
>>>
>>> i'm aware. the problem is that this is an netbsd ec2 (amazon instance)
>>> and the only "firewall" right now is the security groups that service
>>> offers. those are not meant to block individual ips. they are rather all
>>> exclusive. so my only other option was pf. which i'm used to but it
>>> appears that the whole dynamic kernel module loading is screwed up
>>> because of the kernel build to fit xen…   and so on…
>>
>>
>> iptables?
>>
>>
>> --
>> Jim Albert
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
Thought I would mention another option just for the record. If you compile
apache yourself you can compile it with libwrap support and use tcp
wrappers to deny host. Put the host in /etc/hosts.deny and you are done.

httpd: 111.10.250.188/32

or

apache2: 111.10.250.188/32

depends on the name of your binary.

Mime
View raw message