From: Igor Cicimov
To: users@httpd.apache.org
Date: Sat, 14 Mar 2015 15:20:26 +1100
Subject: Re: [users@httpd] ESTABLISHED connections


On 14/03/2015 2:21 PM, "el kalin" <kalin@el.net> wrote:
>
> i don't see it in package ports…
>
> On Fri, Mar 13, 2015 at 7:59 PM, Jim Albert <jim@netrition.com> wrote:
>>
>> On 3/13/2015 7:54 PM, el kalin wrote:
>>>
>>> On Fri, Mar 13, 2015 at 7:36 PM, Jim Albert <jim@netrition.com> wrote:
>>>
>>>     On 3/13/2015 7:17 PM, el kalin wrote:
>>>
>>>         if i have this in the
>>>
>>>         <Directory "/server/doc/root">
>>>                 Order allow,deny
>>>                 Allow from all
>>>                 deny from 111.10.250.188
>>>         </Directory>
>>>
>>>         ESTABLISHED
>>>         tcp        0      0  ip-10-102-190-93.http  111.10.250.188.inovapo
>>>         ESTABLISHED
>>>
>>>         this is growing with every netstat i do.  any ideas???
>>>
>>>         thanks…
>>>
>>>     I believe your Order allow, deny is correct.
>>>
>>> i believe so too...
>>>
>>>     You are controlling what can be served by Apache, but not the actual
>>>     network connection to your Apache server, hence the continued
>>>     entries in your connection table. I would assume your Apache error
>>>     log is spewing lots of access denied or such errors indicating your
>>>     deny is working.
>>>
>>>     If you really want to keep a given IP address completely out of
>>>     Apache, block it in iptables or better yet the firewall behind which
>>>     your Apache server sits, but iptables will do it.
>>>
>>> i'm aware. the problem is that this is a netbsd ec2 (amazon instance)
>>> and the only "firewall" right now is the security groups that service
>>> offers. those are not meant to block individual ips. they are rather all
>>> exclusive. so my only other option was pf. which i'm used to but it
>>> appears that the whole dynamic kernel module loading is screwed up
>>> because of the kernel build to fit xen… and so on…
>>
>> iptables?
>>
>> --
>> Jim Albert
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
Thought I would mention another option just for the record. If you compile apache yourself you can compile it with libwrap support and use tcp wrappers to deny the host. Put the host in /etc/hosts.deny and you are done.

httpd: 111.10.250.188/32

or

apache2: 111.10.250.188/32

depends on the name of your binary.
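The point Jim makes above is that `Order allow,deny` with `deny from 111.10.250.188` only decides what Apache serves; the TCP handshake still completes, the connection still sits in the kernel table, and the request is answered with a 403. The script below is an added example (not code from this thread or from the Apache project) that makes that visible for a defender: it evaluates a `<Directory>` block's Order/Allow/Deny rules the way Apache 2.2's mod_access does (as I understand its semantics: with `Order allow,deny` a client is allowed only if it matches an Allow and no Deny; with `Order deny,allow` it is denied only if it matches a Deny and no Allow), counts ESTABLISHED connections per peer from BSD-style `netstat` output, counts 403 responses per client from a combined-format access log, and lists the peers that Apache denies but that are still connecting, which are the ones to block with pf, iptables, security groups or hosts.deny. The netstat lines, access-log lines and config are constructed samples; only full addresses, CIDR blocks and `all` are matched (Apache's partial dotted prefixes and netmask forms are not handled here).

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed samples, not output from the original poster's server.
CONFIG_SAMPLE = """\
<Directory "/server/doc/root">
    Order allow,deny
    Allow from all
    deny from 111.10.250.188
</Directory>
"""

NETSTAT_SAMPLE = """\
tcp        0      0  ip-10-102-190-93.http  111.10.250.188.inovapo  ESTABLISHED
tcp        0      0  ip-10-102-190-93.http  111.10.250.188.51234    ESTABLISHED
tcp        0      0  ip-10-102-190-93.http  111.10.250.188.51235    TIME_WAIT
tcp        0      0  ip-10-102-190-93.http  203.0.113.7.40001       ESTABLISHED
tcp        0      0  *.http                 *.*                     LISTEN
"""

ACCESS_LOG_SAMPLE = """\
111.10.250.188 - - [13/Mar/2015:19:17:02 -0400] "GET / HTTP/1.1" 403 202 "-" "Mozilla/5.0"
111.10.250.188 - - [13/Mar/2015:19:17:03 -0400] "GET /index.html HTTP/1.1" 403 202 "-" "Mozilla/5.0"
203.0.113.7 - - [13/Mar/2015:19:17:05 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "request", status ...
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) ')


def parse_access_rules(config):
    """Collect Order, Allow from and Deny from directives from a config body."""
    order, allow, deny = ("allow", "deny"), [], []
    for raw in config.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("order "):
            order = tuple(p.strip() for p in low[len("order "):].split(","))
        elif low.startswith("allow from "):
            allow.extend(line[len("allow from "):].split())
        elif low.startswith("deny from "):
            deny.extend(line[len("deny from "):].split())
    return order, allow, deny


def _matches(client, patterns):
    """True if the client matches any pattern ('all', an address or a CIDR block).
    Assumption: partial dotted prefixes such as '111.10' are not supported here."""
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        addr = None  # hostnames from a resolving netstat only match 'all'
    for pat in patterns:
        if pat.lower() == "all":
            return True
        if addr is None:
            continue
        try:
            if addr in ipaddress.ip_network(pat, strict=False):
                return True
        except ValueError:
            continue
    return False


def access_decision(client, order, allow, deny):
    """mod_access evaluation for the two common Order values (assumed semantics)."""
    allowed, denied = _matches(client, allow), _matches(client, deny)
    if order == ("allow", "deny"):
        return "allowed" if allowed and not denied else "denied"
    if order == ("deny", "allow"):
        return "denied" if denied and not allowed else "allowed"
    raise ValueError("unsupported Order %r" % (order,))


def established_by_peer(netstat_text):
    """Count ESTABLISHED TCP connections per remote host (BSD 'host.port' column)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp4", "tcp6") or f[5] != "ESTABLISHED":
            continue
        peer, _, _port = f[4].rpartition(".")  # strip the trailing port/service name
        counts[peer] += 1
    return counts


def status_by_client(log_text):
    """Count HTTP status codes per client address from combined-format log lines."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            per_ip[m.group(1)][int(m.group(2))] += 1
    return per_ip


def report(config, netstat_text, log_text):
    """Per client: Apache's decision, live connections, and 403s already served."""
    order, allow, deny = parse_access_rules(config)
    conns, statuses = established_by_peer(netstat_text), status_by_client(log_text)
    return {
        ip: {
            "apache_decision": access_decision(ip, order, allow, deny),
            "established": conns.get(ip, 0),
            "forbidden_responses": statuses.get(ip, Counter()).get(403, 0),
        }
        for ip in set(conns) | set(statuses)
    }


if __name__ == "__main__":
    for ip, row in sorted(report(CONFIG_SAMPLE, NETSTAT_SAMPLE, ACCESS_LOG_SAMPLE).items()):
        note = "  <- denied by Apache but still connecting; block at the network layer" \
            if row["apache_decision"] == "denied" and row["established"] else ""
        print("%-16s %s  established=%d  403s=%d%s" % (
            ip, row["apache_decision"], row["established"], row["forbidden_responses"], note))
```

On a real host the three inputs come from the `<Directory>` block in question, `netstat -an -f inet` (or `netstat -n` on Linux, after adapting the peer column split to `host:port`) and the access log; a client that shows up as denied with a non-zero established count is exactly the case in this thread, and the 403 count confirms the Apache rule is doing its job at the HTTP layer.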
