Configuring httpd.conf for IP filtering

PowerYoga

I'm trying to configure some IP blocking on my server and I have some questions about the syntax. I would like to deny a whole IP range of 1.2.3.*, where * is 1-255, since there's been some spambot activity coming from a specific set of addresses.

Under the Directory tag I have:

<Directory /sitename>

stuff

Deny from 1.2.3.1/24
Deny from 4.5.6.7
Deny from etcetcetc

stuff

</Directory>

Is this the right syntax?
 
Feb 25, 2011
16,992
1,621
126
Wouldn't it be better to do this in the firewall? Httpd can block it, but then any other services on the system (SSH, etc.) are still accessible.
 

PowerYoga

This is actually on a hosted solution and I don't have access to the firewall configurations, unfortunately.
 

tomt4535

Do you have access to the software firewall (iptables) on the server? The application can block it fine, but it may be better to block it at a lower level before the traffic even gets to the application.
 

PowerYoga

> Do you have access to the software firewall (iptables) on the server? The application can block it fine, but it may be better to block it at a lower level before the traffic even gets to the application.

I actually don't. The hosted solution doesn't give us access to the software firewall since there are often multiple sites hosted on the VPS owned by different users.

I'm looking at the man page and I have already tried and tested (and failed) those, but noticed the comment below:

123.231 // this WON'T work
123.231. //this WILL work

I mentioned previously I'm attempting to block an IP range using this syntax:

Deny from 1.2.3.1/24

Is this not the right way to block 1.2.3.*?
 

PowerYoga

I have both of those modules declared.

I actually don't have an order allow,deny statement or order deny, allow declaration. I just have the Deny From statements.

The site is being routed through a proxy and load balancer if that matters.
 

PowerYoga

Not available for my hosted solution, or I'd be using it already. They've also requested that we don't install additional firewall solutions as other people share the VPS.
 

Red Squirrel

Yeah I think you did it right.

You need to put order deny,allow though, or order allow,deny. I forget 100% what the difference is, you'll want to read up on it to make sure you put the right one. I think it has to do with priority, so if an IP matches for both allow and deny one takes precedence.

I would also look at maybe putting it in a separate .htaccess or include file just to make it cleaner. It also allows you to dynamically move/add IPs to it easily on the fly, since if you put it in httpd.conf it requires a restart.
 

KillerBee

> I actually don't. The hosted solution doesn't give us access to the software firewall since there are often multiple sites hosted on the VPS owned by different users.
>
> I'm looking at the man page and I have already tried and tested (and failed) those, but noticed the comment below:
>
> I mentioned previously I'm attempting to block an IP range using this syntax:
>
> Deny from 1.2.3.1/24
>
> Is this not the right way to block 1.2.3.*?

Deny from 1.2.3.0/24
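
As an added illustration (not code from any poster in this thread), the Python model below implements how Apache 2.2 combines Order, Allow from and Deny from, using the entries quoted above. It assumes host bits in a CIDR entry are masked off, so 1.2.3.1/24 is read as 1.2.3.0/24, and PROXY is a constructed address standing in for the load balancer mentioned earlier in the thread.

```python
import ipaddress


def canonical(spec):
    """Return the network form of an address or CIDR entry, host bits cleared."""
    return str(ipaddress.ip_network(spec, strict=False))


def matches(peer, specs):
    """True if peer matches any entry; the keyword 'all' matches every address."""
    ip = ipaddress.ip_address(peer)
    return any(s == "all" or ip in ipaddress.ip_network(s, strict=False)
               for s in specs)


def access_allowed(peer, allow=(), deny=(), order="deny,allow"):
    """Model of Order / Allow from / Deny from in Apache 2.2 (mod_authz_host).

    peer is the address of the connection Apache sees. Behind a proxy or
    load balancer that is the proxy's address, not the visitor's.
    """
    allowed, denied = matches(peer, allow), matches(peer, deny)
    if order == "deny,allow":   # the default: allowed unless denied; Allow wins
        return allowed or not denied
    if order == "allow,deny":   # denied unless allowed; Deny wins
        return allowed and not denied
    raise ValueError("unknown Order: " + order)


# Deny entries as posted in the thread; PROXY is a constructed address.
DENY = ["1.2.3.1/24", "4.5.6.7"]
PROXY = "10.0.0.5"

if __name__ == "__main__":
    print(canonical("1.2.3.1/24"))                 # same network as 1.2.3.0/24
    print(access_allowed("1.2.3.77", deny=DENY))   # direct connection from the range
    print(access_allowed(PROXY, deny=DENY))        # same visitor seen via the proxy
    print(access_allowed("1.2.3.77", allow=["all"], deny=DENY, order="allow,deny"))
    print(access_allowed("1.2.3.77", allow=["all"], deny=DENY, order="deny,allow"))
```

With no Order line the default is deny,allow, so bare Deny from entries do block a matching peer; the proxy case shows why they can still appear to have no effect.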