
griffey 02-21-2008 04:22 PM

"Deny from" IP address using http.conf (Apache 2) not blocking the IP address
 
Hi Folks.

I have a goof that keeps passing bogus POST data to a form on one of my web sites about every half hour.

I have the IP address.

I thought all I needed to do was modify httpd.conf and restart.

<Directory "/web">
Options FollowSymLinks Includes
AllowOverride None
Order allow,deny
Allow from all
Deny from xxx.xxx.0.0/16
Deny from xx.xx.xxx.xxx
</Directory>

The last "Deny from" is what I added today. I presume that the original xxx.xxx.0.0/16 is working because addresses in that range no longer show up in my log files.

However, the one I added today, xx.xx.xxx.xxx isn't being blocked.

I tried xx.xx.xxx.xxx/32 as well.

I went back through Apache documentation and it looks like what I'm doing is correct.

Am I missing something?

Thanks in advance for any replies, especially in the next 8 minutes before my half-hourly scheduled visit from this person. :)

G.--

jeenam 02-21-2008 05:17 PM

Try this:

<Directory "/web">
Options FollowSymLinks Includes
AllowOverride None
Order deny,allow
Deny from xxx.xxx.0.0/16
Deny from xx.xx.xxx.xxx
Allow from all
</Directory>

griffey 02-22-2008 09:32 AM

Hmm. Unfortunately that didn't work (I think "Allow from all" at the end overrides all the "deny" lines, even if the order is deny,allow). Thank you for replying, however.

When I do it the original way I listed it, and use my own IP address, it "works." That is, if I try to request a web page from my server I get the Red Hat Linux Test Apache page and an error gets written to the error-log for the web site.

However, when I replace my address with the one of the goon in Russia that keeps POSTing to one of my pages, the lines still appear in the normal access-log, not the error-log, which is what is confusing me (and obviously I can't see what displays on their browser...).

No matter.

Code:

-A RH-Firewall-1-INPUT -s xx.xx.xxx.xxx -m state --state NEW -m tcp -p tcp --dport 80 -j DROP

And that takes care of that. :)

G.--
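
Added example, not part of the thread and not Apache's own code: a small Python model of how the Order directive documented for Apache 2.x combines Allow from and Deny from, run over the two configurations posted above. The addresses are constructed stand-ins for the masked ones, and only "all", full IP addresses and CIDR blocks are modelled.

```python
import ipaddress

# Constructed stand-ins for the masked addresses in the thread (documentation ranges).
ORIGINAL = ["Order allow,deny", "Allow from all",
            "Deny from 198.51.100.0/24", "Deny from 203.0.113.7"]
SUGGESTED = ["Order deny,allow", "Deny from 198.51.100.0/24",
             "Deny from 203.0.113.7", "Allow from all"]

def parse_rules(lines):
    """Collect Order, Allow from and Deny from out of a <Directory> body."""
    order, allow, deny = "deny,allow", [], []  # Apache's default is Order Deny,Allow
    for line in lines:
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "order":
            order = "".join(words[1:]).lower()
        elif len(words) >= 3 and words[1].lower() == "from":
            if words[0].lower() == "allow":
                allow.extend(words[2:])
            elif words[0].lower() == "deny":
                deny.extend(words[2:])
    return order, allow, deny

def matches(client, specs):
    """True if client matches any spec; only 'all', a full IP or CIDR is modelled."""
    ip = ipaddress.ip_address(client)
    return any(s.lower() == "all" or ip in ipaddress.ip_network(s, strict=False)
               for s in specs)

def access_allowed(client, lines):
    """Apply the Order rules; the position of the lines in the file does not matter."""
    order, allow, deny = parse_rules(lines)
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "allow,deny":
        # Default is deny; a matching Deny overrides a matching Allow.
        return allowed and not denied
    if order == "deny,allow":
        # Default is allow; a matching Allow overrides a matching Deny.
        return allowed or not denied
    raise ValueError("unsupported Order value: " + order)

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        for client in ("203.0.113.7", "198.51.100.23", "192.0.2.10"):
            verdict = "allowed" if access_allowed(client, conf) else "denied"
            print(f"{name:9} {client:15} {verdict}")
```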

