LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-21-2008, 03:22 PM   #1
griffey
Member
 
Registered: Jan 2004
Location: East Central Illinois
Distribution: RHEL 4/5/6 and Fedora
Posts: 81

Rep: Reputation: 15
"Deny from" IP address using http.conf (Apache 2) not blocking the IP address


Hi Folks.

I have a goof that keeps passing bogus POST data to a form on one of my web sites about every half hour.

I have the IP address.

I thought all I needed to do was modify httpd.conf and restart.

<Directory "/web">
Options FollowSymLinks Includes
AllOverride None
Order allow,deny
Allow from all
Deny from xxx.xxx.0.0/16
Deny from xx.xx.xxx.xxx
</Directory>

The last "Deny from" is what I added today. I presume that the original xxx.xxx.0.0/16 is working because addresses in that range no longer show up in my log files.

However, the one I added today, xx.xx.xxx.xxx isn't being blocked.

I tried xx.xx.xxx.xxx/32 as well.

I went back through Apache documentation and it looks like what I'm doing is correct.

Am I missing something?

Thanks in advance for any replies, especially in the next 8 minutes before my half-hourly scheduled visit from this person.

G.--
 
Old 02-21-2008, 04:17 PM   #2
jeenam
Member
 
Registered: Dec 2006
Distribution: Slackware 11
Posts: 144

Rep: Reputation: 15
Try this:

<Directory "/web">
Options FollowSymLinks Includes
AllOverride None
Order deny,allow
Deny from xxx.xxx.0.0/16
Deny from xx.xx.xxx.xxx
Allow from all
</Directory>
 
Old 02-22-2008, 08:32 AM   #3
griffey
Member
 
Registered: Jan 2004
Location: East Central Illinois
Distribution: RHEL 4/5/6 and Fedora
Posts: 81

Original Poster
Rep: Reputation: 15
Hmm. Unfortunately that didn't work (I think "Allow from all" at the end overrides all the "deny" lines, even if the order is deny,allow). Thank you for replying, however.

When I do it the original way I listed it, and use my own IP address, it "works." That is, if I try to request a web page from my server I get the Red Hat Linux Test Apache page and an error gets written to the error-log for the web site.

However, when I replace my address with the one of the goon in Russia that keeps POSTing to one of my pages, the lines still appear in the normal access-log, not the error-log, which is what is confusing me (and obviously I can't see what displays on their browser...).

No matter.

Code:
-A RH-Firewall-1-INPUT -s xx.xx.xxx.xxx -m state --state NEW -m tcp -p tcp --dport 80 -j DROP
And that takes care of that.

G.--
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
"sbin/route" blocking ip address Hondro Linux - Networking 1 02-14-2008 05:57 AM
dhcpd.conf "range" spanning address classes? michaelsanford Linux - Networking 2 04-08-2005 05:19 PM
difference between "Web server local URL" and "IPv4 address"? kpachopoulos Linux - General 2 09-17-2004 01:30 PM
Blocking IP Address ranges in dhcpd.conf pmcdaid Linux - Networking 4 06-09-2004 09:18 AM
"host" ok, but "ping" can't find ip address hardigunawan Linux - Networking 2 05-16-2002 05:41 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:38 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration