Blocking apache access by host

If your web server is under attack, but you don’t have access to a
firewall (perhaps you are hosting your site on someone else’s box), you can deny access by
host.  Here’s how.

.htaccess is your friend

The .htaccess file can be used to deny and allow access.
Here is a typical configuration:

<Limit GET POST>
   order deny,allow
   deny from all
   allow from all
</Limit>

For more detail on this, please see the following Apache documentation:

What I did was change the order directive to mutual-failure, which, according
to the documentation, means "those hosts which appear on the allow list and do not
appear on the deny list are granted access".  That is what I want.

So here is what you can do:

<Limit GET POST>
   order mutual-failure
   deny from aa.bb.cc.dd  ff.gg.hh.0/24
   allow from all
</Limit>

This will deny access from the IP address aa.bb.cc.dd and the ff.gg.hh.0/24 subnet.

Be careful with those addresses!

If you are blocking subnets, be sure to use ff.gg.hh.0/24 and not
ff.gg.hh.ii/24.  In other words, the unspecified parts of the address must be zero.
I like being able to specify the IP address and then the mask, mostly because it
reminds me of the IP address which caused the problem in the first place.
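
The subnet rule above can be applied mechanically. The following is an added example, not code from the original post: it zeroes the host bits of each subnet entry, keeps the offending address as a comment line, drops hosts already covered by a listed subnet, and prints the block in the form shown earlier. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

def normalize(entries):
    """Return (deny_entries, notes) with host bits zeroed and redundant entries dropped."""
    nets, notes = [], []
    for raw in entries:
        raw = raw.strip()
        # strict=False masks off the host bits; a bare address becomes a /32 (or /128).
        # Malformed input raises ValueError instead of reaching the .htaccess file.
        net = ipaddress.ip_network(raw, strict=False)
        if "/" in raw and str(net) != raw:
            # Keep the address that caused the problem as a comment line
            notes.append(f"# {raw} rewritten as {net}")
        if net not in nets:
            nets.append(net)
    kept = []
    for n in nets:
        cover = next((o for o in nets
                      if o != n and o.version == n.version and n.subnet_of(o)), None)
        if cover is not None:
            notes.append(f"# {n} already covered by {cover}")
        else:
            kept.append(n)
    # Single hosts are written bare and subnets in CIDR form, as in the post
    deny = [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n)
            for n in kept]
    return deny, notes

def render_limit_block(entries):
    """Build the <Limit> block from the post with a validated deny line."""
    deny, notes = normalize(entries)
    if not deny:
        raise ValueError("no addresses to deny")
    return "\n".join(notes + [
        "<Limit GET POST>",
        "   order mutual-failure",
        "   deny from " + "  ".join(deny),
        "   allow from all",
        "</Limit>",
    ])

# Constructed sample input using documentation address ranges
SAMPLE = ["203.0.113.9", "198.51.100.77/24", "198.51.100.5", "198.51.100.0/24"]

if __name__ == "__main__":
    print(render_limit_block(SAMPLE))
```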
