Jan 27 2000

Blocking apache access by host

If your web server is under attack, but you don’t have access to a firewall (perhaps you are hosting your site on someone else’s box), you can deny access by host.  Here’s how.

.htaccess is your friend

The .htaccess file can be used to deny and allow access.  Here is a typical configuration:
<Limit GET POST>
   order deny,allow
   deny from all
   allow from all
</Limit>

For more detail on this, please see the following Apache documentation:

What I did was change the order directive to mutual-failure, which, according to the documentation, means that "those hosts which appear on the allow list and do not appear on the deny list are granted access".  That is exactly what I want.

So here is what you can do:

<Limit GET POST>
   order mutual-failure
   deny from aa.bb.cc.dd  ff.gg.hh.0/24
   allow from all
</Limit>

This will deny access from the IP address aa.bb.cc.dd and the ff.gg.hh.0/24 subnet.

Be careful with those addresses!

If you are blocking subnets, be sure to use ff.gg.hh.0/24 and not ff.gg.hh.ii/24.  In other words, the unspecified parts of the address must be zero.   I like being able to specify the IP address and then the mask, mostly because it reminds me of the IP address which caused the problem in the first place.
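To see why order deny,allow would let the blocked host straight through while mutual-failure keeps it out, and to check the host-bits-must-be-zero rule above, here is an added Python model of the mod_access evaluation rules (written for this post, not Apache's own code); the addresses are constructed documentation ranges, and the order semantics are taken from the Apache 1.3 documentation as an assumption of the model.

```python
import ipaddress

# Constructed sample rule set in the shape of the post's second .htaccess:
#   deny from 192.0.2.7 198.51.100.0/24   (documentation ranges, not real hosts)
#   allow from all
DENY = ["192.0.2.7", "198.51.100.0/24"]
ALLOW = ["all"]

def _matches(client, entry):
    """True if a client address matches one 'deny from'/'allow from' entry:
    'all', a full address, or a network as a.b.c.d/nn or a.b.c.d/m.m.m.m."""
    if entry == "all":
        return True
    if "/" in entry:
        # strict=False: accept the entry even if its host bits are set
        return client in ipaddress.ip_network(entry, strict=False)
    return client == ipaddress.ip_address(entry)

def evaluate(order, deny, allow, client_ip):
    """Model of Apache 1.3 mod_access 'order' semantics (an assumption of
    this example, written from the documented rules; not Apache's code).
    Returns 'allow' or 'deny' for the given client address."""
    client = ipaddress.ip_address(client_ip)
    denied = any(_matches(client, e) for e in deny)
    allowed = any(_matches(client, e) for e in allow)
    if order == "deny,allow":
        # deny list first, a matching allow overrides it; default is allow
        return "allow" if allowed or not denied else "deny"
    if order in ("allow,deny", "mutual-failure"):
        # must be on the allow list and must not be on the deny list
        return "allow" if allowed and not denied else "deny"
    raise ValueError("unknown order: " + order)

def host_bits_zero(entry):
    """True if a network entry has its unspecified bits zero (ff.gg.hh.0/24),
    False for something like ff.gg.hh.ii/24 that the post warns against."""
    try:
        ipaddress.ip_network(entry, strict=True)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for ip in ("192.0.2.7", "198.51.100.42", "203.0.113.5"):
        # 'deny,allow' lets 192.0.2.7 through because 'allow from all' wins
        print(ip, "deny,allow ->", evaluate("deny,allow", DENY, ALLOW, ip),
              "| mutual-failure ->", evaluate("mutual-failure", DENY, ALLOW, ip))
    for entry in ("198.51.100.0/24", "198.51.100.9/24"):
        print(entry, "host bits zero:", host_bits_zero(entry))
```

In Apache 2.2 the documentation already describes Mutual-failure as equivalent to Allow,Deny, and Apache 2.4 replaced Order/Allow/Deny with Require directives, keeping the old ones only in mod_access_compat.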