.htaccess Help


freddy333


# allow all except those indicated here
<Files *>
order allow,deny
allow from all
deny from xxx.xxx.xxx.xxx xxx.xxx.xxx
deny from xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
</Files>

Anyone know why my .htaccess has stopped blocking IP addresses?

 

I have been using the same .htaccess on my BSD/Apache web server for many years & I have always been able to block unwanted IP addresses using it. But, recently, although nothing has changed on the server (no hacker break ins), denied IP addresses are getting through. I have tried blocking entire ranges, which has also previously worked, but neither is working now.

 

Can anyone familiar with Unix Apache web servers tell me if they see what might be causing the problem?


I'm not sure what you are doing on the deny side of things, as it appears you have two IP addresses on the same line. I'm not terribly familiar with htaccess, but I thought you had to put one IP (or range) per line.

 

order allow,deny
# specify a specific address
deny from xxx.xxx.xxx.xxx
# specify a subnet range
deny from xxx.xxx.xxx.xxx/xx
# specify an IP address wildcard
deny from xxx.xxx.*
allow from all


Your server? Linux? Don't bother with this .htaccess crap

And look at:

iptables -h

Having a *true* firewall is always better

Depending on your distribution (Debian, for example), you may need to add a file to initialise iptables at each restart of the computer

--

Off topic, but if you want to stay with .htaccess, try to:

1- check the permissions of the file

2- check the apache2 error log and/or syslog (depending on your configuration) after requesting a file protected by the .htaccess

3- check the apache2 configuration to see if the .htaccess is still used:

<Directory /your/directory>
AllowOverride All
...
</Directory>

Don't forget to restart apache2 after config modification

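The three checks in the post above, scripted as an added example (not code from the thread): the .htaccess, httpd.conf and error_log it creates are constructed under a temporary directory, the client address is a documentation range, and each check is a function so it can be pointed at real paths instead. An AllowOverride None block makes Apache ignore the .htaccess without logging anything, which is what check 3 looks for.

```python
import os, re, stat, tempfile

def htaccess_world_readable(path):
    """Check 1: the web-server user is usually neither owner nor group of a root-uploaded file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def denial_count(error_log, client_ip):
    """Check 2: how often the error log shows the server denying this client."""
    needle = "[client %s] client denied by server configuration" % client_ip
    with open(error_log) as fh:
        return sum(1 for line in fh if needle in line)

def allow_override(httpd_conf, directory):
    """Check 3: AllowOverride in the <Directory> block for `directory` (None if no block sets it)."""
    current, value = None, None
    with open(httpd_conf) as fh:
        for line in fh:
            line = line.strip()
            m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
            if m:
                current = m.group(1).rstrip("/")
            elif line.lower() == "</directory>":
                current = None
            elif current == directory.rstrip("/") and line.lower().startswith("allowoverride"):
                value = line.split(None, 1)[1]      # "None" here means .htaccess is silently ignored
    return value

def build_sample():
    """Constructed layout reproducing the failure modes discussed above (not real paths)."""
    root = tempfile.mkdtemp()
    docroot = os.path.join(root, "public_html")
    os.mkdir(docroot)
    paths = {"docroot": docroot, "htaccess": os.path.join(docroot, ".htaccess"),
             "conf": os.path.join(root, "httpd.conf"), "log": os.path.join(root, "error_log")}
    with open(paths["htaccess"], "w") as fh:
        fh.write("order allow,deny\nallow from all\ndeny from 198.51.100.0/24\n")
    os.chmod(paths["htaccess"], 0o771)                  # uploaded as root with mode 771
    with open(paths["conf"], "w") as fh:
        fh.write("<Directory %s>\n    AllowOverride None\n</Directory>\n" % docroot)
    with open(paths["log"], "w") as fh:
        fh.write("[Sat Jul 26 00:01:03 2014] [error] [client 198.51.100.5] client denied "
                 "by server configuration: %s/footer.shtml\n" % docroot)
    return paths

if __name__ == "__main__":
    p = build_sample()
    print("world-readable:", htaccess_world_readable(p["htaccess"]))
    print("denials logged:", denial_count(p["log"], "198.51.100.5"))
    print("AllowOverride:", allow_override(p["conf"], p["docroot"]))
```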

Your server? Linux? Don't bother with this .htaccess crap

Don't forget to restart apache2 after config modification

No, BSD & until just recently, .htaccess has been 100% effective in blocking any IP or range added. Either I added something incorrectly (typo) that caused it to stop working or there is some new hack (I am not aware of) that allows people to bypass it.

No, there are no "hacks" possible :)

But to be quite honest, IP bans are ineffective -- a simple VPN / proxy does the trick. Only an IP white-list is worth the hassle of editing a list

I don't know much about BSD, unless you're using Mac OS X, but you should check the default software firewall provided

Did you check the permissions of the .htaccess file?

You edit the file on your computer, you upload it as root, and if the perms are 771, apache2 is now unable to read your file (just an example)

If there are bad characters, you will have some errors in your apache logs. Just check this. Activate error logging if it is not already on

It's your best chance to find out what's wrong

R.

Also, restarting this apache2 bullshit is not a bad idea (yeah, I don't like apache at all…)


If a banned IP re-enters via a proxy or vpn, the originally banned IP should not show up again. But that is what is happening, so I do not think they are using a proxy/vpn. Somehow, our .htaccess has stopped working. So, if there isn't a hack way around it, we must have entered something (an incorrectly formed IP) that is causing the .htaccess file to be non-functional.


We're running apache1 and there is this entry in the error_log for 1 of the IPs (I have replaced a portion of the IP with xxx since this is posted publicly) that are supposed to be blocked -

 

[sat Jul 26 00:00:01 2014] [notice] Apache/1.3.33 configured -- resuming normal operations
[sat Jul 26 00:00:01 2014] [notice] Accept mutex: flock (Default: flock)
[sat Jul 26 00:01:03 2014] [error] [client 193.150.xxx.xx] client denied by server configuration: /usr/home/triumphpc/public_html/footer.shtml
[sat Jul 26 00:01:03 2014] [error] [client 193.150.xxx.xx] unable to include "../footer.shtml" in parsed file /usr/home/triumphpc/public_html/exam/exam.shtml
[sat Jul 26 00:01:04 2014] [error] [client 193.150.xxx.xx] client denied by server configuration: /usr/home/triumphpc/public_html/footer.shtml
[sat Jul 26 00:01:04 2014] [error] [client 193.150.xxx.xx] unable to include "../footer.shtml" in parsed file /usr/home/triumphpc/public_html/exam/exam.shtml
[sat Jul 26 00:01:05 2014] [error] [client 193.150.xxx.xx] client denied by server configuration: /usr/home/triumphpc/public_html/footer.shtml
[sat Jul 26 00:01:05 2014] [error] [client 193.150.xxx.xx] unable to include "../footer.shtml" in parsed file /usr/home/triumphpc/public_html/exam/exam.shtml
 

Both the IP (193.150.xxx.xx) and the range (193.150.xxx) are on one of the deny lines in our .htaccess, yet they keep getting in.

Any ideas?


As has been said, change it to one IP address per deny line (and possibly change specific IPs to blocks if you need to).

Personally I would put these in the main apache config file if you can, it's far easier to manage if they're all in one file (or a few included files if they're big)

I also add a deny line with the local static IP address of a test machine on my LAN, watch the log files and then test it to make sure what I'm trying to do is working, before turning on the deny lines for the big bad world - nothing more frustrating than finding out you've blocked the whole of your website to everyone through an error in a config file!


freddy333,

 

Sounds like your current configuration is working, even if I don't see why apache qualifies this as an "error"

Why do you think your .htaccess is not working? Did you try it from your own IP?

However, apache version 1 is very, very old software. I can't imagine it's still used :) You should seriously think about using a more recent and maintained web server (nginx, for example)


Ah, I see you're using SSI. That complicates these rules a lot.

Are you using virtual hosts in the main apache2.conf? (I.e. Does /etc/apache2 have a sites-enabled directory?)

If so, cd to there and edit the 000-default file.

In there it specifies the main root of the WWW directory tree, on mine it's DocumentRoot /var/www/

Below that there is a directive section that has the default 'Order allow,deny' section in it.

I would copy your deny lines (one ip per line) and paste them into that section immediately below the 'allow from all'.

Remove them from the .htaccess file, then stop and start Apache and see if that works.

As to why it's stopped working, you may find that it's done an upgrade and put some of the configuration files back to the default versions. If it does this it renames the old, modified config file and IIRC appends '.old' to the end or something like that.


Sounds like your current configuration is working, even if I don't see why apache qualifies this as an "error"

It is not the errors that I am asking about. I just want to figure out why some (not all) IPs are able to access our web server after they have been added to the .htaccess deny lines.

Why do you think your .htaccess is not working? Did you try it from your own IP?

As of this morning, the problem is continuing with the same range of Ukrainian IPs (193.201.224). Based on what they are doing, it appears to be the same person, but they are being logged with the last part of their IP being different.

However, apache version 1 is very, very old software. I can't imagine it's still used :) You should seriously think about using a more recent and maintained web server (nginx, for example)

Unfortunately, I have not kept up on my Unix administration skills & the guy who was handling this left. If I had enough current experience or the money to pay someone, we would definitely upgrade both the OS and hardware (both are several years old). But, other than this very recent .htaccess issue with these Ukrainian IPs, both servers are running well & neither has experienced an access problem in the nearly 20 years of operation. But the continuing accesses by these Ukrainian IPs are very concerning.

I suppose your .htaccess file is located here?:

/usr/home/triumphpc/public_html/.htaccess

I'm assuming you already have something like:

deny from 193.201.224.*

In your config?

I'm also assuming you don't have an allow all rule before any deny rule?

Would you mind sharing your current .htaccess file? If apache is reporting it is reading your current .htaccess, your problem must be inside the file

Apart from your current problem,

The problem with running old hardware, old software, and old content in general is that it's now difficult to find someone who can manage this stuff.

Keeping all the knowledge on recent things is almost impossible to do, so you can imagine what happens with the old stuff...

Old things work… until they don't work anymore. And you won't like that day

Take a look at current VPS providers like linode. Starting at $10/month with very good performance. Also, running something like Debian 7 is clearly easier than any BSD (who seriously uses this for web hosting anymore?).

With the correct tips, you can install a new web server with all the software needed in less than 10 minutes. I can share my knowledge with pleasure

Just out of curiosity, but is your website using databases? If it's only static files, or shtml (ssi), it's worth taking a look at the "new stuff" ;) it must be simple to migrate this to a new hosting.

If you're using databases, it might be another story :)


I suppose your .htaccess file is located here?:

/usr/home/triumphpc/public_html/.htaccess

I'm assuming you already have something like:

deny from 193.201.224.*

In your config?

I have both 193.201.224 and 193.201.224. (with & without the trailing .)

I'm also assuming you don't have an allow all rule before any deny rule?

Correct. The allow from all is located after all the deny lines.

Would you mind sharing your current .htaccess file?

Because it is 50k in size & contains thousands of blocked IPs, I do not want to post it online.

If apache is reporting it is reading your current .htaccess, your problem must be inside the file

Yes, exactly.

Apart from your current problem,

The problem with running old hardware, old software, and old content in general is that it's now difficult to find someone who can manage this stuff.

Keeping all the knowledge on recent things is almost impossible to do, so you can imagine what happens with the old stuff...

Old things work… until they don't work anymore. And you won't like that day

Take a look at current VPS providers like linode. Starting at $10/month with very good performance. Also, running something like Debian 7 is clearly easier than any BSD (who seriously uses this for web hosting anymore?).

With the correct tips, you can install a new web server with all the software needed in less than 10 minutes. I can share my knowledge with pleasure

Just out of curiosity, but is your website using databases? If it's only static files, or shtml (ssi), it's worth taking a look at the "new stuff" ;) it must be simple to migrate this to a new hosting.

If you're using databases, it might be another story :)

If I could afford to upgrade everything, I would. But I cannot. We are using a database, but there are a number of scripts we need & these usually cause problems after upgrades, which causes me to spend many days working to get them going again. I do not have the time now to commit days to fixing everything after upgrading, which is why we are running old hardware/software... it works.

The physical ordering of the allow and deny lines has no influence on their interpretation. It is the 'order' line that decides which ones are checked first.

Also, an IP will be matched against all the rules, not just the first one.

So in the config fragment you have given, the order is allow (and the allow line is allow all, so all IPs are allowed at first), and then the specific ones are denied.

You should not just provide the first three parts of the IP address, you should give all four.

If you want to block a block of IPs, use the following format:

Deny from 123.234.34.0/24

That will block all IPs from 123.234.34.0 thru 123.234.34.255; the 24 means 'take notice of the first 24 bits of this IP number (the first three numbers) and anything can match for the last 8 bits (the last number)'.

If you have remote access to this web server feel free to get in touch by PM and I'll have a look at it for you. Been running apache servers for 25+ years.

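The Order/Allow/Deny semantics described in the post above, as an added example that is not code from the thread: a small Python model of how Apache 1.3/2.2-style access rules are evaluated. It follows the documented host forms (all, a full address, a partial address of 1 to 3 octets with or without a trailing dot, and CIDR), accepts several hosts after `from` on one line as the directive syntax does, and lets you check a client address against a fragment to see that only the Order line, not line position, decides the outcome. The fragment inside it is constructed from documentation address ranges, not the thread's real ones.

```python
import ipaddress
import re

def parse_host(spec):
    """'all', CIDR, a full address, or a partial IPv4 (1-3 octets, trailing dot tolerated)."""
    spec = spec.strip().lower()
    if spec == "all":
        return "all"
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")               # partial address = prefix match
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("unsupported host spec: %r" % spec)
    prefix = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%d" % (prefix, 8 * len(octets)), strict=False)

def parse_rules(text):
    """Collect Order, Allow from and Deny from (case-insensitive); other lines are ignored."""
    order, allow, deny = "deny,allow", [], []           # deny,allow is Apache's default Order
    for line in text.splitlines():
        m = re.match(r"\s*(?:(order)\s+(\S+)|(allow|deny)\s+from\s+(.+?))\s*$", line, re.I)
        if not m:
            continue
        if m.group(1):
            order = m.group(2).lower()
        else:
            bucket = allow if m.group(3).lower() == "allow" else deny
            bucket.extend(parse_host(h) for h in m.group(4).split())   # several hosts per line
    return order, allow, deny

def matches(ip, rules):
    return any(r == "all" or ip in r for r in rules)

def is_allowed(client_ip, text):
    """allow,deny: allowed iff some Allow matches and no Deny; deny,allow: denied iff some Deny matches and no Allow."""
    order, allow, deny = parse_rules(text)
    ip = ipaddress.ip_address(client_ip)
    if order == "allow,deny":
        return matches(ip, allow) and not matches(ip, deny)
    if order == "deny,allow":
        return matches(ip, allow) or not matches(ip, deny)
    raise ValueError("unsupported Order: %r" % order)

# Constructed fragment shaped like the one at the top of the thread (documentation ranges).
HTACCESS = """<Files *>
order allow,deny
allow from all
deny from 192.0.2.10 203.0.113
deny from 198.51.100.
</Files>"""
```

Swapping the Order to deny,allow while keeping `allow from all` lets every client through, whatever the deny lines say.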
