Blocking IP's with Apache

Networking/Security Forums -> UNIX // GNU/Linux

Author: Mikefc626Location: here PostPosted: Thu Apr 14, 2005 12:56 am    Post subject: Blocking IP's with Apache
I posted a few days ago about some security probs I have been having with Apache, and have since solved them for the most part. I am now experimenting with blocking specific IP's from ppl from places like China, Japan, Germany, etc (I only run a file server for myself and some friends, none of which I know in other countries so I figured it would be alright to filter out the spammers based on their respective IP's/ countries). I also figured out how to block full subnets. The command to enter into the http.conf file for such is something along the lines of "Deny from 123.456.789.0/24", but I don't understand what the 24 at the end is or what is stands for, and I don't understand why when I change it to 25 it still blocks me just the same. I'd like to block higher up the ladder -- something like "Deny from 123.456.0.0" where it would block more nets, so I didn't have to enter in so many different networks. Does anyone know how to do this? "Deny from 123.456.0.0/24" doesn't work.

Also, in my testing, I blocked myself out, and got a forbidden screen, but I don't possess the know how to try to punch my way into my server, so I was wondering if the ppl I'm trying to keep out will only be forbidden from seeing my files in their browser like I was, or are they unable to get ANYTHING back from the server in any way, shape, or form?

Author: capiLocation: Portugal PostPosted: Thu Apr 14, 2005 1:19 am    Post subject:
Regarding the subnets and what the /24 stands for, I suggest you read the following post by Ants for a good explanation:

I would explain it here but why repeat what's already been said Smile

Author: ElToro PostPosted: Thu Apr 14, 2005 1:24 am    Post subject:
The /24 is CIDR notation for a subnet mask. Each Octet in an IP address is made up of 8 bits. This number is the number of bits to mask. /24 is the equivalent of which is normally a class C network. If you want to describe a class B network then use /16 which is the same as

Using IP addresses as a means of screening is usually not very effective. Anyone using a proxy can easily bypass this screening. At a minimum, I would use the .htaccess file to create a password at the root document directory. That way anything accessed on the site will require this password. Also, you would be better off blocking the IPs before the packets get to Apache using either a firewall on the webserver machine and/or your gateway device. That would give you multiple layers of defense in case some exploit was found in Apache or the OS.

If you provide the OS on the webserver and the name of your gateway device I can provide some more detailed help.

Author: Mikefc626Location: here PostPosted: Thu Apr 14, 2005 5:47 am    Post subject:
Hey thanks guys you're great. Deciphering.... Deciphering... Hey I think I got it Razz So the app is reading each bit, from left to right, correct? So to block, maybe, a whole continent or something, or I guess probably a whole ISP, like one from China, it would be something more along the lines of, where it's only reading the first byte, correct? If that does actually apply to such a large example, and I guess in other words the allow command can be replicated as simply 123.456.789.101/32? I know that would be dumb to do, but am I right?

I am running Apache 2.0.53, Windows 2003 server SP1, and a 2wire dsl modem (which I think is one of the greatest modems I have ever set up/ used, but that's a debate 4 another day Wink )

Of course, now that I have more info to play around my server with, my modem would quit allowing all access from the net................

Author: capiLocation: Portugal PostPosted: Thu Apr 14, 2005 6:44 pm    Post subject:
mpkn3rd wrote:
For instance 123.456.789.0/31 has a host range of 123.456.789.1 to 123.456.789.2. With a broadcast address of 123.456.789.3.

Not to disagree with what you said, but regarding the specific example of a /31 mask, wouldn't it in fact be invalid (at least in IPv4), as it has no valid hosts?

If you only have 1 bit (32 - 31) for the host, you in effect have no valid hosts, as the only two possible host values are 0 (network address) and 1 (broadcast address)...

Perhaps you meant /30? Or am I missing something?

Author: monkranterLocation: Texas, USA PostPosted: Thu Apr 14, 2005 7:13 pm    Post subject:
Way to keep mpkn3rd on his toes, capi. Smile

Author: capiLocation: Portugal PostPosted: Thu Apr 14, 2005 7:24 pm    Post subject:
Not at all, it was clearly a minor typing mistake; I just thought I'd note it, to avoid potential confusion for Mikefc626, or anyone not familiar with subnetting who happened to read this thread.

Networking/Security Forums -> UNIX // GNU/Linux

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group