Full Version: Blocking ip addresses with .htaccess file
J.R.
I have read and re-read as many of the threads addressing this problem as well as spoken to tech support on the phone and cannot accomplish what I'm trying to do.

I am trying to block specific ip addresses from accessing anything on my website. I have a virtual server running plesk 7.5.4. I use FrontPage 2000 to create my site so frontpage extensions are enabled. I have read sometimes messing with the .htaccess file can affect the FrontPage extensions but usually only when trying to re-direct. (not sure if this is true as there is so much conflicting info out there) Here is my original .htaccess file which I can access and edit from the file manager on my domain administration page:


# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName xxxxxx.com
AuthUserFile /home/httpd/vhosts/xxxxxx.com/httpdocs/_vti_pvt/service.pwd
AuthGroupFile /home/httpd/vhosts/xxxxxx.com/httpdocs/_vti_pvt/service.grp


Below is how I changed it after reading other posts on this forum and google searches:

# -FrontPage-

IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

<Limit GET POST>
order deny,allow
deny from xx.xxx.xxx.xx
deny from xx.xx.xx.xxx
deny from xxx.xx
deny from mail.xxxxx.com
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
AuthName xxxxxx.com
AuthUserFile /home/httpd/vhosts/xxxxxx.com/httpdocs/_vti_pvt/service.pwd
AuthGroupFile /home/httpd/vhosts/xxxxxx.com/httpdocs/_vti_pvt/service.grp

This has not accomplished a thing. I tested the change myself from a friend's computer, even trying to block his ISP's domain name as well as just entering the first 5 numbers of the range of IP addresses his ISP has registered.

As I said, I made the changes on the file manager on my domain admin page. I have not republished my site to the server so not to have frontpage republish a new .htaccess file if in fact it does that each time.
I talked to 3 different support people and they weren't able to help at all.

If I change the .htaccess file from my domain administration page does it take effect immediately? Does the server have to be re-set? Is what I'm trying to do even possible? New to this stuff so I apologize in advance!!

Help!
J.R.
Do I win a prize for stumping the forum? I have to assume I can't do this with a virtual server using Frontpage. Thanks anyway.
LadyHawk

order allow,deny
deny from 123.123.123.123
allow from all


deny from 123.123.123.123 - Blocks access to this IP only

This is what I have used in the past to keep unwanted visitors away.
Catalyst
.htaccess changes occur immediately --- no need for a restart. But, let's illustrate this so you can see what you need to do.

Here's your original:
CODE
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
As you had it, GET & POST will be allowed from all, and PUT DELETE will be denied from all.

Here's where it got messed up:
CODE
<Limit GET POST>
order deny,allow
deny from xx.xxx.xxx.xx
deny from xx.xx.xx.xxx
deny from xxx.xx
deny from mail.xxxxx.com
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
GET & POST will be allowed from all, and PUT & DELETE will still be denied from all. Why? Because you've ordered "deny first, allow second." Deny from those blocks, but ignore all that and allow them from everywhere.

So maybe try:
CODE
<Limit GET POST>
order allow,deny
allow from all
deny from xx.xxx.xxx.xx
deny from xx.xx.xx.xxx
deny from xxx.xx
deny from mail.xxxxx.com
</Limit>
<Limit PUT DELETE>
order allow,deny
deny from all
allow from 123.123.123.123
</Limit>
This should fix that ... GET & POST Order is allow, then deny --- allow from all, then deny from those specific IPs & ranges (it takes CIDR format, so it's easy to make sweeping changes). PUT & DELETE Order is deny to all, then allow from 123.123.123.123. You can pull out the allow --- it's just to illustrate a point.

It's all in how you order it. Some things you want to leave open always... other things you don't. So now you have two examples of how to switch them. Have fun!
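
The Order/Allow/Deny evaluation discussed in this thread, as an added example (not code from any poster): a small Python model of how Apache 2.0/2.2 combines these directives, run against the "allow from all" variants posted above. The client addresses are constructed documentation addresses, hostname specs such as mail.xxxxx.com are not modelled, and only IPv4 is handled.

```python
import ipaddress

def matches(spec, client_ip):
    """True if an Allow/Deny 'from' spec covers client_ip (IPv4 only)."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR form, e.g. 198.51.100.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    # Full or partial address ("198.51" style): compare whole leading octets.
    octets = spec.rstrip(".").split(".")
    return client_ip.split(".")[:len(octets)] == octets

def access_allowed(order, allow, deny, client_ip):
    """Model of Order/Allow/Deny in Apache 2.0/2.2; position of the lines is irrelevant."""
    allowed = any(matches(s, client_ip) for s in allow)
    denied = any(matches(s, client_ip) for s in deny)
    if order == "deny,allow":
        # Deny is checked first, Allow second: an Allow match overrides Deny,
        # and a client matching neither is let in.
        return allowed or not denied
    if order == "allow,deny":
        # Allow is checked first, Deny second: a Deny match overrides Allow,
        # and a client matching neither is rejected.
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

# Constructed sample values (documentation address ranges), not from the thread.
BLOCKED = ["203.0.113.7", "198.51"]
CLIENTS = ["203.0.113.7", "198.51.100.20", "192.0.2.1"]

def results(order, allow, deny):
    """Decision for each sample client under one Order/Allow/Deny combination."""
    return {ip: access_allowed(order, allow, deny, ip) for ip in CLIENTS}

if __name__ == "__main__":
    print("deny,allow + allow from all:", results("deny,allow", ["all"], BLOCKED))
    print("allow,deny + allow from all:", results("allow,deny", ["all"], BLOCKED))
    # Under allow,deny a client that matches both lists is denied.
    print("allow,deny + deny from all: ",
          access_allowed("allow,deny", ["123.123.123.123"], ["all"], "123.123.123.123"))
```
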
Gatuku
Is it possible to change the Limit directives above on Ensim Pro 4.0.3-22.rhel.3ES with Apache 2 to affect all sites on the server ?

Where could i make the changes ?
eth00
QUOTE (Gatuku)
Is it possible to change the Limit directives above on Ensim Pro 4.0.3-22.rhel.3ES with Apache 2 to affect all sites on the server ?

Where could i make the changes ?


How about just blocking at the firewall? If you use apf just do "apf -d IP" and they can no longer access the server. You can do some blocking via apache but I am not sure if you can do something for every virtualhost.
Catalyst
You could always add a file, `/etc/httpd/conf.d/limit.conf` and put your directives in there --- although, I'm not willing to put money on it working outside of a VirtualHost or Directory container. ;-)
Gatuku
Thanks for your replies.
Catalyst-I will try that and post if it works...

eth00-I have been using apf to block IPs but it seems the only way I can block a country is by using the below...

With the below directives in the .htaccess file anyone from Country ZA appears to get a 403 error..

I've tried putting that within a Directory block but then I get an internal server error...


order allow,deny
allow from all
SetEnvIf GEOIP_COUNTRY_CODE ZA BlockCountry
Deny from env=BlockCountry


please let me know if you might have any other suggestion looking at this..
thanks
Gatuku
Catalyst -
I tried that but i get:
Starting httpd: Syntax error on line 2 of /etc/httpd/conf.d/limit.conf:
order not allowed here.
Catalyst
QUOTE (Gatuku)
Catalyst -
I tried that but i get:
Starting httpd: Syntax error on line 2 of /etc/httpd/conf.d/limit.conf:
order not allowed here.
I guess that settles that. It won't work outside a VirtualHost or Directory container.

If you wanna go and experiment on that, you could maybe put or around it so that it's inside a container. Just know that's it ... theoretical. ;-)
Gatuku
Thanks-I'll try that..but i seem to have issues whenever i add a container in the .htaccess file...
i.e.
Would you know why the below directives would give me an internal server error when placed in the .htaccess file at :
/home/virtual/site3/fst/var/www/html/.htaccess

I've tried placing it within a and

order allow,deny
allow from all
SetEnvIf GEOIP_COUNTRY_CODE ZA BlockCountry
Deny from env=BlockCountry

I don't get why this would only work within a container.
eth00
QUOTE (Catalyst)
I guess that settles that. It won't work outside a VirtualHost or Directory container.  
 
If you wanna go and experiment on that, you could maybe put or around it so that it's inside a container. Just know that's it ... theoretical. ;-)



I was not sure about that but I sure thought that was the case which is why I did not suggest it in the first place ;)

As far as how to get it to work, I guess would have to put in each individual virtualhost. It does not work simply because that option is only meant to be within a specific directory for virtualhost.

I don't know of another way of blocking an entire country using the geo-ip stuff. APF would work fine to block them, maybe you can search around the net and find all the ip ranges belonging to whomever you want to block.
Rikard
Here's the Korea and China blocks for you if that's what you require Gatuku - I've not tried them but this landed in my inbox today ....

http://www.okean.com/thegoods.html

HTH
Catalyst
QUOTE (Gatuku)
order allow,deny
allow from all
SetEnvIf GEOIP_COUNTRY_CODE ZA BlockCountry
Deny from env=BlockCountry
Lessee ... mod_setenvif & mod_geoip have to be loaded in httpd.conf, and you need:
CODE
GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat
at the top.

QUOTE (eth00)
I was not sure about that but I sure thought that was the case which is why I did not suggest it in the first place ;)
*nod* One of those things --- it's not mentioned that it has to be there in the Apache 2.0 docs, but it seems like I've tried some funky things like that before. *sigh* back to the drawing board. ;-)
Gatuku
Hi.
QUOTE
I don't know of another way of blocking an entire country using the geo-ip stuff. APF would work fine to block them, maybe you can search around the net and find all the ip ranges belonging to whomever you want to block.


I have the IP ranges for the countries I want to block and apf works very well..The issue is that it takes a lot of time to compile the list of IPs for 20-30 countries and keeping up with the changes...
I've ended up with a huge list that is becoming an issue to maintain...

I'm looking at http://people.netfilter.org/peejix/geoip/h...eoip-HOWTO.html as a possible solution...but I have no idea if this would affect apf if I try to install it..and these 3 steps concern me..

o recompile iptables;

o enable geoip into your kernel config;

o recompile your kernel or compile geoip as a module;

Do you think looking at the above link and: http://www.mail-archive.com/gentoo-securit...g/msg00257.html

I could get this to work with the current apf config ?

QUOTE
Lessee ... mod_setenvif & mod_geoip have to be loaded in httpd.conf, and you need:

GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat


I've already got GeoIP working..
It works well with the below rewrite directive.
QUOTE
GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat

RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^CA$
RewriteRule ^(.*)$ http://www.canada.com [L]


It's not an ideal solution..but it works because of the number of countries I want to block...

I guess placing the below in each virtualhost would be a solution till i figure out if i can get it to work with iptables.


QUOTE
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
# ... countries here

Deny from env=BlockCountry



Thank you for taking the time to reply..I'll try the Limit block for each virtualhost.
Catalyst
Okay, my last theoretical ... after thinking about this, why not create /etc/httpd/conf/geoip.conf, then run a script:
CODE
for FILE in `ls -d /etc/httpd/conf/site* | grep -v preview`; do
ln -s /etc/httpd/conf/geoip.conf $FILE/geoip
done
This way, it's inside a virtualhost container. You could even add something like this to the /etc/appliance/customization/virtDomain.sh:
CODE
ln -s /etc/httpd/conf/geoip.conf /etc/httpd/conf/$2/geoip
and have it created automagically for all the new sites you create...
Gatuku
QUOTE
Okay, my last theoretical ... after thinking about this, why not create /etc/httpd/conf/geoip.conf, then run a script:


Would that still be within the Limit container i.e

CODE
<Limit GET POST>

order allow,deny

allow from all

SetEnvIf GEOIP_COUNTRY_CODE ZA BlockCountry

Deny from env=BlockCountry

</Limit>


I tried that and I get
QUOTE
Starting httpd: Syntax error on line 2 of  /etc/httpd/conf/site1/geoip:
order not allowed here


I tried wrapping that within a directory container and can restart httpd but it does not seem to have any effect on the sites...i.e. doesn't block them like I would want...
Catalyst
Doing it that way, it would be inside a VirtualHost container (all files in those directories are included by /etc/httpd/conf/virtual/sitex), so you shouldn't need any Limits or Directories.
Gatuku
QUOTE (Catalyst)
Doing it that way, it would be inside a VirtualHost container (all files in those directories are included by /etc/httpd/conf/virtual/sitex), so you shouldn't need any Limits or Directories.

Hey Catalyst - Thanks again for your reply. truly appreciate your help.

I tried that but i get:

QUOTE
Syntax error on line 3 of /etc/httpd/conf/site1/geoip:
order not allowed here


In the /etc/httpd/conf/virtual/sitex i edited
QUOTE
       
               Allow from all
               AllowOverride All
               Order allow,deny
     


to
QUOTE

order allow,deny
allow from all
Deny from env=BlockCountry
 


I figured that if I then add the SetEnvIf GEOIP_COUNTRY_CODE ZA BlockCountry to the /etc/httpd/conf/geoip.conf
file it might work --but it doesn't..

perhaps the SetEnvIf directive is loaded at the end after the Directory container..assuming it doesn't need to be within the directory container in the first place.

I thought this way i could perhaps change the directory lines to the above and add all the envif directives to the geoip.conf file

That might have been an easier solution.
Gatuku
Re: my post above.

Adding the SetEnvIf GEOIP_COUNTRY_CODE ZA BlockCountry to the /etc/httpd/conf/geoip.conf doesn't work..

It needs to be within the directory container..