george on 7 Dec 2017 08:24:11 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] My domain's .htaccess file is giving me fits

Hello Fellow Linux Users -

Ever since the Russians started their attacks, I have been keeping
track of the IP addresses and servers that are making HEAD / HTTP
requests. They started in September 2016, peaked in November 2016,
and have continued to the present day. This they do through other
(mostly Russian or Ukrainian) domain URL's, probably to exploit
Windows vulnerabilities, judging from the Client Agent entries.

On November 25th, my cPanel Raw Access data suddenly switched from
reporting the originating IP addresses to just their canonical names.
That's OK for honest IP's, but not for IP's that are using generic
names like,, or, from which the IP addresses cannot be retrieved
with nslookup or whois. This has the effect of obfuscating the IP
addresses and server identities of the Bad Guys. I have been blocking
all those Russian servers successfully since I started this task last
May, but they motor on with their HEAD / HTTP requests anyway.

My ISP disavows any ability to change the situation; Apache doesn't
care either, and I'm waiting for a reponse from the cPanel forum.

I must be causing the problem myself ... most probably with the
configuration of my domain's .htaccess file.

The problem may be related to another problem, that a number of
users are making unattributed links to images on my domain, a
copyright violation, so I have been blocking access from those
domains with entries like these in my .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^http://(www\.)resizing\.info/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://resizeme\.club/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://essayservicewriting\.org/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://free-stock-illustration\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://resizeandsave\.online/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://imagecollectiononline\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://reasonghostwriterks\.cf/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)[redacted]\.info/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(jpeg|jpg|JPG|JPEG|bmp|BMP)$ - [F]

Following are a lot of "deny from directives" including the IP
addresses and server address ranges of the above-listed domains,
added out of my frustration that many of the above domains are still
successfully linking to my images anyway. There are lots of other
server address ranges and IP addresses as well, mostly Russian,
Ukranian, Chinese, and miscellaneous characters looking for WordPress
vulnerabilities. I may have to convert _all_ of those IP addresses to
their canonical names ...

My reading of the Apache 2.4 pages leads me to suspect that Hostname
Lookup is an either/or thing: If there are directives that use domain
names, the HostnameLookup must be |on|, causing all the IP addresses
and server IP ranges to resolve to their canonical names. Until the
25th of November, I was getting away with having both in my .htaccess
file, but not since. The problem that some domains were getting past
the image-limiting directives following the RewriteRule has existed
from the first times that I used it. For some domains, I could get
a 403 response instantly after adding the domain to my .htaccess
file and uploading the .htaccess file to my domain. Others, not so much.
Some domains produce a 403 response from my .htaccess file when anyone
but me tries to see it, but not me - I cannot get that 403 response.

Apache tells me that HostnameLookup is set to |on| by default in
Apache 2.4, which doesn't make sense, because it slows down the
server response. It also doesn't make sense because it hides the
IP addresses of the Bad Guys. Maybe I can fix it with the following
.htaccess directive for Apache 2.4:

<Limit HEAD>
Require all denied
Require ip [redactedpersonal_IP_address]

or should I use this syntax, used by earlier versions of Apache ?

<Limit HEAD>
order deny,allow
deny from all
allow from [redactedpersonal_IP_address]

I'm running a Lenovo T420 with OS.


George Langford
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --