|george on 7 Dec 2017 15:09:00 -0800|
[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]
|Re: [PLUG] My domain's .htaccess file is giving me fits|
Charlie Li chimed in -
On 07/12/2017 11:23, email@example.com wrote:
Apache tells me that HostnameLookup is set to |on| by default in Apache 2.4, which doesn't make sense, because it slows down the server response. It also doesn't make sense because it hides the IP addresses of the Bad Guys. Maybe I can fix it with the following .htaccess directive for Apache 2.4:
HostnameLookups is Off by default. http://httpd.apache.org/docs/2.4/mod/core.html#hostnamelookups
A quick check confirms that Charlie is correct - that simplifies my work with the modification of my domain's htaccess file.
<Limit HEAD> Require all denied Require ip [redactedpersonal_IP_address] </Limit>
You could put a whole bunch of Require not ip 198.51.100.0/24 directives, replacing the IP/range with the actual ones to block.
The list of servers for just one Bad Guy (AS48347) is very long (https://www.dnsdigger.com/as/AS48347) About ten of those servers were doing their "thing" in November 2017. If I shut off the HEAD requesters, only AmazonAWS and a few uptime checkers will be in the crossfire.
IPdeny has lists of IP blocks by country that you can use in your configuration directives: http://www.ipdeny.com/ipblocks/
My ISP tried installing their "block Russia" version of .htaccess, which was four times as large as mine. Mine includes many Cyrillic- alphabet sites hosted in the USA which were picked as intermediary domains by the Bad Guys; no one else is using such intermediaries, so I'm forced to pick them off one at a time.from my Raw Access logs. The HEAD / HTTP requests don't appear in my Recent Visitors logs, so I'm having to wait for the monthly .GZ files.
or should I use this syntax, used by earlier versions of Apache ?
Don't use that older syntax; it's deprecated unless you load the module that sounds like auth_compat, and even that's practically deprecated.
I haven't used cPanel's IP blocker application for a while ... it very well may have been updated also. My domain is on a shared server, so I don't have the "luxury" of messing with the Apache settings. Gotta solve the puzzle with the .htaccess file; you've been a big help by steering me away from the Apache server. The Apache server's only "offense" was to be upgraded shortly before Hostname lookup got activated, probably by my use of Hostname lookup right in my .htaccess file, which gets in the way of the long list of "deny from [IPaddress]" that comes right after all those rewrite rules, which depend on getting the hostnames from the IP addresses. My best bet, now that I know what actually is the default setting for Hostname lookup, is to convert the rewrites to just plain deny from directives, using the updated Apache 2.4 syntax. There is a domain name redirect in that .htaccess file right now, which may throw a wrench into my efforts. On the other hand, the server already knows the second domain name from the GET request, so there's no Hostname lookup needed ... We'll see. Best regards, George Langford ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug