george on 7 Dec 2017 15:09:00 -0800
Re: [PLUG] My domain's .htaccess file is giving me fits
Charlie Li chimed in -
> On 07/12/2017 11:23, george@georgesbasement.com wrote:
>> Apache tells me that HostnameLookup is set to on by default in Apache 2.4, which doesn't make sense, because it slows down the server response. It also doesn't make sense because it hides the IP addresses of the Bad Guys. Maybe I can fix it with the following .htaccess directive for Apache 2.4:
> HostnameLookups is Off by default. http://httpd.apache.org/docs/2.4/mod/core.html#hostnamelookups

A quick check confirms that Charlie is correct - that simplifies my work with the modification of my domain's .htaccess file.

>> <Limit HEAD>
>> Require all denied
>> Require ip [redacted personal IP address]
>> </Limit>
> You could put a whole bunch of Require not ip 198.51.100.0/24 directives, replacing the IP/range with the actual ones to block.

The list of servers for just one Bad Guy (AS48347) is very long (https://www.dnsdigger.com/as/AS48347). About ten of those servers were doing their "thing" in November 2017. If I shut off the HEAD requesters, only Amazon AWS and a few uptime checkers will be in the crossfire.

> IPdeny has lists of IP blocks by country that you can use in your configuration directives: http://www.ipdeny.com/ipblocks/

My ISP tried installing their "block Russia" version of .htaccess, which was four times as large as mine. Mine includes many Cyrillic-alphabet sites hosted in the USA which were picked as intermediary domains by the Bad Guys; no one else is using such intermediaries, so I'm forced to pick them off one at a time from my Raw Access logs. The HEAD / HTTP requests don't appear in my Recent Visitors logs, so I'm having to wait for the monthly .GZ files.

>> or should I use this syntax, used by earlier versions of Apache?
> Don't use that older syntax; it's deprecated unless you load the module that sounds like auth_compat, and even that's practically deprecated.
I haven't used cPanel's IP blocker application for a while ... it very well may have been updated also. My domain is on a shared server, so I don't have the "luxury" of messing with the Apache settings. Gotta solve the puzzle with the .htaccess file; you've been a big help by steering me away from the Apache server. The Apache server's only "offense" was to be upgraded shortly before Hostname lookup got activated, probably by my use of Hostname lookup right in my .htaccess file, which gets in the way of the long list of "deny from [IPaddress]" that comes right after all those rewrite rules, which depend on getting the hostnames from the IP addresses. My best bet, now that I know what actually is the default setting for Hostname lookup, is to convert the rewrites to just plain deny from directives, using the updated Apache 2.4 syntax. There is a domain name redirect in that .htaccess file right now, which may throw a wrench into my efforts. On the other hand, the server already knows the second domain name from the GET request, so there's no Hostname lookup needed ... We'll see.

Best regards,
George Langford

___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
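The conversion George is planning, from 2.2-era "deny from" lines to the Apache 2.4 Require syntax, as an added .htaccess example written for this page (it is not George's or Charlie's file). The address ranges are constructed placeholders from the RFC 5737 documentation ranges; the real ranges come from the raw access logs. The one detail worth knowing before pasting a list of "Require not ip" lines is that negated Require directives only do anything inside a RequireAll block:

```apache
# Added example, not taken from the thread's .htaccess files.
# 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.77 are constructed placeholders.

# Apache 2.2 style, for comparison. On 2.4 this only works with
# mod_access_compat loaded and is deprecated:
#
#   Order allow,deny
#   Allow from all
#   Deny from 198.51.100.0/24
#   Deny from 203.0.113.0/24

# Apache 2.4 equivalent. Bare "Require not ip ..." lines at the top level of
# .htaccess sit in an implicit <RequireAny>, where a negated directive has no
# effect; wrap the block list in <RequireAll> so the denials are honoured.
<RequireAll>
    # Start from "everyone may connect" ...
    Require all granted
    # ... then carve out the ranges to block, one directive per range.
    Require not ip 198.51.100.0/24
    Require not ip 203.0.113.0/24
    # A single host needs no prefix length.
    Require not ip 192.0.2.77
</RequireAll>

# Match on addresses, not names: "Require host" / "Require not host" forces a
# double reverse DNS lookup for every request regardless of the HostnameLookups
# setting, which is exactly the slowdown discussed in this thread.
```

Each RequireAll is evaluated per request, so a long list costs a linear scan of the entries; that is still far cheaper than the DNS round trips a hostname-based rule incurs.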