Ravens PHP Scripts: Forums
 

 

View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other
Author Message
Tizwit
Involved
Involved


Joined: Aug 29, 2004
Posts: 324
Location: New Mexico

PostPosted: Thu Aug 17, 2006 4:06 am Reply with quote

I am looking for help with .htaccess

I have been getting a lot of SPAM requests on my support site and I was looking into Banning blocks of IP addresses using htaccess.

I have found several sites that help with this and have had mixed results.

This site:
Only registered users can see links on this board! Get registered or login!

states the following for this IP address 72.30.101.209 (just a yahoo):

command for htaccess: deny all from 72.30.96.0/20 to block all access from this netblock.

but when I put in this code:
deny all from 72.30.96.0/20

it blocks me (so I assume it blocks everyone)

when I take out the "all"

I think it works because I added my IP CIDR (?) code and I was blocked but recently had someone from a blocked code make it to my site.

I have also seen some people use:

deny from 72.30.96.0/72.30.96.255

but when I tried this nothing happened.

Any Ideas?

_________________
Brian Only registered users can see links on this board! Get registered or login!
Helping the Children in the NM Children's Hospital 
View user's profile Send private message Visit poster's website
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

PostPosted: Thu Aug 17, 2006 4:43 am Reply with quote

hi tiz..
best and most common way is to use deny from 72.30.96.0/20
 
View user's profile Send private message
Tizwit
PostPosted: Thu Aug 17, 2006 4:51 am Reply with quote

hitwalker wrote:
hi tiz..
best and most common way is to use deny from 72.30.96.0/20


I have several of those on my .htaccess file

one of which is:

deny from 200.88.192/18

just got a hit from this IP address:

200.88.223.98 which is in the above IP block. why is it getting through?
 
hitwalker
PostPosted: Thu Aug 17, 2006 5:00 am Reply with quote

well if they used fake / spoofed addresses then its tough to block it....

try deny from 200.88.0.0/16
 
Tizwit
PostPosted: Thu Aug 17, 2006 5:13 am Reply with quote

Added..

I am getting the IPs from the server side. Not sure how easy it is to spoof an IP address.
 
hitwalker
PostPosted: Thu Aug 17, 2006 5:16 am Reply with quote

Quote:
I am getting the IPs from the server side.

What you mean ?
 
Tizwit
PostPosted: Thu Aug 17, 2006 5:18 am Reply with quote

I am getting it in my cpanel and can see their tracking as well as if they were referred or connected directly to which page.

I also have access to raw logs..

also I am not sure any of the above means anything if spoofing the IP is easy
 
hitwalker
PostPosted: Thu Aug 17, 2006 5:21 am Reply with quote

in your cpanel?
check your error log there....
do you see that ip in there as in.....access denied by server configuration...?
 
Tizwit
PostPosted: Thu Aug 17, 2006 5:30 am Reply with quote

I get a lot of this:

[Thu Aug 17 00:58:43 2006] [error] [client 200.88.223.98] File does not exist: /home/support/public_html/403.shtml
[Thu Aug 17 00:58:43 2006] [error] [client 200.88.223.98] client denied by server configuration: /home/support/public_html/michellebook


the file he is trying to access is no longer on my server.
 
Tizwit
PostPosted: Thu Aug 17, 2006 5:31 am Reply with quote

does this mean he is blocked? if so why does it show him as a recent visitor and not just in the blocked area?
 
hitwalker
PostPosted: Thu Aug 17, 2006 5:33 am Reply with quote

yes hes blocked... Twisted Evil
you see it cause its on server level...
and why he keeps doing this is because its an idiot and uses idiot scripts...
so he's history....
have a nice day tiz..
 
Tizwit
PostPosted: Thu Aug 17, 2006 5:36 am Reply with quote

ah ok thank you.. I am now hooking some others up to if they try to hit that non-existent file they will be forwarded to an abuse script. lol
 
hitwalker
PostPosted: Thu Aug 17, 2006 5:39 am Reply with quote

better not....
you never know whats real or not...
 
Tizwit
PostPosted: Thu Aug 17, 2006 5:42 am Reply with quote

what would it do?

how would I know if its real or not? if they hit that page they will be forwarded.. when I see that in my log I can ban them correct?
 
hitwalker
PostPosted: Thu Aug 17, 2006 5:44 am Reply with quote

so your using a standard 404 redirect now?
 
Tizwit
PostPosted: Thu Aug 17, 2006 5:47 am Reply with quote

the redirect that is in Cpanel. If someone try to access a certain page they are redirected to the new one here is what it says in the log:

Host: 218.75.22.142 /michellebook/abuse/abuse.html
Http Code: 404 Date: Aug 17 02:35:42 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2a) Gecko/20020910

|
|
|
/michellebook/addentry.php
Http Code: 403 Date: Aug 17 05:35:06 Http Version: HTTP/1.1 Size in Bytes: -
Referer: -
Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc1) Gecko/20020417




So I know he should be banned since that page has not been available for a long time and not to mention he goes straight to the add entry page.
 
Tizwit
PostPosted: Thu Aug 17, 2006 5:48 am Reply with quote

I just added Korea to my banned section since that was where most of the spam to my OSticket system was coming from..
 
hitwalker
PostPosted: Thu Aug 17, 2006 5:52 am Reply with quote

yeah but i mean if someone picks up a nice link from google and doesnt wanna do harm to your site he gets his ass kicked...
thats what i mean...
if you see entries to something weird like the addsign pages ,then check the ip here Only registered users can see links on this board! Get registered or login!

on the right you see...

Country Lookup
Country or 2 digit Code

put in ip and hit button..
then in top list it will show whole ranges...
then block its whole cidr
 
Tizwit
PostPosted: Thu Aug 17, 2006 5:57 am Reply with quote

good point..

I did add Korea with the site you listed. (found it not long ago)

I just added "deny from" before each of the following:

Code:
58.65.64.0/18

58.72.0.0/13
58.102.0.0/15
58.120.0.0/13
58.138.192.0/18
58.140.0.0/14
58.145.0.0/17
58.148.0.0/14
58.181.0.0/18
58.180.0.0/16
58.184.0.0/16
58.224.0.0/12
59.0.0.0/11
59.86.192.0/18
59.150.0.0/16
59.186.0.0/15
60.196.0.0/15
61.4.192.0/18
61.5.160.0/19
61.32.0.0/13
61.40.0.0/14
61.47.192.0/18
61.72.0.0/13
61.80.0.0/14
61.84.0.0/15
61.96.0.0/12
61.247.64.0/18
61.247.128.0/19
61.248.0.0/13
121.0.64.0/18
121.0.128.0/17
121.1.64.0/18
121.50.64.0/18
121.53.0.0/16
121.54.192.0/18
121.55.64.0/18
121.55.128.0/18
121.64.0.0/14
121.78.0.0/16
121.88.0.0/16
121.100.64.0/18
121.124.0.0/15
121.126.0.0/16
121.127.64.0/18
121.127.128.0/18
121.128.0.0/11
121.200.64.0/18
121.254.0.0/18
121.254.128.0/17
122.32.0.0/12
122.49.64.0/18
122.99.128.0/17
122.101.0.0/16
122.199.64.0/18
122.199.128.0/17
122.254.128.0/17
123.99.64.0/18
123.254.128.0/17
124.0.0.0/15
124.2.0.0/16
124.5.0.0/16
124.28.0.0/17
124.28.128.0/18
124.46.0.0/16
124.48.0.0/12
124.80.0.0/16
124.111.0.0/16
124.136.0.0/14
124.146.0.0/18
124.194.0.0/16
124.197.128.0/18
124.197.192.0/19
124.198.0.0/17
124.199.0.0/18
124.199.128.0/17
124.216.0.0/16
124.243.0.0/17
124.254.128.0/17
125.7.128.0/17
125.31.128.0/18
125.57.0.0/16
125.60.0.0/17
125.61.0.0/17
125.128.0.0/11
125.176.0.0/12
125.208.64.0/18
125.209.0.0/18
125.252.0.0/18
125.240.0.0/13
125.248.0.0/14
128.134.0.0/16
129.254.0.0/16
134.75.0.0/16
137.68.0.0/16
141.223.0.0/16
143.248.0.0/16
147.6.0.0/16
147.43.0.0/16
147.46.0.0/15
150.150.0.0/16
150.183.0.0/16
150.197.0.0/16
152.99.0.0/16
152.149.0.0/16
154.10.0.0/16
155.230.0.0/16
156.147.0.0/16
157.197.0.0/16
158.44.0.0/16
161.122.0.0/16
163.152.0.0/16
163.180.0.0/16
163.239.0.0/16
164.124.0.0/15
165.132.0.0/15
165.141.0.0/16
165.186.0.0/16
165.194.0.0/16
165.213.0.0/16
165.229.0.0/16
165.243.0.0/16
165.244.0.0/16
165.246.0.0/16
166.79.0.0/16
166.103.0.0/16
166.104.0.0/16
166.125.0.0/16
168.78.0.0/16
168.115.0.0/16
168.126.0.0/16
168.131.0.0/16
168.154.0.0/16
168.188.0.0/16
168.219.0.0/16
168.248.0.0/15
169.140.0.0/16
192.5.90.0/24
192.100.2.0/24
192.104.15.0/24
192.132.15.0/24
192.132.247.0/24
192.132.248.0/22
192.195.39.0/24
192.195.40.0/24
192.203.138.0/23
192.203.140.0/22
192.203.144.0/23
192.203.146.0/24
192.245.249.0/24
192.245.250.0/23
192.249.16.0/20
202.6.95.0/24
202.14.103.0/24
202.14.165.0/24
202.20.82.0/23
202.20.84.0/23
202.20.86.0/24
202.20.99.0/24
202.20.119.0/24
202.20.128.0/17
202.21.0.0/21
202.22.32.0/19
202.30.0.0/15
202.68.224.0/19
202.73.132.0/22
202.86.8.0/21
202.89.248.0/22
202.126.112.0/21
202.133.16.0/20
202.136.112.0/20
202.136.128.0/19
202.150.176.0/20
202.158.144.0/20
202.163.128.0/19
202.167.208.0/20
202.179.176.0/21
202.189.128.0/20
203.77.176.0/24
203.81.128.0/19
203.82.240.0/21
203.83.128.0/19
203.84.240.0/20
203.90.32.0/19
203.100.160.0/19
203.109.0.0/19
203.123.192.0/19
203.128.160.0/19
203.128.192.0/19
203.130.64.0/18
203.132.160.0/19
203.133.160.0/19
203.142.160.0/19
203.152.160.0/19
203.153.144.0/20
203.170.96.0/19
203.171.160.0/19
203.173.96.0/19
203.175.32.0/19
203.207.16.0/20
203.210.16.0/20
203.210.32.0/19
203.212.96.0/19
203.212.160.0/19
203.215.192.0/19
203.216.160.0/19
203.217.192.0/18
203.223.96.0/19
203.224.0.0/11
206.219.0.0/18
210.0.32.0/19
210.2.32.0/19
210.16.192.0/18
210.57.224.0/19
210.80.96.0/19
210.87.192.0/19
210.89.160.0/19
210.90.0.0/15
210.92.0.0/14
210.96.0.0/11
210.178.0.0/15
210.180.0.0/14
210.192.64.0/19
210.204.0.0/14
210.210.192.0/18
210.216.0.0/13
211.32.0.0/11
211.104.0.0/13
211.112.0.0/13
211.168.0.0/13
211.176.0.0/12
211.192.0.0/10
218.36.0.0/14
218.48.0.0/13
218.101.128.0/17
218.144.0.0/12
218.209.0.0/16
218.232.0.0/13
219.240.0.0/15
219.248.0.0/13
220.64.0.0/11
220.103.0.0/16
220.116.0.0/14
220.120.0.0/13
220.149.0.0/16
220.230.0.0/16
221.132.64.0/19
221.133.48.0/20
221.133.128.0/18
221.138.0.0/15
221.140.0.0/14
221.144.0.0/12
221.160.0.0/13
221.168.0.0/16
222.96.0.0/12
222.112.0.0/13
222.120.0.0/15
222.122.0.0/16
222.231.0.0/18
222.232.0.0/13
222.251.128.0/17
 
hitwalker
PostPosted: Thu Aug 17, 2006 5:59 am Reply with quote

well im finshing my new setup site i hope today...
then visit and ill publish full banned countries ranges....
 
Tizwit
PostPosted: Thu Aug 17, 2006 6:02 am Reply with quote

sure will.. well I need to get some sleep.. I have been up way to long


Thank you for the help again
 
hitwalker
PostPosted: Thu Aug 17, 2006 6:04 am Reply with quote

Smile goodnight..
 
Tizwit
PostPosted: Fri Aug 18, 2006 2:53 am Reply with quote

If anyone is interested I have a lot of deny ranges for China, Korea, Inda, Vietnam, Dominican Republic, Russia, Turkey, and a few others.

I have saved some as Word docs but the others are in my .htaccess file.

If anyone wants it I will make it available.

all are in the "deny from" format.
 
evaders99
Former Moderator in Good Standing


Joined: Apr 30, 2004
Posts: 3221

PostPosted: Sat Aug 19, 2006 2:27 am Reply with quote

Does Sentinel with the IP2Countries table do that already?

_________________
- Only registered users can see links on this board! Get registered or login! -

Need help? Only registered users can see links on this board! Get registered or login! 
View user's profile Send private message Visit poster's website
Tizwit
PostPosted: Sat Aug 19, 2006 8:27 am Reply with quote

yes but the program they are using to Spam me is not through Sentinel so no luck there.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> Security - Other

View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©