Hugo

Have we got any A patchy gurus around?

The Order directive!

It's more confusing than one thinks? Or is it just me?

Order Deny,Allow
Deny from 192.168.0.1
Allow from All

As I understood it I have just blocked that IP but allowed all others, however the Manual seems to suggest otherwise saying that the deny rule is read first if matched then IP blocked UNLESS it also matches an Allow directive.

Do I then take it that I have gone on to 'Allow All' so countermanding the first rule? Puzzled surely not!

I have changed the order to Allow,Deny so I allow All then check if a specific IP and block it as the logic seemed to make more sense?

Question arises as I'm finding it impossible to kick some IPs off the server and can't figure why, and yes the AllowOverride is set as All and I know the .htaccess file is functioning as there is a heap of mod_rewriting occurring.

Before you make your first post it is vital that you READ THE POSTING GUIDELINES!
----------------------------------------------------------------
Please post ALL your code - both CSS & HTML - in [code] tags
Please validate and ensure you have included a full Doctype before posting.
Why validate? Read Me

gary.turner

If the address matches both the allow and deny directives, the last controls. By using order deny,allow you're saying, "if this is 192.168.0.1, deny it first, then allow it". It's like css; equal weight, the last rule overrules the previous rules.

The correct order is "allow,deny".

cheers,

gary

Unplanned code results in a tangled wad of brain-cramping confusion.

There are enough html & css demos and tutorials to be interesting. Please visit.

Hugo

Thanks Gary, just needed someone to confirm that. So having set the reverse, I'm now running Allow All then specifying the Deny clause is the correct approach as I thought.

Irony is that I'm attempting to block your home state Texas, and more specifically Houston; sorry about that, don't mean any offence but have you any idea the massive splogging base that town is?


gary.turner

I don't know that you can block geographically like that. I.P. address blocks are assigned to ISPs. The best you can do is block, say, AT&T, or Roadrunner at their local or regional router farms with a partial IP address. I'd hate for you to block Verizon's addy block; how would I spam your sites, then?

cheers,

gary


Hugo

I know that I can't block by region, and yes blocks are assigned to ISPs so I'm effectively blocking any number of legit users.

Blocking is not really something one ought to be doing, but what does one do? The registration with WPMU has seemingly been messed up by the BuddyPress own registration. A captcha placed on the form is utterly ineffective, there is little else I can think of short of adding hidden inputs but that will likely not work, might add a check on referrer or IP address on the registration page, if IP range 174.*.*.* redirect to a honey trap style page apologising if users are legit and providing an alternate signup page or link back to registration page and allow past the initial IP check if the referrer page is my honeytrap one. That might sort bots out but it's not only bots, I notice Curl hits to the registration page so how do I deal with the page being downloaded and filled in and run from remote machines?

On a sidenote was interested in

Wikipedia wrote:

If you block an IP address in any of the following ranges, you are required to immediately notify the Wikimedia Foundation Communications Committee. These ranges are allocated to major governmental organizations and blocks of these organizations have political and public relations implications that must be managed by the Foundation's press relations team. Avoid long blocks of these addresses and be especially careful in formulating your block messages because your block message will be seen and commented on by the press.

Going on to list a series of sensitive Gov IP ranges from US Homeland Security to Qatar Gov to UK parliament.


gary.turner

Unless you're being spammed by infected machines, your logs ought to be a source of IP addys that might let you sort out some class c subnets that will block the spambots without hurting too many innocents.

cheers,

gary


Chris..S

Back to original question. There are two possible setups

# Deny,Allow permits by default
# Allow directives are used to allow access to subsets of Deny directives
Order Deny,Allow
Deny from 192.168.0.1

# Allow,Deny denies by default
# Allow from all is needed to permit general access
Order Allow,Deny
Deny from 192.168.0.1
Allow from All

The page at apache.org should be pretty clear, especially the table with all the possibilities.

Using Allow from All (or Deny from All) restricts the usefulness of the directives - but I guess does make things clearer for people who are unfamiliar with the syntax. If you don't use "* from all" you can set access for a range and then set the opposite access for subsets of that range. E.g.

# deny from everywhere, permit local IPs in 192.168.*.* range but deny 192.168.0.1
Order Allow,Deny
Allow from 192.168.0.0/16
Deny from 192.168.0.1

# allow from everywhere, deny bad ISP, allow people caught by ban, but who have complained (and we believe are safe)
Order Deny,Allow
Deny from 12.34.56.0/24
Allow from 12.34.56.78
Allow from 12.34.56.123
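
How the configurations quoted in this thread evaluate, as an added example that is not part of any post: a small Python model of the Order/Allow/Deny rules for IP and CIDR arguments only. The function names are illustrative, 203.0.113.5 is a constructed outside client, and hostnames, partial addresses and env= matching are not modelled.

```python
import ipaddress

def _matches(client, specs):
    """True if client falls in any spec: 'all', a single IP, or a CIDR block."""
    ip = ipaddress.ip_address(client)
    return any(
        s.lower() == "all" or ip in ipaddress.ip_network(s, strict=False)
        for s in specs
    )

def access_allowed(order, allow, deny, client):
    """Model of Order/Allow/Deny evaluation (assumption: IP/CIDR arguments only)."""
    hit_allow = _matches(client, allow)
    hit_deny = _matches(client, deny)
    key = order.replace(" ", "").lower()
    if key == "deny,allow":
        # Default is allow; Allow is evaluated last and overrides a Deny match.
        return hit_allow or not hit_deny
    if key == "allow,deny":
        # Default is deny; Deny is evaluated last and overrides an Allow match.
        return hit_allow and not hit_deny
    raise ValueError("unsupported Order: %r" % order)

# Configurations quoted in the thread: (label, Order, Allow list, Deny list)
CONFIGS = [
    ("original post", "Deny,Allow", ["all"], ["192.168.0.1"]),
    ("reversed order", "Allow,Deny", ["all"], ["192.168.0.1"]),
    ("deny only", "Deny,Allow", [], ["192.168.0.1"]),
    ("subnet minus one host", "Allow,Deny", ["192.168.0.0/16"], ["192.168.0.1"]),
    ("ISP ban with exceptions", "Deny,Allow",
     ["12.34.56.78", "12.34.56.123"], ["12.34.56.0/24"]),
]

def report(clients):
    """Return (label, client, allowed) for every config/client pair."""
    return [
        (label, c, access_allowed(order, allow, deny, c))
        for label, order, allow, deny in CONFIGS
        for c in clients
    ]

if __name__ == "__main__":
    # Constructed sample clients: the blocked host, a neighbour, an excepted
    # and a non-excepted ISP address, and an unrelated outside address.
    sample = ["192.168.0.1", "192.168.0.2", "12.34.56.78", "12.34.56.9", "203.0.113.5"]
    for label, client, ok in report(sample):
        print(f"{label:26} {client:14} {'allow' if ok else 'DENY'}")
```

On Apache 2.4 these directives are provided by mod_access_compat and are deprecated in favour of Require.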

Hugo

Thanks Chris,

Yes one thing I had figured was that in many ways All is a somewhat defeating instruction given to being mis-applied; thinking it through the allow directive is or should be used to set specifics.

By and large I think the use of the Order directive too problematical for the use I want to put it to, although I have denied one IP that was fixed and a habitual nuisance, the sploggers are playing an altogether cleverer game and I think a different approach called for along my earlier musings.


Chris..S

What's the problem with the CAPTCHA?

IP ranges, although they sound really big, probably don't catch many people - unless your audience is groups like students where several could belong to the one campus.

Hugo

Not sure what the issue with the CAPTCHA is. In reality I think it catches/prevents a few but it's interesting how clever these sploggers are, and it's not just myself having the issue; it's discussed on the WPMU BuddyPress forums as a subject that no one has found a real answer to.

I understand that IP ranges are not necessarily going to catch many people but I am watching real time server hits and one particular IP range is the root cause most of the time, although checking the IP reports a different location than the plugin does.

I'm going to try my honey trap to see how many hits that page gets just for interest's sake.


CupidsToejam

I think you should go with the blue one.


First basic few steps in building a webpage
1. Gather and collect content.
2. Organize the content into meaningful semantic valid HTML
3. Design the prototype
4. Style using CSS

http://www.pixelbehavior.com

Hugo

Yeah life was simple when all I had to worry about was background:blue;

Maintaining Servers / sites, you can keep it, more hassle than it's worth, although been glad to start grubbing around properly with LAMP via shell
