Ordering Order Allow,Deny

If the address matches both the allow and deny directives, the last controls. By using order deny,allow you're saying, "if this is 192.168.0.1, deny it first, then allow it". It's like css; equal weight, the last rule overrules the previous rules.

The correct order is "allow,deny".

cheers,

gary

Thanks Gary, just needed someone to confirm that. So having set the reverse, in now running Allow All then specifying the Deny clause is the correct approach as I thought.

Irony is that I'm attempting to block your home state Texas, and more specifically Houston sorry about that, don't mean any offence but have you any idea the massive splogging base that town is?

I don't know that you can block geographically like that. I.P. address blocks are are assigned to ISPs. The best you can do is block, say, AT&T, or Roadrunner at their local or regional router farms with a partial IP address. I'd hate for you to block Verizon's addy block; how would I spam your sites, then?

cheers,

gary

I know that I can't block by region, and yes blocks are assigned to ISPs so I'm effectively blocking any number of legit users.

Blocking is not really something one ought to be doing, but what does one do? the registration with WPMU has seemingly been messed up by the BuddyPress own registration. A captcha placed on the form is utterly ineffective, there is little else I can think of short of adding hidden inputs but that will likely not work, might add a check on referrer or IP address on the registration page, if IP range 174.*.*.* redirect to a honey trap style page apologising if users are legit and providing an alternate signup page or link back to registration page and allow past the initial IP check if the referrer page is my honeytrap one. That might sort bots out but it's not only bots, I notice Curl hits to the registration page so how do I deal with the page being downloaded and filled in and run from remote machines?

On a sidenote was interested in

Going on to list a series of sensitive Gov IP ranges from US Homeland Security to Quatar Gov to UK parliament.

Unless you're being spammed by infected machines, your logs ought to be a source of IP addys that might let you sort out some class c subnets that will block the spambots without hurting too many innocents.

cheers,

gary

Back to original question. There are two possible setups

; Deny,Allow permits by default
; Allow directives are used to allow access to subsets of Deny directives
Order Deny,Allow
Deny from 192.168.0.1

; Allow,Deny denies by default
; Allow from all is needed to permit general access
Order Allow,Deny
Deny from 192.168.0.1
Allow from All

The page at apache.org should be pretty clear, especially the table with all the possibilities.

Using Allow from All (or Deny from All) restricts the usefulness of the directives - but I guess does make things clearer for people who are unfamiliar with the syntax. If you don't use "* from all" you can set access for a range and then set the opposite access for subsets of that range. E.g.

; deny from everywhere, permit local IPs in 192.168.*.* range but deny 192.168.0.1
Order Allow,Deny
Allow from 192.168.0.0/16
Deny from 192.168.0.1

; allow from everywhere, deny bad ISP, allow people caught by ban, but who have complained (and we believe are safe)
Order Deny,Allow
Deny 12.34.56.0/24
Allow 12.34.56.78
Allow 12.34.56.123

Thanks Chris,

Yes one thing I had figured was that in many ways All is a somewhat defeating instruction given to being mis-applied; thinking it through the allow directive is or should be used to set specifics.

By and large I think the use of the Order directive too problematical for the use I want to put it to, although I have denied one IP that was fixed and a habitual nuisance, the sploggers are playing an altogether cleverer game and I think a different approach called for along my earlier musings.

What's the problem with the CAPTCHA?

IP ranges, although they sound really big, probably don't catch many people - unless your audience is groups like students where several could belong to the one campus.

Not sure what the issue is with the CAPTCHA is In reality I think it catches/prevents a few but it's interesting how clever these splogers are and it's not just myself having the issue it's discussed on the WPMU Buddypress forums as a subject that no one has found a real answer to.

I understand that IP ranges are not necessarily going to catch many people but I am watching real time server hits and one particular IP range is the root cause most of the time although checking the IP reports different location that the plugin does.

I'm going to try my honey trap to see how many hits that page gets just for interests sake.

I think you should go with the blue one.

Yeah life was simple when all I had to worry about was background:blue;

Maintaining Servers / sites you can keep it, more hassle than it's worth although been glad to start grubbing around properly with LAMP via shell