11 replies
Hugo

Have we got any A patchy gurus around?

The Order directive!

It's more confusing than one thinks? Or is it just me?

Order Deny,Allow
Deny from 192.168.0.1
Allow from All

As I understood it, I have just blocked that IP but allowed all others; however, the manual seems to suggest otherwise, saying that the Deny rule is read first and, if matched, the IP is blocked UNLESS it also matches an Allow directive.

Do I then take it that I have gone on to 'Allow All', so countermanding the first rule? Puzzled, surely not!

I have changed the order to Allow,Deny so I allow All, then check for a specific IP and block it, as the logic seemed to make more sense?

The question arises as I'm finding it impossible to kick some IPs off the server and can't figure out why, and yes, AllowOverride is set to All, and I know the .htaccess file is functioning as there is a heap of mod_rewriting occurring.

Before you make your first post it is vital that you READ THE POSTING GUIDELINES!
----------------------------------------------------------------
Please post ALL your code - both CSS & HTML - in [code] tags
Please validate and ensure you have included a full Doctype before posting.
Why validate? Read Me

gary.turner

If the address matches both the Allow and Deny directives, the last controls. By using Order Deny,Allow you're saying, "if this is 192.168.0.1, deny it first, then allow it". It's like CSS: equal weight, the last rule overrules the previous rules.

The correct order is "allow,deny".

cheers,

gary

If your web page is as clever as you can make it, it's probably too clever for you to debug or maintain.

Hugo

Thanks Gary, just needed someone to confirm that. So having set the reverse, I'm now running Allow All and then specifying the Deny clause, which is the correct approach as I thought.

Irony is that I'm attempting to block your home state Texas, and more specifically Houston (big smile). Sorry about that, I don't mean any offence, but have you any idea of the massive splogging base that town is?


gary.turner

I don't know that you can block geographically like that. IP address blocks are assigned to ISPs. The best you can do is block, say, AT&T or Roadrunner at their local or regional router farms with a partial IP address. I'd hate for you to block Verizon's addy block; how would I spam your sites, then?

cheers,

gary


Hugo

I know that I can't block by region, and yes blocks are assigned to ISPs so I'm effectively blocking any number of legit users.

Blocking is not really something one ought to be doing, but what does one do? The registration with WPMU has seemingly been messed up by BuddyPress's own registration. A CAPTCHA placed on the form is utterly ineffective, and there is little else I can think of short of adding hidden inputs, but that will likely not work. I might add a check on referrer or IP address on the registration page: if the IP is in the range 174.*.*.*, redirect to a honey-trap style page apologising if users are legit and providing an alternate signup page or link back to the registration page, and allow past the initial IP check if the referrer page is my honey-trap one. That might sort bots out, but it's not only bots; I notice curl hits to the registration page, so how do I deal with the page being downloaded, filled in and run from remote machines?

On a side note, I was interested in

Wikipedia wrote:

If you block an IP address in any of the following ranges, you are required to immediately notify the Wikimedia Foundation Communications Committee. These ranges are allocated to major governmental organizations and blocks of these organizations have political and public relations implications that must be managed by the Foundation's press relations team. Avoid long blocks of these addresses and be especially careful in formulating your block messages because your block message will be seen and commented on by the press.

It goes on to list a series of sensitive government IP ranges, from US Homeland Security to the Qatar government to the UK Parliament.


gary.turner

Unless you're being spammed by infected machines, your logs ought to be a source of IP addys that might let you sort out some class C subnets that will block the spambots without hurting too many innocents.

cheers,

gary

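Gary's suggestion above, mining the access log for the /24 subnets that generate the registration traffic, is easy to turn into a repeatable check. The script below is an added example, not code from the forum or from any project discussed here: it parses Apache combined-format log lines, keeps only POSTs to the registration path, aggregates hits per /24 and emits candidate `Deny from` lines for subnets above a threshold. The log lines, the `/register` path and the threshold are constructed assumptions for illustration; the addresses are made up.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample access-log lines (Apache combined format) with
# made-up client addresses; a real run would read the server's access_log.
SAMPLE_LOG = """\
174.10.20.5 - - [10/Oct/2010:13:55:36 +0000] "POST /register HTTP/1.1" 200 512 "-" "curl/7.19.7"
174.10.20.9 - - [10/Oct/2010:13:55:40 +0000] "POST /register HTTP/1.1" 200 512 "-" "Mozilla/5.0"
174.10.20.77 - - [10/Oct/2010:13:56:01 +0000] "POST /register HTTP/1.1" 200 512 "-" "curl/7.19.7"
174.10.20.101 - - [10/Oct/2010:13:56:12 +0000] "POST /register HTTP/1.1" 200 512 "-" "curl/7.19.7"
203.0.113.4 - - [10/Oct/2010:13:57:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.4 - - [10/Oct/2010:13:57:30 +0000] "POST /register HTTP/1.1" 200 512 "http://example.com/register" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2010:13:58:02 +0000] "POST /register HTTP/1.1" 200 512 "-" "curl/7.19.7"
"""

# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def subnet_hits(log_text, path="/register", method="POST", prefix=24):
    """Count requests matching method+path, grouped by the client's /prefix subnet.
    Returns a list of (subnet, hits) sorted by hits, highest first."""
    counts = Counter()
    for rec in parse(log_text):
        if rec["method"] == method and rec["path"] == path:
            # strict=False zeroes the host bits, e.g. 174.10.20.5/24 -> 174.10.20.0/24
            net = ipaddress.ip_network(f"{rec['ip']}/{prefix}", strict=False)
            counts[str(net)] += 1
    return counts.most_common()


def deny_candidates(log_text, min_hits=3, **kw):
    """Subnets with at least min_hits matching requests, as Deny lines for review.
    The threshold is a constructed assumption; tune it against your own traffic."""
    return [f"Deny from {net}" for net, n in subnet_hits(log_text, **kw) if n >= min_hits]


if __name__ == "__main__":
    for net, n in subnet_hits(SAMPLE_LOG):
        print(f"{net:20} {n}")
    print("\n".join(deny_candidates(SAMPLE_LOG)))
```

The output is a review list, not something to paste blindly: a /24 belongs to an ISP, so as the thread notes, every candidate also covers legitimate users on that subnet.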

Chris..S

Back to the original question. There are two possible setups:

# Deny,Allow permits by default
# Allow directives are used to allow access to subsets of Deny directives
Order Deny,Allow
Deny from 192.168.0.1

# Allow,Deny denies by default
# Allow from all is needed to permit general access
Order Allow,Deny
Deny from 192.168.0.1
Allow from All

The page at apache.org should be pretty clear, especially the table with all the possibilities.

Using Allow from All (or Deny from All) restricts the usefulness of the directives - but I guess does make things clearer for people who are unfamiliar with the syntax. If you don't use "* from all" you can set access for a range and then set the opposite access for subsets of that range. E.g.

# deny from everywhere, permit local IPs in the 192.168.*.* range but deny 192.168.0.1
Order Allow,Deny
Allow from 192.168.0.0/16
Deny from 192.168.0.1

# allow from everywhere, deny bad ISP, allow people caught by the ban who have complained (and we believe are safe)
Order Deny,Allow
Deny from 12.34.56.0/24
Allow from 12.34.56.78
Allow from 12.34.56.123
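Because the whole thread hinges on how Order, Deny and Allow resolve together, here is a small evaluator, added as an example and not code from the forum or from Apache, that models the Apache 2.2 mod_access rule (in Apache 2.4 the same directives live in mod_access_compat): the directive named last in Order wins when a client matches both an Allow and a Deny, and it is also the default when nothing matches. The config strings are constructed from Hugo's original block and Chris's rewrites; the function names `evaluate` and `_matches` are my own, only IPv4 is handled, and the rarely used `Order Mutual-failure` is not modelled. Running it shows why Hugo's first block still lets 192.168.0.1 through.

```python
import ipaddress

# Constructed configs: Hugo's original block and Chris's rewrites from the thread.
HUGO_ORIGINAL = """
Order Deny,Allow
Deny from 192.168.0.1
Allow from All
"""
HUGO_REVERSED = """
Order Allow,Deny
Deny from 192.168.0.1
Allow from All
"""
CHRIS_SUBSET = """
# deny from everywhere, permit 192.168.*.* but deny 192.168.0.1
Order Allow,Deny
Allow from 192.168.0.0/16
Deny from 192.168.0.1
"""
CHRIS_EXEMPT = """
# allow from everywhere, deny one /24, exempt two hosts inside it
Order Deny,Allow
Deny from 12.34.56.0/24
Allow from 12.34.56.78 12.34.56.123
"""


def _matches(pattern, ip):
    """True if an Allow/Deny 'from' argument matches client IPv4 address `ip`.
    Handles 'all', a full address, CIDR notation and Apache's partial
    dotted-prefix form (e.g. '174' or '192.168')."""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) == 4:
        return ipaddress.ip_address(ip) == ipaddress.ip_address(pattern)
    # partial address: compare whole leading octets
    return ip.split(".")[: len(octets)] == octets


def evaluate(config, ip):
    """Return 'allow' or 'deny' for `ip` under a block of Order/Allow/Deny lines.
    Models Apache 2.2 mod_access: the directive named last in Order wins when
    both an Allow and a Deny match, and is the default when nothing matches."""
    order = ("deny", "allow")  # Apache's default when no Order line is present
    allow_pats, deny_pats = [], []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order":
            order = tuple("".join(parts[1:]).lower().split(","))
            if sorted(order) != ["allow", "deny"]:
                raise ValueError(f"unsupported Order: {raw!r}")
        elif directive in ("allow", "deny"):
            if len(parts) < 3 or parts[1].lower() != "from":
                raise ValueError(f"malformed directive (missing 'from'?): {raw!r}")
            (allow_pats if directive == "allow" else deny_pats).extend(parts[2:])
    allowed = any(_matches(p, ip) for p in allow_pats)
    denied = any(_matches(p, ip) for p in deny_pats)
    last = order[1]
    if allowed and denied:
        return last      # both matched: the last-named directive controls
    if allowed:
        return "allow"
    if denied:
        return "deny"
    return last          # nothing matched: default is the last-named directive


if __name__ == "__main__":
    configs = [("HUGO_ORIGINAL", HUGO_ORIGINAL), ("HUGO_REVERSED", HUGO_REVERSED),
               ("CHRIS_SUBSET", CHRIS_SUBSET), ("CHRIS_EXEMPT", CHRIS_EXEMPT)]
    for name, cfg in configs:
        for client in ("192.168.0.1", "192.168.5.9", "12.34.56.78", "12.34.56.200", "8.8.8.8"):
            print(f"{name:14} {client:14} -> {evaluate(cfg, client)}")
```

The first two cases are the ones Hugo asked about: with `Order Deny,Allow` the trailing `Allow from All` matches 192.168.0.1 too, and Allow is last, so the host is let in; with `Order Allow,Deny` the Deny is last and the same three lines block it.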

Hugo

Thanks Chris,

Yes, one thing I had figured was that in many ways All is a somewhat defeating instruction, given to being misapplied; thinking it through, the Allow directive is, or should be, used to set specifics.

By and large I think the use of the Order directive is too problematic for the use I want to put it to. Although I have denied one IP that was fixed and a habitual nuisance, the sploggers are playing an altogether cleverer game, and I think a different approach is called for, along the lines of my earlier musings.


Chris..S

What's the problem with the CAPTCHA?

IP ranges, although they sound really big, probably don't catch many people, unless your audience is groups like students, where several could belong to the one campus.

Hugo

Not sure what the issue with the CAPTCHA is. In reality I think it catches/prevents a few, but it's interesting how clever these sploggers are, and it's not just myself having the issue; it's discussed on the WPMU BuddyPress forums as a subject that no one has found a real answer to.

I understand that IP ranges are not necessarily going to catch many people, but I am watching real-time server hits and one particular IP range is the root cause most of the time, although checking the IP reports a different location than the plugin does.

I'm going to try my honey trap to see how many hits that page gets just for interests sake.


CupidsToejam

I think you should go with the blue one. (party)

Hugo

Yeah life was simple when all I had to worry about was background:blue;

Maintaining servers / sites (angry), you can keep it, more hassle than it's worth (smile), although I've been glad to start grubbing around properly with LAMP via the shell.
