Help with IP denial


#1

I hope someone can help unravel this mystery.

In my .htaccess file I am denying the following IP blocks:
order allow,deny
#deny from 78.0.0.0 to 78.255.255.255
deny from 78.0.0.0/8
#deny from 88.0.0.0 to 88.255.255.255
deny from 88.0.0.0/8
allow from all

Here are recent access log entries:

88.198.112.187 - - [12/Jan/2009:02:30:42 -0800] “GET / HTTP/1.1” 301 568 “http://spellsbook.com/freescripts/mydomain.com/” “Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16”

78.47.30.13 - - [09/Jan/2009:03:29:29 -0800] “GET / HTTP/1.1” 301 568 “http://jollysailors.com/bestof/mydomain.com/” “Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16”

While I’m not an expert, I have been denying IPs with .htaccess for years. I know this .htaccess file works as I’ve tested using my own IP with no problem. Yet the above IPs have successfully accessed the site. How can that be?

TIA,
Hope


#2

You don’t need the mask if you want to deny from all of 78 and/or 88:

deny from 78
deny from 88

All you need is the first octet. Some users add a trailing dot so it’s 78. or 88. but it’s supposed to be fine without it.

-Scott


#3

Thanks Scott. I’m sure I have a lot to learn but for now I’m concerned with why those IPs were able to access at all. It doesn’t make sense to me!

Edited to add: You weren’t saying that the format I’ve used is incorrect and that’s why they could access, were you?

Thanks.


#4

The /8 mask isn’t going to block everything in that Class A block. Rather than sit here and figure out what the /8 encompasses, I’d say just drop it and block the entire Class A.

-Scott


#5

So you’re saying 88.0.0.0/8 does not include the range 88.0.0.0 to 88.255.255.255? I’m shocked. From what I’ve read on the internet, 88.198.112.187 should fall within that block. I’m happy to take your advice; I’m just a little taken aback, because if what you’re saying is true, I have a lot of work to do revising all my .htaccess files.

Edited to add: I use an online calculator to determine the range. That’s why I’m so surprised.
http://www.ipaddresslocation.org/subnet-mask-calculator.php?ip1=88.0.0.0&ip2=88.255.255.255


#6

I’m just saying that you don’t need the /8 because it’s redundant.

-Scott


#7

I see. I thought you were saying the line I used didn’t cover the IP in that range.

Back to my original question - does anyone else have any thoughts on why these IPs are not being blocked?


#8

Ok, duh, I think… Your “allow,deny” tells mod_access in which order to evaluate your statements. It hits that “allow all” statement and then lets everybody in. If you go “deny,allow” it’ll look at the deny statements and see you’ve denied that IP address and block it and then stop evaluating your statements.

-Scott


#9

Thanks but I don’t understand why some IPs would be denied and those two are not? I mean, if I have incorrectly entered the “allow,deny” line as you’ve implied, then why would it work at all?


#10

Are you saying that some IP addresses in that range are being allowed?

The mechanism I use looks like this for an internal use only site:

Order deny,allow
Deny from all
Allow from nnn.nnn.nnn # Work network
Allow from nn.nn.nn.nn # Boss’ house
Allow from nn.nn.nn.nn # My house

And it works. I have the deny/allow in proper order, and no subnet mask for work’s IP address range.

For yours, I’d make it look exactly like:
order deny,allow
deny from 78
deny from 88
allow from all

-Scott


#11

Yes, that was the initial problem.

Thanks for your help, Scott. I’m still not sure what could be causing it but I’ll post here if I find out.


#12

Sorry, I asked that question backwards. I meant “Are you saying that some IP addresses in that range are being blocked?” Reading back, you posted two entries from that range.

What I see in those entries is a 301, which is a redirect. To where, I don’t know. Do you have something in htaccess that performs a redirect?

-Scott


#13

I haven’t seen other IPs from those 2 blocks yet. I do know I am blocking IPs successfully that are listed below those blocks (in the list/order).

The 301 I’ve since removed. I’ve also cleaned up the file a bit and though the things I’ve modified don’t have anything to do with the allow,deny section, perhaps it will make a difference.


#14

It’s a three-step process…

Allow,Deny:

  1. Allow directives evaluated - at least one must match, or the request is denied.

  2. All Deny directives evaluated - if any match the request is denied.

  3. Any requests which do not match an Allow or a Deny directive are rejected.

Deny,Allow:

  1. Deny directives evaluated - if any match, the request is denied unless it also matches an Allow directive.

  2. Allow directives evaluated - if any match, the request is allowed.

  3. Any requests which do not match any Allow or Deny directives are permitted.

More here: http://httpd.apache.org/docs/1.3/mod/mod_access.html

Maximum Cash Discount on any plan with MAXCASH

How To Install PHP.INI / ionCube on DreamHost


#15

In both cases, if one line says “allow from all” or “deny from all” you’ll get a match and you won’t hit step 3. But it’s nice to know what happens when there’s no match in either case.

-Scott


#16

I think a Deny,Allow in OP’s case will let those IPs through due to the Allow From All.

I have no clue as to why the OP’s original Allow,Deny didn’t work as it looks sane to me * :s

  • Disclaimer: Although it is 40 degrees Celsius in the shade here and I has beer!



#17

That sounds backwards. If you say Deny first, won’t it check the Deny statements first, get a match, and then stop parsing?

Is 40C hot? I was in 50F today (in full sun!) and that felt chilly.

-Scott


#18

Yeah it looks backward, but I think that Allow From All will override the initial IP Deny on the second pass - the third pass being irrelevant.

40C is about a hundred F in the shade (thus the beers!).

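To check the three-step evaluation quoted in #14 against the two configurations in this thread (the OP’s Allow,Deny file from #1, and the Deny,Allow rewrite from #10 that #16 and #18 discuss), here is a small Python model of mod_access’s decision. It is an added example, not Apache’s code and not anything posted in the thread; it models only the IP forms of a from argument (all, a full or partial dotted address, and CIDR), not hostnames, and the two client addresses come from the OP’s log lines.

```python
import ipaddress

# Constructed from the thread: the OP's file (#1) and the Deny,Allow rewrite (#10).
OP_HTACCESS = """\
order allow,deny
#deny from 78.0.0.0 to 78.255.255.255
deny from 78.0.0.0/8
#deny from 88.0.0.0 to 88.255.255.255
deny from 88.0.0.0/8
allow from all
"""
DENY_ALLOW_HTACCESS = """\
order deny,allow
deny from 78
deny from 88
allow from all
"""

def parse_htaccess(text):
    """Return (order, allow_rules, deny_rules); comments and other directives are ignored."""
    order, allows, denies = "deny,allow", [], []  # Deny,Allow is Apache's default Order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() in ("allow", "deny") and parts[1].lower() == "from":
            (allows if parts[0].lower() == "allow" else denies).extend(parts[2:])
        elif len(parts) == 2 and parts[0].lower() == "order":
            order = parts[1].lower()
    return order, allows, denies

def host_matches(rule, ip):
    """Model of mod_access IP matching: 'all', a full or partial dotted address
    ('78' or '78.' covers 78.x.x.x), or CIDR such as 78.0.0.0/8. No hostnames."""
    if rule.lower() == "all":
        return True
    if "/" in rule:
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(rule, strict=False)
    octets = [o for o in rule.split(".") if o]
    return ip.split(".")[:len(octets)] == octets

def access_decision(htaccess, ip):
    """Three-step evaluation for the configured Order: under Allow,Deny an Allow must
    match and no Deny may match (matching neither is rejected); under Deny,Allow a
    matching Allow overrides a matching Deny (matching neither is permitted)."""
    order, allows, denies = parse_htaccess(htaccess)
    allow_hit = any(host_matches(r, ip) for r in allows)
    deny_hit = any(host_matches(r, ip) for r in denies)
    if order == "allow,deny":
        return "allow" if allow_hit and not deny_hit else "deny"
    return "deny" if deny_hit and not allow_hit else "allow"
```

Under this model the OP’s original file denies both logged addresses, while the Deny,Allow version with allow from all admits every address, which is the point #16 and #18 raise.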