How can I deny access to stats by IP address?

My .htaccess works great for my main domain, but denied IPs still get a 401 - Authentication Required when they try to access stats (instead of a 403 - Forbidden).

How can I fix this? I know it has something to do with the fact that /stats is not a real directory under my domain.


I added this to my .htaccess file - but it creates a 500 error:

<Directory /home/USERNAME/logs/DOMAINNAME/http/html>
Order Allow,Deny
Deny from 150.70.
Deny from 216.104.15.
Allow from all
</Directory>

… with the correct username and domain name.

What am I doing wrong?

<Directory> is invalid in .htaccess files. They always apply to the directory they’re found in, not to other directories.

Yeah - I discovered that the hard way. Substituting with the directive doesn’t produce an error, but it doesn’t work, either. Guess .htaccess is only valid for the current and child directories, and <Directory> only works in httpd.conf.

Unless Dreamhost configures something for me, there is probably no workaround.

I’m not sure exactly what you are trying to do… You want to make your stats report available to the world except two IP addresses?

Stats are not available without a username/password. However, if someone knows where they are, the files are just sitting there like a challenge. Turns out that the IPs concerned are Trend Micro.

… and I am not the only one dissatisfied with TM:

The mere fact that TM is trying to access the pages means that someone running TM is attempting to get in (as I understand the process).

I just don’t want people snooping around and potentially getting into my stats info. Then they have access to things like user names and locations of files that they have no business seeing.

I want those specific IPs to get a ‘403 Forbidden’ error instead of ‘401 Authentication Required’ - and everyone else to get the 401. However, it seems that there is no way to do that via .htaccess, since the files do not exist as a subdirectory of the main domain. I have no problem with .htaccess syntax, just figuring out how to protect a virtual directory.

I see. Fair enough. Contact support and I bet they can do it for you. I feel the same way about phpMyAdmin ‘just sitting there’ for anyone and everyone to try a few passwords on. Same with webFTP. I had support turn off both features for all of my domains since I do everything over SSH and didn’t want potential breaches due to some unforeseen security flaw.

Another option is to disable stats reporting and use a different method such as Google Analytics or piwik.

I can run Analog for stats locally if I have to … I may investigate turning off webFTP, since I use SFTP/SSH as well. Too bad we have to worry about hackers.

As far as I understand, the stats program just parses the log files once per day. There’s indeed no reason why you can’t turn off stats in the panel and set up your own cron job to parse the logs and put the results in a directory which you have more control over.

I recommended to support making webFTP and phpMyAdmin services which can be turned on and off via the panel, but I don’t think they took my idea very seriously. I think it’s fine if they want to offer it, but it shouldn’t be on by default, or at the very least, there should be a way to disable it.

I wasn’t aware that phpMyAdmin was accessible. ???

Add /dh_phpmyadmin to the end of most DH-hosted domains and change the subdomain to mysql and you’ll be asked to log in to phpMyAdmin via Basic HTTP authentication (i.e. not encrypted).

For example, if you know that is hosted at DH, then usually you can try to get into their database at:

Another thing to watch for in my raw log files.

I see drive-by scans all the time looking for /mysql/setup.php and the like, which is why I had them disable it. All I need is for someone to discover a flaw in the version DH has running and then drive by everyone hosting at DH dumping databases.
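As an added illustration (not code from anyone in this thread), here is a small Python script that applies the same partial-IP deny rules and the sensitive paths mentioned above to raw Apache access-log lines, so you can see from your own logs who is probing /stats or the phpMyAdmin paths and whether your deny list would already cover them. The log lines, IP prefixes and path list are constructed samples, not real traffic.

```python
import re
from collections import defaultdict

# Constructed sample in Apache combined log format (assumed input, not real traffic).
SAMPLE_LOG = """\
150.70.64.10 - - [10/Mar/2010:03:12:01 +0000] "GET /stats/ HTTP/1.1" 401 401 "-" "Mozilla/4.0"
150.70.64.10 - - [10/Mar/2010:03:12:02 +0000] "GET /stats/index.html HTTP/1.1" 401 401 "-" "Mozilla/4.0"
216.104.15.7 - - [10/Mar/2010:03:15:44 +0000] "GET /dh_phpmyadmin/ HTTP/1.1" 404 0 "-" "-"
192.0.2.55 - - [10/Mar/2010:04:01:09 +0000] "GET /mysql/setup.php HTTP/1.0" 404 0 "-" "-"
192.0.2.55 - - [10/Mar/2010:04:01:10 +0000] "GET /phpmyadmin/setup.php HTTP/1.0" 404 0 "-" "-"
198.51.100.3 - bob [10/Mar/2010:08:30:00 +0000] "GET /stats/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
# Partial-IP patterns with the same meaning as Apache 2.2 "Deny from 150.70." etc.
DENY_PREFIXES = ("150.70.", "216.104.15.")
# Paths the thread says are worth watching for in the raw logs.
SENSITIVE_PATHS = ("/stats", "/dh_phpmyadmin", "/phpmyadmin", "/mysql/")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, user, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return (m['ip'], m['user'], m['path'], int(m['status'])) if m else None

def ip_matches_prefix(ip, prefix):
    """Apache-style partial match on whole octets: '150.70.' covers 150.70.0.0/16."""
    want = prefix.rstrip('.').split('.')
    return ip.split('.')[:len(want)] == want

def is_denied(ip, deny_prefixes=DENY_PREFIXES):
    return any(ip_matches_prefix(ip, p) for p in deny_prefixes)

def summarize(log_text, deny_prefixes=DENY_PREFIXES, sensitive=SENSITIVE_PATHS):
    """Per client IP: failed (status >= 400) hits on sensitive paths, how many of
    them were 401 challenges, and whether the deny list would already catch the IP."""
    report = defaultdict(lambda: {'probes': 0, 'auth_failures': 0, 'denied': False})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _user, path, status = parsed
        if status < 400 or not path.startswith(sensitive):
            continue  # successful or unrelated request
        entry = report[ip]
        entry['probes'] += 1
        entry['auth_failures'] += int(status == 401)
        entry['denied'] = is_denied(ip, deny_prefixes)
    return dict(report)
```

Running `summarize(open('access.log').read())` on a real log gives one entry per probing IP; entries with `denied` False are candidates for the deny list.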