How to ban an IP from accessing apache
hostchamp 09-07-2002, 03:10 PM How can I ban/restrict an IP address/subnet from accessing websites hosted on my server? I understand that if you make an entry in hosts.deny it only restricts the IP from accessing inetd services like shell, FTP and POP, but it doesn't restrict the IP from accessing port 80.
MGCJerry 09-07-2002, 04:06 PM Here's a little something for banning IPs.
Put this in your .htaccess file... Replace ###.###.###.### with the IPs you want to ban.
<Limit GET POST>
order allow,deny
allow from all
deny from ###.###.###.###
</Limit>
Hope this helps a little...
davidb 09-07-2002, 04:11 PM Why don't you just deny them at the firewall?
hostchamp 09-08-2002, 03:36 AM MGCJerry, thanks for the code, but I want to ban an IP completely from accessing any virtual domains. davidb, I do not know how I can deny the IP from the firewall; please give details.
StevenG 09-08-2002, 03:55 AM You need to be running a firewall in the first place, and then just add the IP to the blacklisted section (as in most popular firewall configs; it depends which one you use).
Do a search for rc.firewall on Google if you need one...
Techark 09-08-2002, 04:34 AM If you are running ipchains or iptables, add the IP there.
2host.com 09-08-2002, 07:44 AM Originally posted by MGCJerry
Here's a little something for banning IPs.
Put this in your .htaccess file... Replace ###.###.###.### with the IPs you want to ban.
<Limit GET POST>
order allow,deny
allow from all
deny from ###.###.###.###
</Limit>
Hope this helps a little...
Just for the record, you shouldn't limit only GET and POST. Don't specifically add those, just deny all methods by default with <Limit> only. <Limit GET POST> is inherently flawed.
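The difference 2host.com is describing, as an added example that is not from the thread or from any of the posters: the posted snippet beside two forms that apply to every request method. The Apache documentation's own advice is that access-control directives should not be placed inside a <Limit> section at all. The first two forms assume Apache 1.3/2.0/2.2 syntax (Order/Allow/Deny); the last assumes Apache 2.4 (mod_authz_core, Require). 192.0.2.0/24 is documentation address space standing in for the network to ban.

```apache
# Added example, not code from the thread.
# 192.0.2.0/24 stands in for the address or subnet you want to ban.

# 1. The posted form. Only GET and POST are denied (HEAD is covered by GET).
#    PUT, DELETE, OPTIONS, TRACE and WebDAV methods are not limited at all,
#    so the banned client can still reach the server with them.
<Limit GET POST>
    Order allow,deny
    Allow from all
    Deny from 192.0.2.0/24
</Limit>

# 2. Corrected .htaccess form: no <Limit> container, so the three directives
#    apply to every method. This protects the directory tree the .htaccess
#    file sits in.
Order allow,deny
Allow from all
Deny from 192.0.2.0/24

# 3. Server-wide form for the original question (every virtual host):
#    a <Location /> in the main server context of httpd.conf is inherited
#    by each <VirtualHost>. Apache 2.4 syntax; on 2.2 use the three lines
#    from (2) inside the same <Location /> block instead.
<Location />
    <RequireAll>
        Require all granted
        Require not ip 192.0.2.0/24
    </RequireAll>
</Location>
```

Directives in .htaccess take effect only where the enclosing <Directory> allows them (AllowOverride Limit or All), and on Apache 2.4 the Order/Allow/Deny lines need mod_access_compat loaded. Either Apache form still lets the client complete the TCP handshake and send a request that Apache parses and logs, which is why the firewall answers later in this thread stop more than Apache can; and if a reverse proxy sits in front of the server, the address Apache sees is the proxy's, not the client's.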
Acronym BOY 09-08-2002, 12:28 PM 2host is correct. If you are going the Apache way (which still doesn't stop many other things), don't allow anything.
hostchamp 09-08-2002, 12:43 PM Okay, I have ipchains installed on my server. How do I check whether it's running or not?
Will it affect/degrade any of my other services, considering I am a web host?
Is there anything else which needs to be configured in ipchains if it affects the functioning of any other daemons or affects any users?
2host.com 09-08-2002, 06:07 PM Originally posted by hostchamp
Okay, I have ipchains installed on my server. How do I check whether it's running or not?
Will it affect/degrade any of my other services, considering I am a web host?
Is there anything else which needs to be configured in ipchains if it affects the functioning of any other daemons or affects any users?
You can check chkconfig to see if it's enabled and turn it on there (for boot). You can check whether there's anything in it by listing the rules:
/path/to/ipchains -L -n
You can add an IP to block (from all ports in this case):
/sbin/ipchains -A input -s ip.address.here/255.255.255.255 -d 0.0.0.0/0.0.0.0 -j DENY -l
The final '-l' (that's a lowercase L, not a one) enables logging. If you don't want to log attempted accesses by the blocked IP, just leave the -l out.
How you do it is a matter of personal preference and what you want or need to do, so the above rule might not make as much sense to you as a simpler or alternative rule. You can also block the classes:
/sbin/ipchains -A input -s 217.1.1.171/8 -d 0.0.0.0/0.0.0.0 -j DENY -l
/sbin/ipchains -A input -s 63.207.108.10/24 -d 0.0.0.0/0.0.0.0 -j DENY -l
The two examples above use example IPs and have logging enabled.
More information can be obtained by typing "man ipchains" or trying "info ipchains" as well. Plenty of pages and recipes are surely out there for you to look at and seek help with too.
MGCJerry 09-08-2002, 09:35 PM Originally posted by 2host.com
Just for the record, you shouldn't limit only GET and POST. Don't specifically add those, just deny all methods by default with <Limit> only. <Limit GET POST> is inherently flawed.
Hmmm... I hadn't thought of that. Thanks for the tip :)
hostchamp 09-09-2002, 03:31 AM Robert, here is the output of ipchains -L -n:
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
Chain PORTSEN (0 references):
Does this mean I have ipchains running?
Now what would I need to do to block an IP, for example:
61.11.80.251
Also, (1) what would the command look like if I want to block the complete block 61.11.80.xxx, and (2) 61.11.xxx.xxx?
Also, how do I unblock if I have to?
Cheers!
2host.com 09-09-2002, 04:21 AM Originally posted by hostchamp
Robert, here is the output of ipchains -L -n:
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
Chain PORTSEN (0 references):
Does this mean I have ipchains running?
Yes it does. :-)
Now what would I need to do to block an IP, for example:
61.11.80.251
/sbin/ipchains -A input -s 61.11.80.251/255.255.255.255 -d 0.0.0.0/0.0.0.0 -j DENY
(There are other ways and other syntaxes you can use for the above and for the examples below.)
Also, (1) what would the command look like if I want to block the complete block 61.11.80.xxx
/sbin/ipchains -A input -s 61.11.80.251/24 -d 0.0.0.0/0.0.0.0 -j DENY
and (2) 61.11.xxx.xxx?
/sbin/ipchains -A input -s 61.11.80.251/8 -d 0.0.0.0/0.0.0.0 -j DENY
Also, how do I unblock if I have to?
Cheers!
The -L -n will list the rules with numeric addresses. You don't need the -n, but it makes listing a large number of rules much faster. The -L lists the rules. You can list the rules with their line numbers by appending "--line-numbers" to the command line.
So:
/sbin/ipchains -L -n --line-numbers
will display the rules and the line number of each. Locate the rule you want to remove and its line number.
Then type:
/sbin/ipchains -D input chain-rulenum-here [options] (if you have any)
Use "man ipchains" in the shell to get more help, or "info ipchains" while in the shell.
hostchamp 09-09-2002, 05:44 AM Excellent, thanks. Just curious, what do the "/24" and "/8" mean? I assume that's how you get into a subnet and block it?
2host.com 09-09-2002, 05:53 AM Originally posted by hostchamp
Excellent, thanks. Just curious, what do the "/24" and "/8" mean? I assume that's how you get into a subnet and block it?
Yes, that is correct. And my mistake earlier: I meant /16, not /8. /8 will block 123.xxx.xxx.xxx; you wanted 123.123.xxx.xxx (/16) and 123.123.123.xxx (/24).
Here's a better example:
Netmask          /x   Subnet
255.0.0.0         8   Class A
255.255.0.0      16   Class B
255.255.255.0    24   Class C
255.255.255.255  32   Point-to-point
I will give better examples of shorter syntax for the actual deny rules if you'd prefer it. REJECT might be better than DENY, but if you have iptables, I'd suggest using that instead and just dropping the traffic altogether with DROP.
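An added example, not code from the thread, covering both the rule syntax 2host.com gave earlier and the /8, /16, /24 correction just above: a POSIX sh script that expands an address/prefix pair into the network the kernel will actually match, so that a slip like 61.11.80.251/8 shows up as "all of 61.0.0.0/8, 16777216 addresses" before the rule is loaded. It prints iptables rules (2host.com's own suggestion over ipchains, with DROP) and never touches the kernel; the INPUT chain and the DROP target are assumptions, and the same network/prefix goes into an ipchains -s argument unchanged.

```shell
#!/bin/sh
# Added example (not from the thread): show what an address/prefix really
# matches, then print the firewall rule for it. It only prints; run the
# printed line as root once you have confirmed it covers what you meant.
# Assumed: iptables filter table, INPUT chain, DROP target.

# Dotted quad -> 32-bit integer, e.g. 61.11.80.251 -> 1024151803
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Dotted-quad netmask for a prefix length: 8 -> 255.0.0.0, 24 -> 255.255.255.0
prefix_to_mask() {
    int_to_ip $(( 4294967295 - ((1 << (32 - $1)) - 1) ))
}

# Number of addresses a prefix covers: 24 -> 256, 8 -> 16777216
hosts_in() {
    echo $(( 1 << (32 - $1) ))
}

# The network the kernel matches for ADDR PREFIX. Host bits are cleared,
# so "61.11.80.251 8" -> 61.0.0.0 (every 61.x.x.x address), not 61.11.80.x
network_of() {
    m=$(( 4294967295 - ((1 << (32 - $2)) - 1) ))
    int_to_ip $(( $(ip_to_int "$1") & m ))
}

# One rule line for ADDR[/PREFIX]; a bare address is a single host (/32)
block_rule() {
    a=${1%/*}
    p=${1#*/}
    [ "$p" = "$1" ] && p=32
    echo "iptables -A INPUT -s $(network_of "$a" "$p")/$p -j DROP"
}

# Review each target before loading anything: the host and the two subnets
# asked about in the thread, plus the /8 that was typed by mistake for /16.
for target in 61.11.80.251 61.11.80.251/24 61.11.80.251/16 61.11.80.251/8; do
    a=${target%/*}
    p=${target#*/}
    [ "$p" = "$target" ] && p=32
    printf '%-18s -> %s/%s  mask %s  (%s addresses)\n' \
        "$target" "$(network_of "$a" "$p")" "$p" "$(prefix_to_mask "$p")" "$(hosts_in "$p")"
    echo "    $(block_rule "$target")"
done
```

The habit worth keeping from this is the check, not the script: before adding a subnet rule, confirm the network and address count it expands to, because a wrong prefix on a firewall rule fails silently and the thread's earlier worry about locking yourself out is exactly how a /8 typed for a /16 goes wrong.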
hostchamp 09-09-2002, 07:08 AM Robert,
Someone told me:
"as soon as you start ipchains, you are blocked"
Is this correct? Do I need to make some entries so that I can access the server myself?
I do have iptables-1.2.1a-1 installed.
And yes, any better example on the DENY / REJECT rules is most welcome; I am a keen learner :cool:
2host.com 09-09-2002, 07:16 AM Originally posted by hostchamp
Robert,
Someone told me:
"as soon as you start ipchains, you are blocked"
Is this correct?
No, that's not correct. That will happen if you put in the wrong IP or block the wrong class. As long as you input the right values and pay attention, there's nothing to worry about. If you don't know what you're doing, you can block yourself, yes.
Do I need to make some entries so that I can access the server myself?
Your server doesn't have any rules/chains now, so you needn't worry about that. Some people have servers set up to block outside access by default, and that can sometimes cause problems on a new server setup. But the person that sets up the server just needs to be sure not to block remote access. You don't have that; ipchains is already on, and the rules are already in effect.
I do have iptables-1.2.1a-1 installed.
Sorry, I don't know what the newest ipchains version is. I'm sure that's fine though. I use iptables myself, as it comes with and is better suited to the newer 2.4.x kernels.
And yes, any better example on the DENY / REJECT rules is most welcome; I am a keen learner :cool:
I think that perhaps the rules I gave you might actually be best, because then you can just change the IP in the example to suit your needs, as well as the class. That way there's little room for mistakes, instead of using other syntax to block classes and maybe ending up blocking yourself. I'd suggest you do a search using the relevant keywords on google.com, find some site that makes the most sense to you, and see if you prefer or can better use another format. You alone are the best person to decide that. It'll be good to learn anyway, as it'll provide a lot of information, examples and whatnot that man pages don't provide.
hostchamp 09-09-2002, 07:24 AM Thanks, very helpful.
This is what another guy says:
ipchains blocks everything by default; in fact all firewalls block everything, and only one by one can you open a port or IP.
Is this correct?
2host.com 09-09-2002, 07:40 AM Originally posted by hostchamp
Thanks, very helpful.
This is what another guy says:
ipchains blocks everything by default; in fact all firewalls block everything, and only one by one can you open a port or IP.
Is this correct?
No, that is not correct. This person doesn't know what he's talking about. A lot of installs will have strict rules by default, but not a web server. Firewalls do not block everything by default. You already have it running, and it's not blocking you now. Most Linux servers have ipchains or iptables running by default.
hostchamp 09-09-2002, 08:38 AM All righty, please check my other post on the DNS zone file issue when you get time.