How to block IPs for POST requests, but not GET? - apache

I have a website where I'm getting quite a lot of comment spam. Looking at the IP addresses the spam originates from, they're mostly from countries where it's unlikely any real humans would want to interact with my English-language website, so it makes sense for me to simply block them.
This should be quite straightforward, however I'd like it if traffic from these countries could actually view my content, just not access the comment, registration etc. forms. So effectively I want to allow them to make GET method requests, but not POST method ones.
Ideally, I'd like to do this in the .htaccess file for the site rather than actually coding it into the PHP scripts that power the site. After a bit of searching, I found what I thought was exactly what I needed: . It appeared that I could do exactly as described above with:
# Block China, Russia etc. from POSTs and similar methods
<Limit POST PUT DELETE>
order deny,allow
deny from 210.5.214.128/29
deny from 210.89.69.160/28
# Hundreds more lines...
# My current IP (sample provided here, actual used in reality), to test
deny from 100.100.100.100
allow from all
</Limit>
# Allow anyone to do GETs and HEADs
<Limit GET HEAD>
order deny,allow
allow from all
</Limit>
But it's not having the desired effect. I can do GET requests (as desired), but POSTs also still work as normal where I would expect a 403 Forbidden error perhaps.
If I don't use the <Limit> tag and put my IP in the deny list, it does successfully prevent me from accessing the site (both GET and POST).
Can anyone advise me as to what I need to change?

Change the order of allow deny like this:
<Limit POST PUT DELETE>
order allow,deny
allow from all
deny from 210.5.214.128/29
deny from 210.89.69.160/28
# Hundreds more lines...
# My current IP (sample provided here, actual used in reality), to test
deny from 100.100.100.100
</Limit>
<Limit GET HEAD>
order deny,allow
allow from all
</Limit>

Block a backend directory, e.g. /wp-admin, except for an allowed IP (even if you have the password):
<Limit POST PUT DELETE>
order deny,allow
deny from all
#allow from localhost
#allow from 127.0.0.1
allow from xxx.xxx.xx.xx
</Limit>
# Allow anyone to do GETs and HEADs
<Limit GET HEAD>
order deny,allow
allow from all
</Limit>

Related

How to do apache htaccess ban by ip with the some exception?

P.S.: Sorry, and please be lenient with my English.
I have a situation where some IPs must be blocked, and the better way to do this, to my mind, is htaccess, because I have many entry points. It is easy and works fine...
I do:
<Files *>
Order allow,deny
deny from aaa.aaa.aaa.aaa/aa
deny from bbb.bbb.bbb.bbb/bb
Allow from all
</Files>
BUT! There is one more thing. I have a few devices which should be allowed access even if they come through a denied IP.
I can't install any module for Apache, so I need some simple way to decide it.
Can someone give me some ways or some tricks for it?

You need some way of identifying those devices, then you can add an environment variable to set up an exception and use access control by environment variable. For example, if you can do it by user-agent:
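# Flag requests from the exempt devices (User-Agent is client-controlled, so this is not authentication)
SetEnvIf User-Agent SpecialUA UAException=1
<Files *>
# Deny is evaluated first, then Allow; a request matching both is allowed
Order deny,allow
Deny from aaa.aaa.aaa.aaa/aa
Deny from bbb.bbb.bbb.bbb/bb
# Apache 2.2 syntax for access control by environment variable
Allow from env=UAException
</Files>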
See also SetEnvIf. I am linking to Apache 2.2 docs since you are using the old syntax which has been updated in 2.4.

Is repeating "Deny from x.x.x.x" and "Allow from all" correct?

I am using the following syntax to block some IPs from my .htaccess file:
DirectoryIndex index.php
order allow,deny
deny from 17.18.19.0
deny from 18.17.19.1
allow from all
and now I am not sure if I can even use this:
DirectoryIndex index.php
order allow,deny
deny from 18.17.19.1
allow from all
deny from 18.15.19.1
allow from all
deny from 18.18.19.1
allow from all
So can I just repeat this structure?
deny from x.x.x.x
allow from all
Why am I asking? Because I found a PHP script that just appends "deny from" at the end of the file, and I am not sure if I need the "allow from all" line.
Can it be just like this?
DirectoryIndex index.php
order allow,deny
allow from all
deny from 17.18.19.0
deny from 18.17.19.1
deny from ... etc.

First of all, this documentation page does a good job explaining things.
The following quote comes from mod_authz_host's documentation:
The Order directive, along with the Allow and Deny directives,
controls a three-pass access control system. The first pass processes
either all Allow or all Deny directives, as specified by the Order
directive. The second pass parses the rest of the directives (Deny or
Allow). The third pass applies to all requests which do not match
either of the first two.
Note that all Allow and Deny directives are processed, unlike a
typical firewall, where only the first match is used. The last match
is effective (also unlike a typical firewall). Additionally, the order
in which lines appear in the configuration files is not significant --
all Allow lines are processed as one group, all Deny lines are
considered as another, and the default state is considered by itself.
In other words, if you have Order Allow,Deny, it will first process all Allow directives, then all Deny directives. You can probably figure out that it doesn't matter if you have 1 Allow from all or 100 Allow from all directives. The final result is the same, but with 100 of those directives your server will need more time processing. It will then process all deny directives and overwrite the permission you just gave if needed.
Therefore, you just need one Order Allow,Deny directive and only one Allow from all directive. Whatever script you are using can then just append Deny directives as it sees fit and all will work as expected.
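
The evaluation order quoted above, and the `order deny,allow` versus `order allow,deny` difference from the first question on this page, modelled in Python as an added example (not code from any poster or from Apache). The function names and the address 203.0.113.7 are constructed for illustration, and the model only handles `all`, single addresses and CIDR blocks, not hostnames, partial IPs or `env=`.

```python
import ipaddress

def matches(specs, ip):
    """True if ip matches any spec ('all', a single address, or a CIDR block)."""
    addr = ipaddress.ip_address(ip)
    return any(s == "all" or addr in ipaddress.ip_network(s, strict=False)
               for s in specs)

def order_permits(order, allow, deny, ip):
    """Apply the Apache 2.2 Order rules to one client address."""
    allowed, denied = matches(allow, ip), matches(deny, ip)
    if order == "allow,deny":
        # Allow pass, then Deny pass, default deny: a Deny match always wins.
        return allowed and not denied
    if order == "deny,allow":
        # Deny pass, then Allow pass, default allow: an Allow match always wins.
        return allowed or not denied
    raise ValueError("unknown Order: " + order)

def request_permitted(sections, method, ip):
    """sections: (methods, order, allow, deny) tuples, one per <Limit> block.
    A method that no <Limit> block names is not restricted at all."""
    for methods, order, allow, deny in sections:
        if method in methods:
            return order_permits(order, allow, deny, ip)
    return True

# Deny list from the first question; 100.100.100.100 is its sample test address.
BLOCKED = ["210.5.214.128/29", "210.89.69.160/28", "100.100.100.100"]
WRITE, READ = {"POST", "PUT", "DELETE"}, {"GET", "HEAD"}

# As asked: "allow from all" is applied after the denies and overrides them.
QUESTION = [(WRITE, "deny,allow", ["all"], BLOCKED), (READ, "deny,allow", ["all"], [])]
# As answered: the denies are applied after "allow from all".
ANSWER = [(WRITE, "allow,deny", ["all"], BLOCKED), (READ, "deny,allow", ["all"], [])]
# Allowlist variant: only one address may write (203.0.113.7 is a constructed value).
ADMIN_ONLY = [(WRITE, "deny,allow", ["203.0.113.7"], ["all"]), (READ, "deny,allow", ["all"], [])]

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION), ("answer", ANSWER), ("admin-only", ADMIN_ONLY)):
        for method, ip in (("GET", "100.100.100.100"), ("POST", "100.100.100.100"),
                           ("POST", "210.5.214.130"), ("POST", "203.0.113.7")):
            verdict = "allowed" if request_permitted(cfg, method, ip) else "403 Forbidden"
            print(f"{name:10} {method:4} {ip:16} -> {verdict}")
```

Because a method that no `<Limit>` block names is unrestricted, a deny list placed inside `<Limit>` only protects the methods it lists.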

Denying Access to Particular IPs on Apache

One of my websites is being continuously attacked by spammers originating from a certain set of countries.
There are four culprit IPs that are proving to be a nuisance.
I have tried using the mod_access utility of Apache and have the following lines added to my .htaccess
<Limit GET POST>
order allow,deny
Allow from all
deny from 201.xx.xx.xx
deny from 202.xx.xx.x
deny from 201.xx.xx.xx
deny from 201.xx.xxx.xx
</Limit>
However, for some reason, the spammers are still able to access my site and the spam continues from the said IPs.
Can anyone tell me where exactly it is that I am going wrong?

Just remove the limit:
order allow,deny
deny from 201.xx.xx.xx
deny from 202.xx.xx.x
deny from 201.xx.xx.xx
deny from 201.xx.xxx.xx
allow from all

How to block all IP addresses from secureserver.net using htaccess?

This usually would work using allow,deny:
order allow,deny
deny from secureserver.net
allow from all
But for this specific domain the logs show that it is still allowing access, for example:
ip-50-63-174-95.ip.secureserver.net gets a 200 OK response to requests.

Try this:
<Limit GET POST>
order allow,deny
allow from all
deny from .secureserver.net
</Limit>

Need to deny all IPs except mine from accessing site and display friendly error

I need to deny all IPs except mine.
I got my outward facing IP from whatismyip.com. Let's assume it is 200.200.200.200
Here is the beginning of my .htaccess
ErrorDocument 403 /down.html
<Limit GET POST>
order deny,allow
deny from all
allow from 200.200.200.200
</Limit>
This works with the denying part - it shows my down.html page. However it denies me even when I place my correct IP in the .htaccess. Am I doing something wrong?
Also the down.html page contains an image - but seeing as all requests are being denied, I had to host it on a different domain to get it to display. My .htaccess skills are a little rusty, but how would I go about allowing that one image request through using .htaccess on this domain?

<Limit GET POST>
order allow,deny
allow from 200.200.200.200
deny from all
</Limit>