This usually would work using allow,deny:
order allow,deny
deny from secureserver.net
allow from all
But for this specific domain the logs show that it is still allowing access; for example, ip-50-63-174-95.ip.secureserver.net gets a 200 OK response to requests.
Try this:
<Limit GET POST>
order allow,deny
allow from all
deny from .secureserver.edu
</Limit>
I have the current configuration in my httpd.conf file. I am trying to remove the vulnerability "Authentication Bypass Using HTTP Verb Tampering". I only want to allow certain HTTP request headers, GET and POST in the example below, and a different header should throw an error.
DocumentRoot "c:/dev"
<Directory "C:/dev">
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride Limit
<LimitExcept GET POST>
Order deny,allow
Deny from all
</LimitExcept>
Order allow,deny
Allow from all
</Directory>
This configuration is still allowing other HTTP request headers like PUT, OPTIONS etc. I am using the Postman API to test my changes. Please help!
This is how you can limit to GET/POST/OPTIONS. Note: NIST STIG V-26396 states that this should not be applied to the root but only to the others, such as in my example (/etc/apache2/apache2.conf).
It appears that this would work as well:
<Location /var/www/>
Order allow,deny
Allow from all
<LimitExcept POST GET>
Deny from all
</LimitExcept>
</Location>
<Location /usr/share/>
Order allow,deny
Allow from all
<LimitExcept POST GET>
Deny from all
</LimitExcept>
</Location>
Further reading:
https://vaulted.io/library/disa-stigs-srgs/apache_22_server_for_unix_security_technical_implementation_guide/V-26396
http://httpd.apache.org/docs/current/mod/core.html#limitexcept
Try these settings:
<Location />
Order allow,deny
Allow from all
<LimitExcept POST GET>
Deny from all
</LimitExcept>
</Location>
The LimitExcept directive is the inverse of the Limit directive. It applies a set of access restrictions to all HTTP methods except for the ones listed with the LimitExcept directive. See this link: http://httpd.apache.org/docs/current/mod/core.html#limitexcept. So the access restrictions are applied to all HTTP methods except for the ones listed with LimitExcept.
In your case the problem seems to be with the access control directives. See this link for more information: http://httpd.apache.org/docs/current/mod/mod_access_compat.html#order
You can try to remove the directives below
Is there any way to block an IP that has already visited a site with htaccess or any other tools?
For example, someone visited this site www.my-site.com/index1.html and I want to prevent him from visiting it again. What is the best way to do this?
You could try something like
Order Deny,Allow
Deny from xxx.xxx.xxx.xxx
or you can deny a block like this
Order Deny,Allow
Deny from xxx.xxx.xxx
xxx is obviously the octet
One of my websites is being continuously attacked by spammers originating from a certain set of countries.
There are four culprit IPs that are proving to be a nuisance.
I have tried using the mod_access utility of Apache and have added the following lines to my .htaccess:
<Limit GET POST>
order allow,deny
Allow from all
deny from 201.xx.xx.xx
deny from 202.xx.xx.x
deny from 201.xx.xx.xx
deny from 201.xx.xxx.xx
</Limit>
However, for some reason, the spammers are still able to access my site and the spam continues from the said IPs.
Can anyone tell me where exactly I am going wrong?
Just remove the Limit:
order allow,deny
deny from 201.xx.xx.xx
deny from 202.xx.xx.x
deny from 201.xx.xx.xx
deny from 201.xx.xxx.xx
allow from all
I have a website where I'm getting quite a lot of comment spam. Looking at the IP addresses the spam originates from, they're mostly from countries where it's unlikely any real humans would want to interact with my English-language website, so it makes sense for me to simply block them.
This should be quite straightforward, however I'd like it if traffic from these countries could actually view my content, just not access the comment, registration etc. forms. So effectively I want to allow them to make GET method requests, but not POST method ones.
Ideally, I'd like to do this in the .htaccess file for the site rather than actually coding it into the PHP scripts that power the site. After a bit of searching, I found what I thought was exactly what I needed: . It appeared that I could do exactly as described above with:
# Block China, Russia etc. from POSTs and similar methods
<Limit POST PUT DELETE>
order deny,allow
deny from 210.5.214.128/29
deny from 210.89.69.160/28
# Hundreds more lines...
# My current IP (sample provided here, actual used in reality), to test
deny from 100.100.100.100
allow from all
</Limit>
# Allow anyone to do GETs and HEADs
<Limit GET HEAD>
order deny,allow
allow from all
</Limit>
But it's not having the desired effect. I can do GET requests (as desired), but POSTs also still work as normal where I would expect a 403 Forbidden error perhaps.
If I don't use the tag and put my IP in the deny list, it does successfully prevent me from accessing the site (both GET and POST).
Can anyone advise me as to what I need to change?
Change the order of allow/deny like this:
<Limit POST PUT DELETE>
order allow,deny
allow from all
deny from 210.5.214.128/29
deny from 210.89.69.160/28
# Hundreds more lines...
# My current IP (sample provided here, actual used in reality), to test
deny from 100.100.100.100
</Limit>
<Limit GET HEAD>
order deny,allow
allow from all
</Limit>
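To make the Order and Limit semantics in these threads concrete, here is a small added evaluator (not from any of the posts, and not Apache's own code) that models how mod_access_compat decides a request. It covers the verb-tampering question with <LimitExcept>, the "just remove the Limit" answer, and the deny,allow versus allow,deny fix in this answer; the method scopes and the 201.0.2.x addresses are constructed stand-ins for the page's placeholders.

```python
import ipaddress

# Model of mod_access_compat evaluation: Order/Allow/Deny, each scoped by the enclosing
# <Limit> (a set of methods) or <LimitExcept> (("except", set)); None means every method.
# Patterns: "all", an IPv4 CIDR, a full IP or leading-octet prefix, or a host suffix.

def _matches(pattern, ip, host):
    if pattern == "all":
        return True
    if "/" in pattern:                       # CIDR, e.g. 210.5.214.128/29
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern[0].isdigit():                 # full IP, or partial octets like 201.0.2
        return ip == pattern or ip.startswith(pattern.rstrip(".") + ".")
    return host is not None and host.endswith(pattern)   # .secureserver.net style

def _in_scope(methods, method):
    if methods is None:
        return True
    if isinstance(methods, tuple) and methods[0] == "except":
        return method not in methods[1]      # <LimitExcept>: everything NOT listed
    return method in methods                 # <Limit>: only the listed methods

def decide(rules, ip, method, host=None):
    """Return 'allowed' or 'denied' for one request against a list of
    ('order', 'allow,deny'|'deny,allow', scope) / ('allow'|'deny', pattern, scope)."""
    order, allowed, denied = "deny,allow", False, False   # Apache default Order
    for kind, value, scope in rules:
        if not _in_scope(scope, method):
            continue                         # rule lives in a <Limit> that skips this method
        if kind == "order":
            order = value                    # last Order covering this method wins
        elif kind == "allow":
            allowed |= _matches(value, ip, host)
        else:
            denied |= _matches(value, ip, host)
    if order == "allow,deny":                # deny wins; unmatched requests are denied
        return "allowed" if allowed and not denied else "denied"
    return "denied" if denied and not allowed else "allowed"   # allow wins; default allow

# Constructed configs mirroring the page's snippets (201.0.2.x stands in for 201.xx.xx.xx).
GP = {"GET", "POST"}
LIMITED_DENY = [("order", "allow,deny", GP), ("allow", "all", GP), ("deny", "201.0.2", GP)]
UNLIMITED_DENY = [(k, v, None) for k, v, _ in LIMITED_DENY]         # "just remove the Limit"
BAD_POST_BLOCK = [("order", "deny,allow", {"POST"}), ("deny", "210.5.214.128/29", {"POST"}),
                  ("allow", "all", {"POST"})]
FIXED_POST_BLOCK = [("order", "allow,deny", {"POST"})] + BAD_POST_BLOCK[1:]
VERB_LOCK = [("order", "allow,deny", None), ("allow", "all", None),
             ("deny", "all", ("except", GP))]                        # <LimitExcept GET POST>
```

Run decide() with a PUT against LIMITED_DENY and it comes back allowed, because nothing inside <Limit GET POST> applies to PUT; with order deny,allow, "allow from all" always wins over a matching deny, which is why the original POST block above never returned 403.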
Block a backend directory, e.g. /wp-admin, except for allowed IPs (even if you have the password):
<Limit POST PUT DELETE>
order deny,allow
deny from all
#allow from localhost
#allow from 127.0.0.1
allow from xxx.xxx.xx.xx
</Limit>
# Allow anyone to do GETs and HEADs
<Limit GET HEAD>
order deny,allow
allow from all
</Limit>
I need to deny all IPs except mine.
I got my outward facing IP from whatismyip.com. Let's assume it is 200.200.200.200
Here is the beginning of my .htaccess
ErrorDocument 403 /down.html
<Limit GET POST>
order deny,allow
deny from all
allow from 200.200.200.200
</Limit>
This works for the denying part - it shows my down.html page. However, it denies me even when I place my correct IP in the .htaccess. Am I doing something wrong?
Also the down.html page contains an image - but seeing as all requests are being denied, I had to host it on a different domain to get it to display. My .htaccess skills are a little rusty, but how would I go about allowing that one image request through using .htaccess on this domain?
<Limit GET POST>
order allow,deny
allow from 200.200.200.200
deny from all
</Limit>