On 10 Jun 2012, at 17:21, Michael Sersen wrote: > Hello fellow Apache friends! > > This is my first time posting but I do lurk in the background, listening in on all of your valuable wisdom! :-) Please fix your mailer to send text! > I am having troubles with thousands of spam requests (possible hack attempts) to my server. Evidence? Are they requesting nonexistent dynamic-looking contents, or something? You can always try logging referers(sic) to see if someone has incorrect links to you. > My question is; How can I block all requests, with the only exception being that a referrer may request any resource, just-as-long as they first request my login page? Straight answer: you can't: - if you try, you'll lock out anyone using privacy settings and not sending a referer. - if anyone's really trying to 'hack' you, they can trivially work around it. > Basically I would like to block all inbound requests, but allow unfettered requests from any IP which 1st accesses my login page. Trying to map IPs to users is a fundamental mistake. The only IP you can know with any certainty is the nearest proxy to you (which may or may not identify itself as a proxy). Of course not all users come through a proxy, but that's not up to the server. > Furthermore, is this a good approach towards keeping spam bots away? My logic comes from looking at my access logs, and noticing that the "perps" are unwittingly, not attempting to access my login page. There's a recipe for thwarting "image theft" (your images appearing in other peoples pages). It'll 'work' subject to the above provisos. I think it's in the FAQ. If you actually have a login page, then you can just use session management, such as that provided by mod_session. -- Nick Kew --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx