Re: block directories using Apache22


 



192.168.9.43 - - [12/Jun/2013:09:05:23 -0700] "GET /wp-login.php HTTP/1.1" 200 1085

I am still able to get access from a different IP than the one allowed in .htaccess,
as you suggested:
<Files wp-login.php> 
order deny,allow
Deny from all
allow from 192.168.8.4
</Files>



On Wed, Jun 12, 2013 at 9:01 AM, David Guerra <imdavidguerra@xxxxxxxxx> wrote:
Try this format:

<Files wp-login.php>
order deny,allow
Deny from all
allow from xx.xxx.xx.xx
allow from xx.xxx.xx.xx
</Files>



On Wed, Jun 12, 2013 at 11:52 AM, motty cruz <motty.cruz@xxxxxxxxx> wrote:
Hello David, 

This is the content of .htaccess:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !^http://(.*)?mydomain\.com [NC]
RewriteCond %{REQUEST_URI} ^/(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^/(.*)?wp-admin$
RewriteRule ^(.*)$ - [R=403,L]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

<FilesMatch wp-login.php>
Order Deny,Allow
Deny from all
Allow from 192.169.8.4
</FilesMatch>

# END WordPress

but no success! 



On Wed, Jun 12, 2013 at 8:43 AM, David Guerra <imdavidguerra@xxxxxxxxx> wrote:
Flop Allow and Deny so that your IP is whitelisted after the Deny from all.



On Wed, Jun 12, 2013 at 11:20 AM, motty cruz <motty.cruz@xxxxxxxxx> wrote:
Hello, 
I am trying to block a directory from being accessed except from my IP, but I have been unsuccessful in doing so. Please help. First I placed this in httpd.conf:

<Directory "/usr/local/www/apache22/data">
    Options Indexes FollowSymLinks
    Options ALL -Indexes
    IndexIgnore *
    AllowOverride None
    Order allow,deny
    Allow from all
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{HTTP_REFERER} !^http://(.*)?mydomain\.com [NC]
    RewriteCond %{REQUEST_URI} ^/(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^/(.*)?wp-admin$
    RewriteRule ^(.*)$ - [R=403,L]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index_error.php [F,L]
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    RewriteRule ^my-admin$ wp-login.php [L,NC,QSA]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</Directory>

I also tried this in the / directory .htaccess:
<FilesMatch wp-login.php>
Order Allow,Deny
Allow from 192.168.8.4
Deny from all
</FilesMatch>

It is the wp-admin or wp-login.php script that I'm trying to protect from brute-force attacks.

Thanks, 
Motty
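
An added example, not part of the original thread: a simplified Python model of how Apache 2.2 evaluates the `Order`/`Allow`/`Deny` blocks posted above for `wp-login.php`, including the case where `AllowOverride None` (as in the posted `<Directory>` block) leaves the `.htaccess` file unread. The function names are hypothetical, and only `all`, full IPs and CIDR values are modelled.

```python
import ipaddress

def matches(spec, client):
    """True if an Allow/Deny 'from' value covers the client (only 'all', full IPs and CIDR are modelled)."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def evaluate(order, allow, deny, client):
    """Apache 2.2 mod_authz_host decision for one section; returns True when access is granted."""
    allowed = any(matches(s, client) for s in allow)
    denied = any(matches(s, client) for s in deny)
    if order.replace(" ", "").lower() == "deny,allow":
        # Deny is evaluated first, Allow last: default is allow, an Allow match overrides a Deny match.
        return allowed or not denied
    # Order Allow,Deny: default is deny, and a Deny match overrides an Allow match.
    return allowed and not denied

def wp_login_access(client, allow_override, directory_rule, htaccess_rule):
    """Pick the rule that applies to wp-login.php (hypothetical helper). Simplified: with
    AllowOverride None the .htaccess file is not read, so only the <Directory> rule is left."""
    rule = htaccess_rule if allow_override != "None" else directory_rule
    return evaluate(*rule, client)

# Rules as posted in the thread: (order, allow list, deny list)
DIRECTORY = ("allow,deny", ["all"], [])                      # httpd.conf <Directory>
FILES_DENY_ALLOW = ("deny,allow", ["192.168.8.4"], ["all"])  # suggested <Files> block
FILES_ALLOW_DENY = ("allow,deny", ["192.168.8.4"], ["all"])  # first <FilesMatch> attempt
FILES_TYPO = ("deny,allow", ["192.169.8.4"], ["all"])        # 192.169 as in the second <FilesMatch>

if __name__ == "__main__":
    cases = [("Deny,Allow", FILES_DENY_ALLOW), ("Allow,Deny", FILES_ALLOW_DENY), ("typo", FILES_TYPO)]
    for label, rule in cases:
        for override in ("None", "Limit"):
            for client in ("192.168.8.4", "192.168.9.43"):
                ok = wp_login_access(client, override, DIRECTORY, rule)
                print(f"{label:10} AllowOverride {override:5} {client:13} -> {'200' if ok else '403'}")
```

In this model every `.htaccess` variant returns 200 for 192.168.9.43 while `AllowOverride None` is in effect, and only the `Order Deny,Allow` block with the correct address admits 192.168.8.4 and rejects everyone else once overrides are honoured.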




