Re: trying to ban IPs using htaccess - not working

On Mon, Jul 26, 2010 at 11:24 AM, Bennett Haselton
<bennett@xxxxxxxxxxxxx> wrote:
> At 10:32 PM 7/25/2010, you wrote:
>>
>> On Sat, Jul 24, 2010 at 5:40 AM, Bennett Haselton <bennett@xxxxxxxxxxxxx>
>> wrote:
>> > I'm trying to ban certain IPs from visiting my site, so that they instead
>> > see a message saying "Your IP has been banned, email me if you think this is
>> > an error." I've *almost* got it working -- when people visit URLs like
>> > http://209.160.28.154/index.html
>> > or
>> > http://209.160.28.154/foo-does-not-exist
>> > they see the "banned IP" message. However, the problem is that if you try
>> > to access the front page:
>> > http://209.160.28.154/
>> > from a banned IP address, you see the "Apache Test Page for CentOS" page,
>> > instead of seeing the "banned IP" message. Anybody recognize this problem
>> > or have an idea of what could be causing it?
>> >
>> > In my httpd.conf file, I changed "AllowOverride None" to "AllowOverride All"
>> > in both the default <Directory /> tag and inside the <Directory
>> > "/var/www/html"> tag -- I placed a modified copy of httpd.conf at:
>> > http://209.160.28.154/httpd.conf
>> > and in /var/www/html I placed a .htaccess file containing these lines:
>> >>>>
>> > ErrorDocument 403 /banned_ip.php
>> > order deny,allow
>> > deny from 71.112.32.149
>> >>>>
>> > and restarted the server. (The page
>> > http://209.160.28.154/banned_ip.php
>> > shows the message you're supposed to see when connecting from a banned IP.
>> > 71.112.32.149 is my home machine IP which I've "banned" for testing
>> > purposes.)
>> >
>> > So like I said, that almost works, where
>> > http://209.160.28.154/index.html
>> > gives the right error message, but http://209.160.28.154/ does not. Any
>> > idea how to change it so that all URLs under http://209.160.28.154/ will
>> > give the "banned IP" message if connecting from a banned IP?
>> >
>> >        -Bennett
>> >
>>
>> If you want to block the IPs on all services you could use iptables
>> along with ipset.
>> You could also put them directly in iptables as chain rules, but as
>> the number of IPs increases, it increases the CPU usage like hell.
>> ipset is a viable solution in that case.
>> You just need kernel headers and (probably, I don't remember)
>> netfilter source to compile iptables.
>
> Yeah but rather than blocking the entire connection, I wanted to be able to
> put a message telling people to e-mail me if they think their IP has been
> blocked by mistake.
>
>        -Bennett

There's still a cryptic way for that, but I don't know whether it will work or not.
Create eth0:0 with IP of 192.168.1.X or some other non-public IP.
Make apache listen on that IP, and DNAT/PREROUTE/WHATEVER those ipset
requests to this private IP.
And configure apache vhost for that IP which prints that message.

Also this way, you can block those malicious users from all services,
not only apache, and they can contact you if you banned them by
mistake.

Do let me know if you implement it successfully (or try to do so ;)).

-- 
Regards,
Nilesh Govindarajan
Facebook: http://www.facebook.com/nilesh.gr
Twitter: http://twitter.com/nileshgr
Website: http://www.itech7.com
VPS Hosting: http://www.itech7.com/a/vps
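
The alias-IP / ipset / DNAT / dedicated-vhost setup sketched in the reply above, written out as an added example script (not from the thread or from either poster). It assumes a public interface `eth0`, a private alias `192.168.1.250/24` on `eth0:0`, an ipset named `banned`, and a copy of `banned_ip.php` in `/var/www/banned`; `DRY_RUN=1` prints the commands instead of running them so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the thread: keep banned IPs out of every service
# with ipset, but steer their HTTP traffic to a private Apache vhost that
# shows the "your IP is banned, email me" page. Interface, alias IP and
# set name below are assumptions, not values from the thread.

BAN_SET="${BAN_SET:-banned}"                   # ipset of banned client IPs
BAN_VHOST_IP="${BAN_VHOST_IP:-192.168.1.250}"  # private IP the ban vhost uses
PUBLIC_IF="${PUBLIC_IF:-eth0}"
DRY_RUN="${DRY_RUN:-0}"                        # 1 = print commands, don't run

# run: execute a command, or just print it when DRY_RUN=1 (review first).
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# setup_ban_redirect: alias IP, the set, DNAT for banned HTTP clients, and a
# DROP for anything else those clients send (ssh, smtp, ...).
setup_ban_redirect() {
    run ip addr add "$BAN_VHOST_IP/24" dev "$PUBLIC_IF" label "$PUBLIC_IF:0"
    run ipset create "$BAN_SET" hash:ip -exist
    run iptables -t nat -A PREROUTING -i "$PUBLIC_IF" -p tcp --dport 80 \
        -m set --match-set "$BAN_SET" src -j DNAT --to-destination "$BAN_VHOST_IP:80"
    # The DNATed packets still carry the banned source, so accept them
    # explicitly before the catch-all DROP, or the redirect never lands.
    run iptables -A INPUT -i "$PUBLIC_IF" -d "$BAN_VHOST_IP" -p tcp --dport 80 \
        -m set --match-set "$BAN_SET" src -j ACCEPT
    run iptables -A INPUT -i "$PUBLIC_IF" -m set --match-set "$BAN_SET" src -j DROP
}

# ban_ip: add one address to the set; takes effect at once, no Apache restart.
ban_ip() {
    run ipset add "$BAN_SET" "$1" -exist
}

# write_ban_vhost: Apache vhost bound to the private IP only (the existing
# "Listen 80" already covers it). Every path, including the bare "/", is
# rewritten to the banned page, so no ErrorDocument handling is involved.
write_ban_vhost() {
    cat <<EOF
<VirtualHost $BAN_VHOST_IP:80>
    DocumentRoot /var/www/banned
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/banned_ip\.php$
    RewriteRule ^ /banned_ip.php [L]
</VirtualHost>
EOF
}
```

Run `setup_ban_redirect` once, append the output of `write_ban_vhost` to the Apache config and reload, then `ban_ip <address>` per offender; the DNAT only covers port 80, so add a matching rule for 443 if the site serves HTTPS.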

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
