Greetings,
It seems that I've hit a size limitation when adding unwanted IPs to a "Deny From" line.
Is there any place where this is specified?
Also, if I hit the max length on a "Deny From" line, can I add another "Deny From" line?
(Running CentOS 6, and the following version of Apache: httpd-2.2.15-28.el6.centos.x86_64)
Much thanks,
Max Pyziur pyz@brama.com
On 05/29/2013 10:51 PM, Max Pyziur wrote:
> Greetings,
> It seems that I've hit a size limitation when adding unwanted IPs to a "Deny From" line.
> Is there any place where this is specified?
> Also, if I hit the max length on a "Deny From" line, can I add another "Deny From" line?
> (Running CentOS 6, and the following version of Apache: httpd-2.2.15-28.el6.centos.x86_64)
> Much thanks,
> Max Pyziur pyz@brama.com
You can have multiple "deny from" lines, as well as multiple "allow from" lines (in case you want to configure access like a whitelist).
Multiple lines also help readability.
Max Pyziur wrote:
> Greetings,
> It seems that I've hit a size limitation when adding unwanted IPs to a "Deny From" line.
> Is there any place where this is specified?
> Also, if I hit the max length on a "Deny From" line, can I add another "Deny From" line?
> (Running CentOS 6, and the following version of Apache: httpd-2.2.15-28.el6.centos.x86_64)
Have you considered running fail2ban, and banning them using iptables?
mark
On Wed, May 29, 2013 at 5:24 PM, m.roth@5-cent.us wrote:
> Have you considered running fail2ban, and banning them using iptables?
Or blocking netblocks rather than individual IPs in your .htaccess file? Netblocks with iptables would work nicely too (keeping the clutter to a minimum).
> mark
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Wed, 29 May 2013, m.roth@5-cent.us wrote:
> Have you considered running fail2ban, and banning them using iptables?
I've considered that.
But I'm tied to my (little?/not-so-little?) home-grown system of mining threatening IPs from BL sites (spam, sshd, forumspam), running them through an SQL database, and outputting /etc/hosts.deny files to block via tcp wrappers, and now starting to output "Deny from" lines to place in .htaccess files. "Deny From" lines longer than somewhere around 8000 characters seem to be the limit; I was curious if there was a specified limit somewhere, and whether or not I could put multiple Deny From lines?
While fail2ban looks good, the little that I've tried it, I like keeping the firewall iptables neat, and doing the blocking as I have described above (maybe it's familiarity trumping fail2ban; maybe it's that fail2ban has a bit of a learning curve ...)
> mark
Much thanks for the advice.
Max Pyziur pyz@brama.com
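An added example, not code from the thread or from Max's own generator: a Python sketch of the step his pipeline is starting to automate. It collapses the blocklist into netblocks (the alternative suggested earlier in the thread), then packs them onto as many Deny from lines as needed, each kept under a configurable length that defaults to the roughly 8000 characters observed here (httpd 2.2 reads each configuration line, .htaccess included, into an 8192-byte MAX_STRING_LEN buffer). The sample addresses are constructed from documentation ranges; Apache 2.2 mod_authz_host accepts both plain addresses and a.b.c.d/nn blocks in Deny from.

```python
import ipaddress

# Constructed sample blocklist, shaped like a home-grown feed/SQL export:
# single hosts and CIDR blocks, with duplicates, overlaps and adjacent ranges.
SAMPLE_ENTRIES = [
    "203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.4",
    "198.51.100.0/25", "198.51.100.128/25", "198.51.100.77",
    "192.0.2.10", "192.0.2.10",
]

def aggregate(entries):
    """Collapse hosts and blocks into the fewest covering netblocks."""
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    collapsed = []
    # collapse_addresses() takes one address family at a time; each family
    # comes back sorted, so IPv4 blocks precede IPv6 blocks in the result.
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    return collapsed

def render(net):
    """Single hosts as plain addresses, anything larger in CIDR notation."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)

def deny_lines(tokens, max_len=8000, prefix="Deny from"):
    """Pack tokens onto as many prefix lines as needed, none over max_len."""
    lines, current = [], prefix
    for tok in tokens:
        candidate = current + " " + tok
        if len(candidate) > max_len and current != prefix:
            lines.append(current)        # flush the full line, start a new one
            candidate = prefix + " " + tok
        current = candidate
    if current != prefix:
        lines.append(current)
    return lines

def render_htaccess(entries, max_len=8000):
    """Apache 2.2 mod_authz_host block list: admit everyone, then deny the list."""
    tokens = [render(n) for n in aggregate(entries)]
    header = "Order allow,deny\nAllow from all\n"
    return header + "\n".join(deny_lines(tokens, max_len)) + "\n"

if __name__ == "__main__":
    print(render_htaccess(SAMPLE_ENTRIES), end="")
```

Pipe the output into the .htaccess (or a file pulled in via Include in httpd.conf); the same aggregated netblock list is also what a single iptables or tcp wrappers rule set would consume.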
You could try ipset (yum install ipset) and create live lists of IPs/blocks and create a single-line rule in iptables to handle the lists. The only downside is the lists are lost on a reboot, which can be overcome with a little scripting.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Max Pyziur Sent: Wednesday, May 29, 2013 10:08 PM To: CentOS mailing list Subject: Re: [CentOS] Size limitations in .htaccess
On 5/29/2013 10:08 PM, Max Pyziur wrote:
> On Wed, 29 May 2013, m.roth@5-cent.us wrote:
>> Have you considered running fail2ban, and banning them using iptables?
> I've considered that.
> But I'm tied to my (little?/not-so-little?) home-grown system of mining threatening IPs from BL sites (spam, sshd, forumspam), running them through an SQL database, and outputting /etc/hosts.deny files to block via tcp wrappers, and now starting to output "Deny from" lines to place in .htaccess files. "Deny From" lines longer than somewhere around 8000 characters seem to be the limit; I was curious if there was a specified limit somewhere, and whether or not I could put multiple Deny From lines?
> While fail2ban looks good, the little that I've tried it, I like keeping the firewall iptables neat, and doing the blocking as I have described above (maybe it's familiarity trumping fail2ban; maybe it's that fail2ban has a bit of a learning curve ...)
Fail2ban keeps all of its rules in its own chain, so any custom rules that you have created will not get lost in the clutter.
You could also do the blocking yourself with iptables rather than having fail2ban manage it for you. Just create iptables rules rather than the hosts.deny format.
iptables -I Blacklist -s xxx.xxx.xxx.xxx -j DROP
Of course, you need to add a rule in your main ruleset to call the Blacklist chain. And make sure to save the rules from time to time so you don't lose all of them in a reboot.