View Full Version : .htaccess block IP range?
Stecyk
01-12-2007, 11:53 PM
Hi,
Using .htaccess, is there an easy way to block...
XX.XX.XXX.42 through to XX.XX.XXX.127 ?
Or must I block each one individually?
Thank you. :smile:
Kevin
Melissa
01-13-2007, 12:00 AM
Hi Kevin,
See if this post by the other Kevin helps:
http://www.aota.net/forums/showthread.php?postid=154753#post154753
:)
(I would suggest testing, of course.)
edit: Removed suggestion on a possible solution to try as was incorrect. Please view http://www.aota.net/forums/showthread.php?postid=155330#post155330 for a more appropriate solution.
Stecyk
01-13-2007, 01:26 AM
Thank you Melissa! :yeah:
Melissa
01-13-2007, 02:52 AM
Thank you Melissa! :yeah:
Soytenly. :smile:
Andilinks
01-13-2007, 03:20 PM
deny from 196.3.0.42/127
I have tried it with the slash exactly as in this example, only to be given a 500 server error. Testing at 3 am of course, but it did disable the whole site for a minute before I deleted the .htaccess and then replaced a corrected version blocking the entire last 255.
Those sharing those first three octets with the greedy bot just don't see my site.
Stecyk
01-13-2007, 06:47 PM
Hi Andi,
I got the same thing. I tried it today, after a full night's rest.
I checked my error log file...
[Sat Jan 13 17:42:13 2007] [alert] [client 72.14.XXX.17] /big/dom/xspeciousargument/www/blog/.htaccess: invalid mask in network/netmask
I then tried accessing my site. It was dead.
Hmmmm...something is amiss.
Anyone? :smile:
Best regards,
Kevin
kitchin
01-14-2007, 01:51 AM
Where are the netmask experts? I guess nobody is required to respond. ;) Anyway, a glance at Wikipedia (for "netmask") shows "/127" is totally wrong. That number should be the number of bits counting from the left that are not wildcarded. A 4-byte IP address has 32 bits, so 32 is the max (or probably 31 in reality). Just to save this thread from total error, here is a decent guess:
binary 0010 1010 = 42
binary 0011 1111 = 63
binary 0100 0000 = 64
binary 0111 1111 = 127
Looks like you can use a mask to specify 64...127.
It would be:
xx.xx.xxx.64/255.255.255.192
because
m= binary 1100 0000 = 192
satisfies:
For any i in the range 64...127,
i AND m = 0100 0000 = 64
while for any i<64
i AND m = 00.. .... <> 64
and for any i>127
i AND m = 1... .... <> 64
So somewhat briefer than
Deny from XX.XX.XXX.42
Deny from XX.XX.XXX.43
Deny from XX.XX.XXX.44
Deny from XX.XX.XXX.45
Deny from XX.XX.XXX.46
Deny from XX.XX.XXX.47
Deny from XX.XX.XXX.48
Deny from XX.XX.XXX.49
Deny from XX.XX.XXX.50
Deny from XX.XX.XXX.51
Deny from XX.XX.XXX.52
Deny from XX.XX.XXX.53
Deny from XX.XX.XXX.54
Deny from XX.XX.XXX.55
Deny from XX.XX.XXX.56
Deny from XX.XX.XXX.57
Deny from XX.XX.XXX.58
Deny from XX.XX.XXX.59
Deny from XX.XX.XXX.60
Deny from XX.XX.XXX.61
Deny from XX.XX.XXX.62
Deny from XX.XX.XXX.63
Deny from XX.XX.XXX.64
Deny from XX.XX.XXX.65
Deny from XX.XX.XXX.66
Deny from XX.XX.XXX.67
Deny from XX.XX.XXX.68
Deny from XX.XX.XXX.69
Deny from XX.XX.XXX.70
Deny from XX.XX.XXX.71
Deny from XX.XX.XXX.72
Deny from XX.XX.XXX.73
Deny from XX.XX.XXX.74
Deny from XX.XX.XXX.75
Deny from XX.XX.XXX.76
Deny from XX.XX.XXX.77
Deny from XX.XX.XXX.78
Deny from XX.XX.XXX.79
Deny from XX.XX.XXX.80
Deny from XX.XX.XXX.81
Deny from XX.XX.XXX.82
Deny from XX.XX.XXX.83
Deny from XX.XX.XXX.84
Deny from XX.XX.XXX.85
Deny from XX.XX.XXX.86
Deny from XX.XX.XXX.87
Deny from XX.XX.XXX.88
Deny from XX.XX.XXX.89
Deny from XX.XX.XXX.90
Deny from XX.XX.XXX.91
Deny from XX.XX.XXX.92
Deny from XX.XX.XXX.93
Deny from XX.XX.XXX.94
Deny from XX.XX.XXX.95
Deny from XX.XX.XXX.96
Deny from XX.XX.XXX.97
Deny from XX.XX.XXX.98
Deny from XX.XX.XXX.99
Deny from XX.XX.XXX.100
Deny from XX.XX.XXX.101
Deny from XX.XX.XXX.102
Deny from XX.XX.XXX.103
Deny from XX.XX.XXX.104
Deny from XX.XX.XXX.105
Deny from XX.XX.XXX.106
Deny from XX.XX.XXX.107
Deny from XX.XX.XXX.108
Deny from XX.XX.XXX.109
Deny from XX.XX.XXX.110
Deny from XX.XX.XXX.111
Deny from XX.XX.XXX.112
Deny from XX.XX.XXX.113
Deny from XX.XX.XXX.114
Deny from XX.XX.XXX.115
Deny from XX.XX.XXX.116
Deny from XX.XX.XXX.117
Deny from XX.XX.XXX.118
Deny from XX.XX.XXX.119
Deny from XX.XX.XXX.120
Deny from XX.XX.XXX.121
Deny from XX.XX.XXX.122
Deny from XX.XX.XXX.123
Deny from XX.XX.XXX.124
Deny from XX.XX.XXX.125
Deny from XX.XX.XXX.126
Deny from XX.XX.XXX.127
is
Deny from XX.XX.XXX.42
Deny from XX.XX.XXX.43
Deny from XX.XX.XXX.44
Deny from XX.XX.XXX.45
Deny from XX.XX.XXX.46
Deny from XX.XX.XXX.47
Deny from XX.XX.XXX.48
Deny from XX.XX.XXX.49
Deny from XX.XX.XXX.50
Deny from XX.XX.XXX.51
Deny from XX.XX.XXX.52
Deny from XX.XX.XXX.53
Deny from XX.XX.XXX.54
Deny from XX.XX.XXX.55
Deny from XX.XX.XXX.56
Deny from XX.XX.XXX.57
Deny from XX.XX.XXX.58
Deny from XX.XX.XXX.59
Deny from XX.XX.XXX.60
Deny from XX.XX.XXX.61
Deny from XX.XX.XXX.62
Deny from XX.XX.XXX.63
Deny from XX.XX.XXX.64/255.255.255.192
But not very maintainable is it? Like, what apache expert is going to bother grading my paper and telling me if it is right? :/
Easier just to have a scripting language handy where you can whip up those long lists...
# Perl: print one Deny line for each address in the range
foreach my $i (42..127) {
    print "Deny from XX.XX.XXX.$i\n";
}
and then upload them.
Andilinks
01-14-2007, 02:15 AM
This may be a wonderful solution but the implementation is not clear to me at all.
The answer given by Melissa is identical to another I found earlier on another forum by Googling "deny IP range." It has the advantage of being easy to understand, but disabling the entire site is an unacceptable flaw--maybe it works on a different server version.
kitchin
01-14-2007, 11:33 AM
Exercise to the reader:
Deny from XX.XX.XXX.64/255.255.255.192
is equivalent to
Deny from XX.XX.XXX.64/n
for what n?
http://en.wikipedia.org/wiki/Netmask#Binary_subnet_masks
kitchin
01-14-2007, 11:38 AM
But ya gotta admit, the range you want to block probably does not start with
xx.xx.xxx.42
It probably starts on a more natural boundary, which you could do in one line.
Andilinks
01-14-2007, 11:50 AM
So are you saying with certainty that:
Order Allow,Deny
Allow from all
Deny from 196.3.0.42/196.3.0.127
Will not disable the entire site with a 500 server error?
Or do your cryptic replies indicate that you don't know and that I must experiment to find out?
sheila
01-14-2007, 02:45 PM
but disabling the entire site is an unacceptable flaw
Create a subdirectory strictly for the purpose of testing. Test in the subdirectory only.
There is never any reason to disable an entire site simply for testing .htaccess files.
sheila
01-14-2007, 02:48 PM
So are you saying with certainty that:
...
Will not disable the entire site with a 500 server error?
Or do your cryptic replies indicate that you don't know and that I must experiment to find out?
My guess is that remarks such as:
Just to save this thread from total error, here is a decent guess:
indicate that he does not know for certain.
Please test in a subdirectory and do not disable your entire site.
Andilinks
01-14-2007, 04:02 PM
Please test in a subdirectory and do not disable your entire site.
Thanks for your reply. Yes, the subdirectory test is better. I was hoping to tease out an answer from someone who actually knows so I don't have to experiment. I guess I'll do the experiment later and post my results here.
added in edit: The problem with such an experiment is that it will only show whether the slash device disables the site and offers no clue about its effectiveness in blocking the IP range; which is why someone with real knowledge in this area is preferable to the experimentation.
Well I suppose blocking a range which includes my own IP and then seeing whether it returns a 403, a 500, or the page called is one way of designing the experiment, I'll let you all know later.
Stecyk
01-14-2007, 07:02 PM
I used a dummy directory.
Hmmmm....
Order Allow,Deny
Allow from all
Deny from 196.3.0.42/196.3.0.127
# Below is ME
Deny from 68.146.57.01/68.146.57.90
My IP Address is: 68.146.57.71
The good news is that the website is not down and the subdirectory still functions. The bad news is that I was not blocked out, as I believe I should have been according to the last deny statement.
Tom E.
01-14-2007, 07:13 PM
Have you tried
Deny from 196.3.0
From the Apache docs for the Allow directive (http://httpd.apache.org/docs/1.3/mod/mod_access.html.en#allow) (same parameters as Deny):
A partial IP address
Example: Allow from 10.1
The first 1 to 3 bytes of an IP address, for subnet restriction.
I haven't tried it, but from the docs, it looks like it will block 196.3.0.*, which is a few more IPs than you want, but might be good enough.
-- Tom
[Edit] finished post - I hit "Save" instead of "Preview" the first time
kitchin
01-14-2007, 07:53 PM
So are you saying with certainty that:
Deny from 196.3.0.42/196.3.0.127
Will not disable the entire site with a 500 server error?
That's a new one, the other suggestion was
196.3.0.42/127
which is certainly wrong, as I read it. Your new example is not the way a mask is normally used, AFAIK. It does not mean 42 through 127. It means.. well, you can look it up: n/m means to take the incoming address, a, and calculate bitwise: a AND m, then see if that matches n. Right? I sure will be embarrassed if I'm wrong!
Andilinks
01-14-2007, 09:49 PM
I can see that I will continue blocking IP ranges by blocking all 256 in the final series. Sometimes I will block 65,536 IPs in certain Chinese addresses... But thanks for your effort kitchin.
Terra
01-14-2007, 10:23 PM
From the Apache docs:
http://httpd.apache.org/docs/1.3/mod/mod_access.html#allow
196.3.0.42/196.3.0.127
The only 2 things that should be specified for the netmask is either the form of:
1) netmask notation: 255.255.255.0 or similar (range: 128.0.0.0 - 255.255.255.255)
2) CIDR notation: /x (where 1 <= x <= 32)
You can find a lookup table for CIDR <=> Netmask values at:
http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
kitchin hit the nail on the head in:
http://www.aota.net/forums/showthread.php?postid=155330#post155330
Because the requested IP range does not fall on a natural CIDR boundary, therefore only a subset can be blocked via CIDR and the rest must be listed individually...
--
Terra
sysAdmin
FutureQuest
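An added Python example (not code from this thread or from Apache) that works through kitchin's "a AND m" matching rule and Terra's CIDR-boundary conclusion: it converts a dotted netmask to a prefix length, rejects masks like /127 and 196.3.0.127 as Terra's post says it should, checks which hosts a Deny line really matches, and, going one step past Terra's post, shows that the unaligned 42..63 part can be covered with three smaller CIDR blocks instead of 22 single-host lines. The 196.3.0.x addresses are the thread's own; the function names are mine.

```python
"""Added example (not from the thread): Apache-style netmask matching and a
CIDR decomposition of the non-aligned range .42 to .127 discussed above."""
import ipaddress

ALL_ONES = 0xFFFFFFFF

def netmask_to_prefix(mask: str) -> int:
    """Dotted netmask -> CIDR length, e.g. 255.255.255.192 -> 26 (kitchin's exercise)."""
    inv = ~int(ipaddress.IPv4Address(mask)) & ALL_ONES   # the wildcarded bits
    if inv & (inv + 1):                                  # must be a run of low ones (Terra's rule)
        raise ValueError(f"invalid mask in network/netmask: {mask}")
    return 32 - inv.bit_length()

def parse_mask(mask: str) -> int:
    """Dotted netmask or /n prefix length -> 32-bit mask; rejects /127 and friends."""
    bits = netmask_to_prefix(mask) if "." in mask else int(mask)
    if not 0 <= bits <= 32:
        raise ValueError(f"invalid mask in network/netmask: /{bits}")
    return (ALL_ONES << (32 - bits)) & ALL_ONES

def valid_mask(mask: str) -> bool:
    try:
        return parse_mask(mask) >= 0
    except ValueError:
        return False

def mask_matches(addr: str, network: str, mask: str) -> bool:
    """The test kitchin describes: (addr AND m) == n. The network n is masked as
    well (assumption: Apache normalises it likewise); a no-op for the page's 64/192."""
    m = parse_mask(mask)
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    return (a & m) == (n & m)

def deny_lines(first: str, last: str) -> list[str]:
    """Fewest 'Deny from' lines covering first..last inclusive: CIDR blocks for the
    unaligned leftover part too, instead of one line per host."""
    blocks = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                               ipaddress.IPv4Address(last))
    return [f"Deny from {b.network_address}" if b.prefixlen == 32
            else f"Deny from {b.with_prefixlen}" for b in blocks]

def denied_hosts(lines: list[str], prefix: str = "196.3.0.") -> set[int]:
    """Grade the paper: which last octets of prefix.0-255 the Deny lines match."""
    denied = set()
    for i in range(256):
        for line in lines:
            net, _, mask = line.removeprefix("Deny from ").partition("/")
            if mask_matches(f"{prefix}{i}", net, mask or "32"):
                denied.add(i)
    return denied
```

Run `denied_hosts(deny_lines("196.3.0.42", "196.3.0.127"))` to confirm the generated lines match exactly .42 through .127 and nothing else before uploading them, in a test subdirectory as sheila advises.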
Stecyk
01-15-2007, 12:16 AM
Because the requested IP range does not fall on a natural CIDR boundary, therefore only a subset can be blocked via CIDR and the rest must be listed individually...
Thank you! :yeah: