This is a discussion on can htaccess read from files? within the Apache Web Server forums, part of the Web Server and Related Forums category.
I'm helping out a friend with a site that has attracted a few idiots using proxies. As soon as he bans one, they find another.

To save having to log in/FTP to the server, find the htaccess file and edit it, is there any way we can set up an editable separate file (list) of banned IPs that the htaccess file can read and apply? Maybe writeable by the server so that he only needs to open a (hidden) page and enter the IP range and have it added automatically? Or is there a simpler way of editing the htaccess file directly from within the site?

Thanks for any help here!
mentalguy2004 wrote:
> I'm helping out a friend with a site that has attracted a few idiots using
> proxies. As soon as he bans one, they find another.
>
> To save having to log in/FTP to the server, find the htaccess file and edit
> it, is there any way we can set up an editable separate file (list) of
> banned IP's that the htaccess file can read and apply? Maybe writeable by
> the server so that he only needs to open a (hidden) page and enter the IP
> range and have it added automatically? Or is there a simpler way of editing
> the htaccess file directly from within the site?

You could simply write the .htaccess file from a PHP script. This would easily enable him to ban users quickly.

However, I must point out that banning individual IP addresses is fairly ineffective - like you said, as soon as one is banned another appears. Try banning by traits the proxy has instead.

--
Brendan Gillatt | GPG Key: 0xBF6A0D94
brendan {a} brendangillatt (dot) co (dot) uk
http://www.brendangillatt.co.uk
"Brendan Gillatt" <brendanREMOVETHIS@brendanREMOVETHISgillatt.co.uk> wrote in message news:QNKdnQqXvdHRb57VnZ2dneKdnZydnZ2d@pipex.net...
> mentalguy2004 wrote:
>> I'm helping out a friend with a site that has attracted a few idiots using
>> proxies. As soon as he bans one, they find another.
>>
>> To save having to log in/FTP to the server, find the htaccess file and edit
>> it, is there any way we can set up an editable separate file (list) of
>> banned IP's that the htaccess file can read and apply? Maybe writeable by
>> the server so that he only needs to open a (hidden) page and enter the IP
>> range and have it added automatically? Or is there a simpler way of editing
>> the htaccess file directly from within the site?
>
> You could simply write the .htaccess file from a PHP script. This would
> easily enable him to ban users quickly.
>
> However, I must point out that banning individual IP addresses is fairly
> ineffective - like you said as soon as one is banned another appears. Try
> banning by traits the proxy has instead.
>
> --
> Brendan Gillatt | GPG Key: 0xBF6A0D94
> brendan {a} brendangillatt (dot) co (dot) uk
> http://www.brendangillatt.co.uk

Thanks for the help. Do you know of any good PHP scripts that would help here? I've tried Googling and all the relevant links I've found seem to be dead.
mentalguy2004 wrote:
> Thanks for the help. Do you know of any good PHP scripts that would help
> here? I've tried Googling and all the relevant links I've found seem to be
> dead.

Basically the idea is to end up with a file such as:

<Limit GET HEAD POST>
order allow,deny
deny from xxx.xxx.xxx.xxx
deny from yyy.yyy.yyy.yyy
deny from zzz.zzz.zzz.zzz
allow from all
</LIMIT>

So you would read the file, line by line until you found the start of the 'deny from' lines. You would then read these lines into an array, append the newly blocked host, turn the array back into a string and add the header and footer bits.

--
Brendan Gillatt | GPG Key: 0xBF6A0D94
brendan {a} brendangillatt (dot) co (dot) uk
http://www.brendangillatt.co.uk
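Added example, not part of the original posts: one way to carry out the read, append and rewrite procedure described above in PHP, using the Apache 2.2 directives from the thread. The file path, the `# BEGIN bans` / `# END bans` markers and the function names are assumptions; input is restricted to a literal IP address or CIDR range so that form input cannot inject other directives, and the page that calls `add_ban()` is assumed to sit behind authentication.

```php
<?php
// Added example (not from the thread). File path, markers and function
// names are assumptions chosen for illustration.
const HTACCESS = __DIR__ . '/.htaccess';
const BLOCK_RE = '/^# BEGIN bans\R.*?^# END bans\R?/ms';

// Accept only a literal IPv4/IPv6 address with an optional CIDR prefix, so
// submitted text can never smuggle whitespace, newlines or extra directives.
function normalize_target(string $input): ?string
{
    $parts = explode('/', trim($input), 2);
    if (filter_var($parts[0], FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!isset($parts[1])) {
        return $parts[0];
    }
    $max = strpos($parts[0], ':') !== false ? 128 : 32;
    $ok = ctype_digit($parts[1]) && (int) $parts[1] <= $max;
    return $ok ? $parts[0] . '/' . (int) $parts[1] : null;
}

// Rebuild the managed block with one more "deny from" line; every directive
// outside the markers is preserved.
function add_ban(string $input, string $path = HTACCESS): bool
{
    $target = normalize_target($input);
    if ($target === null) {
        return false;
    }
    $lock = fopen($path . '.lock', 'c');   // serialises concurrent writers
    if ($lock === false || !flock($lock, LOCK_EX)) {
        return false;
    }
    $text = is_file($path) ? (string) file_get_contents($path) : '';
    preg_match(BLOCK_RE, $text, $m);
    preg_match_all('/^deny from (\S+)$/mi', $m[0] ?? '', $found);
    $targets = array_unique(array_merge($found[1], [$target]));
    $block = "# BEGIN bans\n<Limit GET HEAD POST>\norder allow,deny\n";
    foreach ($targets as $t) {
        $block .= "deny from $t\n";
    }
    $block .= "allow from all\n</Limit>\n# END bans\n";
    $rest = rtrim(preg_replace(BLOCK_RE, '', $text));
    // Write a temp file and rename it so Apache never reads a half-written file.
    $tmp = $path . '.tmp';
    $ok = file_put_contents($tmp, ($rest === '' ? '' : "$rest\n\n") . $block) !== false
        && rename($tmp, $path);
    flock($lock, LOCK_UN);
    fclose($lock);
    return $ok;
}
```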
"Brendan Gillatt" <brendanREMOVETHIS@brendanREMOVETHISgillatt.co.uk> wrote in message news:gKSdnWX88dkBGZvVnZ2dnUVZ8qijnZ2d@pipex.net...
> mentalguy2004 wrote:
>> Thanks for the help. Do you know of any good PHP scripts that would help
>> here? I've tried Googling and all the relevant links I've found seem to be
>> dead.
>
> Basically the idea is to end up with a file such as:
>
> <Limit GET HEAD POST>
> order allow,deny
> deny from xxx.xxx.xxx.xxx
> deny from yyy.yyy.yyy.yyy
> deny from zzz.zzz.zzz.zzz
> allow from all
> </LIMIT>
>
> So you would read the file, line by line until you found the start of the
> 'deny from' lines. You would then read these lines into an array, append
> the newly blocked host, turn the array back into a string and add the
> header and footer bits.

Bad approach. Try a rewritemap where the key is REMOTE_ADDR. All your CGI program has to do is append to the file that constitutes the map.

In my personal implementation of the map file, I write as the data field a one-word reason and the time stamp that the entry was added. I have a reason because there are multiple ways of ending up in the file. Malicious robots that spider "/robots.txt" forbidden resources is one reason. I also share the map file with other server programs besides the web server.
"D. Stussy" <spam@bde-arc.ampr.org> wrote in message news:fu6fcg$pj4$1@snarked.org...
> "Brendan Gillatt" <brendanREMOVETHIS@brendanREMOVETHISgillatt.co.uk> wrote
> in message news:gKSdnWX88dkBGZvVnZ2dnUVZ8qijnZ2d@pipex.net...
>> Basically the idea is to end up with a file such as:
>>
>> <Limit GET HEAD POST>
>> order allow,deny
>> deny from xxx.xxx.xxx.xxx
>> deny from yyy.yyy.yyy.yyy
>> deny from zzz.zzz.zzz.zzz
>> allow from all
>> </LIMIT>
>>
>> So you would read the file, line by line until you found the start of the
>> 'deny from' lines. You would then read these lines into an array, append
>> the newly blocked host, turn the array back into a string and add the
>> header and footer bits.
>
> Bad approach. Try a rewritemap where the key is REMOTE_ADDR. All your CGI
> program has to do is append to the file that constitutes the map.
>

I like file-based rewritemaps too for just 1 reason: changes are effective without restarting Apache!

BUT unfortunately for the OP RewriteMaps are NOT allowed in .htaccess ...

HansH
"HansH" <hansh@invalid.invalid> wrote in message news:480707ab$0$14343$e4fe514c@news.xs4all.nl...
> "D. Stussy" <spam@bde-arc.ampr.org> wrote in message
> news:fu6fcg$pj4$1@snarked.org...
>> "Brendan Gillatt" <brendanREMOVETHIS@brendanREMOVETHISgillatt.co.uk> wrote
>> in message news:gKSdnWX88dkBGZvVnZ2dnUVZ8qijnZ2d@pipex.net...
>>> Basically the idea is to end up with a file such as:
>>>
>>> <Limit GET HEAD POST>
>>> order allow,deny
>>> deny from xxx.xxx.xxx.xxx
>>> deny from yyy.yyy.yyy.yyy
>>> deny from zzz.zzz.zzz.zzz
>>> allow from all
>>> </LIMIT>
>>>
>>> So you would read the file, line by line until you found the start of the
>>> 'deny from' lines. You would then read these lines into an array, append
>>> the newly blocked host, turn the array back into a string and add the
>>> header and footer bits.
>>
>> Bad approach. Try a rewritemap where the key is REMOTE_ADDR. All your CGI
>> program has to do is append to the file that constitutes the map.
>>
> I like file-based rewritemaps too for just 1 reason:
> changes are effective without restarting Apache!
>
> BUT unfortunately to the OP RewriteMaps are NOT allowed in .htaccess ...

True (I forgot about that). However, he didn't say that .htaccess is his ONLY means to control the server, and it read as if his friend does have access to the main configuration file(s).
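Added example, not part of the original posts: the RewriteMap approach from this sub-thread, with the map declared in server or virtual-host context (as noted above, `RewriteMap` itself is not allowed in .htaccess) and a PHP function that appends entries. The paths, map name, function name and the `reason:timestamp` value layout are assumptions.

```php
<?php
// Added example (not from the thread); paths, map name and function name are
// assumptions. Declare the map in server or virtual-host context:
//
//   RewriteEngine On
//   RewriteMap  banned "txt:/var/lib/apache-bans/banned.map"
//   RewriteCond "${banned:%{REMOTE_ADDR}|OK}" "!=OK"
//   RewriteRule "^" "-" [F]
//
// Each map line is "<ip> <reason>:<unix-time>". The value of a txt map entry
// ends at the first whitespace, so reason and timestamp share one token.
const MAP_PATH = '/var/lib/apache-bans/banned.map';

function append_ban(string $ip, string $reason, string $path = MAP_PATH): bool
{
    // The map is an exact string lookup on REMOTE_ADDR: accept one literal
    // address only and store it in canonical text form.
    $ip = trim($ip);
    $packed = filter_var($ip, FILTER_VALIDATE_IP) ? inet_pton($ip) : false;
    // One short word, so the reason cannot add whitespace or a second line.
    if ($packed === false || !preg_match('/^[a-z0-9_-]{1,32}$/D', $reason)) {
        return false;
    }
    $key = inet_ntop($packed);
    $fh = fopen($path, 'a+');           // writes always go to the end
    if ($fh === false) {
        return false;
    }
    if (!flock($fh, LOCK_EX)) {         // serialise concurrent writers
        fclose($fh);
        return false;
    }
    rewind($fh);                        // read from the start to skip duplicates
    $known = false;
    while (!$known && ($line = fgets($fh)) !== false) {
        $known = strtok($line, " \t") === $key;
    }
    $ok = $known || fwrite($fh, "$key $reason:" . time() . "\n") !== false;
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}
```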