This is a discussion on htaccess help within the Apache Web Server forums, part of the Web Server and Related Forums category.
I am trying to lock out networks in the Netherlands that are constantly looking for vulnerabilities on my Apache server. I do not control the firewall so that is not an option. I thought the .htaccess file would work but somehow these jerks are continuing to get in.

My .htaccess file is located in the root of my web server (/var/www):

order allow,deny
deny from 58.,59.,60.,61.,62.
deny from 77.,78.,79.,80.,81.,82.,83.,84.,85.,86.,87.,88.,89.,90.,91.
allow from all

With the above file in place I still see these messages in my Apache errorlog:

[Tue Feb 13 18:30:19 2007] [error] [client 85.11.177.162] File does not exist: /var/www/phpmyadmin

If I place my IP address in the same format in my .htaccess file I see this:

[Fri Feb 16 08:39:15 2007] [error] [client x.x.x.x] client denied by server configuration: /var/www/test1

How is that 85 address getting past the .htaccess file?

Thanks
Gary

On Feb 16, 9:47 am, Davide Bianchi <davideyeahs...@onlyforfun.net> wrote:
> On 2007-02-16, Gary Quiring <gquir...@gmail.com> wrote:
>
> > I am trying to lock out networks in the Netherlands that are
> > constantly looking for vulnerabilities on my Apache server.
>
> Report them to the system administrator and/or the abuse of their
> network providers.
>
> Davide
>
> --
> If at first you don't succeed, work for Microsoft.

That is not going to solve the issue. The RIPE network is in the Netherlands, aka no laws or rules. I have contacted them countless times with zero replies. Their whole network is full of abusers and I think that is why they register on that network to begin with. I have no need for those folks to access my server so I want to block them. In ProFTP the access list looks just like htaccess but works. You should see what they do on an FTP server, thousands of illegal login attempts each day. Blocking their IP range is the best solution as each day it's another IP from the RIPE network looking to break in.

On Fri, 16 Feb 2007 15:45:41 +0100, Gary Quiring <gquiring@gmail.com> wrote:
> I am trying to lock out networks in the Netherlands that are
> constantly looking for vulnerabilities on my Apache server. I do not
> control the firewall so that is not an option. I thought
> the .htaccess file would work but somehow these jerks are continuing
> to get in.
>
> My .htaccess file is located in the root of my web server (/var/www):
>
> order allow,deny
> deny from 58.,59.,60.,61.,62.
> deny from 77.,78.,79.,80.,81.,82.,83.,84.,85.,86.,87.,88.,89.,90.,91.
> allow from all
>
> How is that 85 address getting past the .htaccess file?

Euhm, you want to block me? As far as I know, my ISP will take abuse seriously, but slow (may take a week or 2,3).

> The RIPE network is in the Netherlands, aka no laws or rules.

I used to work for an ISP in the Netherlands, and they do block abusers. Often even without warning to the client. Where the hell did you get the idea that the Netherlands would be any different?

> I have contacted them countless times with zero replies.

Well, contact the ISP. Afaik RIPE is no ISP. For instance, for my IP dnsstuff.com clearly shows:
remarks: In case of abuse issues, please contact abuse@wanadoo.nl

I'm curious as to what email addresses you've used to report the abuse.
--
Rik Wasmus

Owner of an 85.* ip....

On Feb 16, 7:01 pm, Rik <luiheidsgoe...@hotmail.com> wrote:
> On Fri, 16 Feb 2007 15:45:41 +0100, Gary Quiring <gquir...@gmail.com>
> wrote:
>
> > I am trying to lock out networks in the Netherlands that are
> > constantly looking for vulnerabilities on my Apache server. I do not
> > control the firewall so that is not an option. I thought
> > the .htaccess file would work but somehow these jerks are continuing
> > to get in.
>
> > My .htaccess file is located in the root of my web server (/var/www):
>
> > order allow,deny
> > deny from 58.,59.,60.,61.,62.
> > deny from 77.,78.,79.,80.,81.,82.,83.,84.,85.,86.,87.,88.,89.,90.,91.
> > allow from all
>
> > How is that 85 address getting past the .htaccess file?
>
> Euhm, you want to block me? As far as I know, my ISP will take abuse
> seriously, but slow (may take a week or 2,3).
>
> > The RIPE network is in the Netherlands, aka no laws or rules.
>
> I used to work for an ISP in the Netherlands, and they do block abusers.
> Often even without warning to the client. Where the hell did you get the
> idea that the Netherlands would be any different?
>
> > I have contacted them countless times with zero replies.
>
> Well, contact the ISP. Afaik RIPE is no ISP. For instance, for my IP
> dnsstuff.com clearly shows:
> remarks: In case of abuse issues, please contact a...@wanadoo.nl
>
> I'm curious as to what email addresses you've used to report the abuse.
> --
> Rik Wasmus
>
> Owner of an 85.* ip....

why not stick to the docs, and use

order deny,allow
deny from 58. 59. 60. 61. 62.
deny from 77. 78. 79. 80. 81. 82. 83. 84. 85. 86. 87. 88. 89. 90. 91.

or better yet something like (although it bans a few too many)

order deny,allow
deny from 77.0.0.0/21 58.0.0.0/19

or if hostname lookups are on just plain old

order deny,allow
deny from .nl

or just have done with it

order allow,deny
allow from 192. 10. 172.

Running a public webserver with no firewall control will result in thousands of hits all day and night if you've done your job well, who cares as long as you're patched up to date, and have even the most basic bandwidth and an old P2. Consider buying a 2nd hand $5 router from ebay - which will take the heat all with a 200MHz processor and 8MB RAM!

As for multiple login/ftp attempts, I find them interesting, watching the pretty numbers go by. Require SSL with cert login for your real users if you are that concerned.

Have you thought about running some old machine as a honeypot and making fun of the whole lot of 'em? You should count yourself lucky as you can have real world experience of emerging threats, and get forewarning of what software you need to be up2date with, the rest of us have to read about it and keep up2date in other ways.

Have you considered mod security, you can impose restrictions on the types of connection, user agents and so on, good stuff.

matt
--
owner of 82.* IP (based in UK, whose ISP would certainly take action immediately if I transgressed)

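How the Order, Allow and Deny directives discussed in this thread combine, as an added example (not code from any poster or from Apache): a simplified Python model of the documented Apache 2.2 evaluation rules, run against the client address from the error log above. It assumes that an argument which is not `all`, a network/CIDR or a dotted (partial) IP is taken as a host name pattern; the "spaces" and "swapped" configs are constructed variants.

```python
import ipaddress

def spec_matches(spec, ip, rdns=None):
    """Match one Allow/Deny argument against a client (simplified model)."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # network/CIDR form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if all(c.isdigit() or c == "." for c in spec):  # full or partial IP
        want = spec.rstrip(".").split(".")
        return ip.split(".")[:len(want)] == want
    # Assumed: any other token (a comma-joined list too) is a host name pattern.
    if rdns is None:
        return False
    suffix, name = spec.lower().lstrip("."), rdns.lower()
    return name == suffix or name.endswith("." + suffix)

def evaluate(config, ip, rdns=None):
    """Return True if the client is let in under Order/Allow/Deny rules."""
    order, specs = "deny,allow", {"allow": [], "deny": []}
    for line in config.strip().splitlines():
        words = line.split()
        if words and words[0].lower() == "order":
            order = words[1].lower()
        elif words and words[0].lower() in specs:  # "<allow|deny> from a b c"
            specs[words[0].lower()].extend(words[2:])
    allowed = any(spec_matches(s, ip, rdns) for s in specs["allow"])
    denied = any(spec_matches(s, ip, rdns) for s in specs["deny"])
    if order == "allow,deny":  # default deny; a Deny match always wins
        return allowed and not denied
    return allowed or not denied  # deny,allow: default allow; Allow wins

RANGE = "77. 78. 79. 80. 81. 82. 83. 84. 85. 86. 87. 88. 89. 90. 91."
CONFIGS = {  # first and third are from the thread, the others are constructed
    "commas": "order allow,deny\ndeny from 58.,59.,60.,61.,62.\n"
              "deny from " + RANGE.replace(" ", ",") + "\nallow from all",
    "spaces": "order allow,deny\ndeny from " + RANGE + "\nallow from all",
    "deny_allow": "order deny,allow\ndeny from 58. 59. 60. 61. 62.\n"
                  "deny from " + RANGE,
    "swapped": "order deny,allow\ndeny from " + RANGE + "\nallow from all",
}

def verdicts(ip="85.11.177.162"):
    """Which configs let the client from the thread's error log through?"""
    return {name: evaluate(cfg, ip) for name, cfg in CONFIGS.items()}

if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{name:10} -> {'allowed' if ok else 'denied'}")
```

In this model only the space-separated Deny arguments stop 85.11.177.162, and pairing `order deny,allow` with `allow from all` lets it back in. On Apache 2.4 these directives are provided by mod_access_compat.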
On Feb 16, 2:48 pm, "shimmyshack" <matt.fa...@gmail.com> wrote:
> On Feb 16, 7:01 pm, Rik <luiheidsgoe...@hotmail.com> wrote:
>
> > On Fri, 16 Feb 2007 15:45:41 +0100, Gary Quiring <gquir...@gmail.com>
> > wrote:
>
> > > I am trying to lock out networks in the Netherlands that are
> > > constantly looking for vulnerabilities on my Apache server. I do not
> > > control the firewall so that is not an option. I thought
> > > the .htaccess file would work but somehow these jerks are continuing
> > > to get in.
>
> > > My .htaccess file is located in the root of my web server (/var/www):
>
> > > order allow,deny
> > > deny from 58.,59.,60.,61.,62.
> > > deny from 77.,78.,79.,80.,81.,82.,83.,84.,85.,86.,87.,88.,89.,90.,91.
> > > allow from all
>
> > > How is that 85 address getting past the .htaccess file?
>
> > Euhm, you want to block me? As far as I know, my ISP will take abuse
> > seriously, but slow (may take a week or 2,3).
>
> > > The RIPE network is in the Netherlands, aka no laws or rules.
>
> > I used to work for an ISP in the Netherlands, and they do block abusers.
> > Often even without warning to the client. Where the hell did you get the
> > idea that the Netherlands would be any different?
>
> > > I have contacted them countless times with zero replies.
>
> > Well, contact the ISP. Afaik RIPE is no ISP. For instance, for my IP
> > dnsstuff.com clearly shows:
> > remarks: In case of abuse issues, please contact a...@wanadoo.nl
>
> > I'm curious as to what email addresses you've used to report the abuse.
> > --
> > Rik Wasmus
>
> > Owner of an 85.* ip....
>
> why not stick to the docs, and use
> order deny,allow
> deny from 58. 59. 60. 61. 62.
> deny from 77. 78. 79. 80. 81. 82. 83. 84. 85. 86. 87. 88. 89. 90. 91.
>
> or better yet something like (although it bans a few too many)
> order deny,allow
> deny from 77.0.0.0/21 58.0.0.0/19
>
> or if hostname lookups are on just plain old
> order deny,allow
> deny from .nl
>
> or just have done with it
> order allow,deny
> allow from 192. 10. 172.
>
> Running a public webserver with no firewall control will result in
> thousands of hits all day and night if you've done your job well, who
> cares as long as you're patched up to date, and have even the most
> basic bandwidth and an old P2. Consider buying a 2nd hand $5 router
> from ebay - which will take the heat all with a 200MHz processor and
> 8MB RAM!
> As for multiple login/ftp attempts, I find them interesting, watching
> the pretty numbers go by. Require SSL with cert login for your real
> users if you are that concerned.
> Have you thought about running some old machine as a honeypot and
> making fun of the whole lot of 'em? You should count yourself lucky as
> you can have real world experience of emerging threats, and get
> forewarning of what software you need to be up2date with, the rest of
> us have to read about it and keep up2date in other ways.
> Have you considered mod security, you can impose restrictions on the
> types of connection, user agents and so on, good stuff.
>
> matt
> --
> owner of 82.* IP (based in UK, whose ISP would certainly take action
> immediately if I transgressed)

Thanks Matt, my old eyes didn't notice I had the order wrong.

Gary