On Mon, 26 Jul 2010, Shawn Badger wrote:

> What about adding the ip into the /etc/hosts.deny file?
> I don't know if Apache uses TCP wrappers, but if it does then this would be
> an easy solution.

ask it, and see if libwrap is present: ;)

    $ ldd /usr/sbin/httpd | grep wrap

> I think the best solution is to use iptables though, because you should
> really already be running it on anything that is public facing.

iptables to just port 80/tcp will work fine

    -A INPUT -m state --state NEW -m tcp -p tcp -s \
        the.bad.guy.ip --dport 80 -j REJECT

[backslash continuations used here, to avoid wrapping issues -- not
supported in the real config files, in say CentOS, in
/etc/sysconfig/iptables ]

but .... The 'correct' method from an apache POV is a 'Deny' rule in
the config file, which avoids some workarounds

    # Allow,Deny: a client matching both an Allow and a Deny line is denied
    Order Allow,Deny
    Allow from All
    Deny from the.bad.guy.ip

or such

-- Russ herrold
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
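
Which Order is chosen decides what happens to a client that matches both a Deny line and an Allow line, as the blocked address does once it is paired with "Allow from All". The Python model below of the Apache 2.2 Order rules is an added example, not part of the original message; the addresses 203.0.113.7 and 198.51.100.20 and the name order_decision are constructed for illustration, and only "all", single IPs and CIDR blocks are modelled.

```python
"""Model of Apache 2.2 mod_authz_host Order/Allow/Deny evaluation (illustrative)."""
import ipaddress


def _matches(client, specs):
    """True if client matches any 'from' spec: 'all', a single IP, or a CIDR block."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def order_decision(order, allow, deny, client):
    """Return 'allowed' or 'denied' for client under the given Order."""
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    key = order.replace(" ", "").lower()
    if key == "allow,deny":
        # Must match an Allow and no Deny; anything unmatched is denied.
        return "allowed" if allowed and not denied else "denied"
    if key == "deny,allow":
        # Denied only if it matches a Deny and no Allow; anything unmatched is allowed.
        return "denied" if denied and not allowed else "allowed"
    raise ValueError("unsupported Order: %r" % order)


BAD = "203.0.113.7"      # constructed stand-in for the.bad.guy.ip
OTHER = "198.51.100.20"  # constructed ordinary visitor

if __name__ == "__main__":
    # Same two directives (Allow from All, Deny from BAD) under each Order.
    for order in ("Deny,Allow", "Allow,Deny"):
        for client in (BAD, OTHER):
            result = order_decision(order, ["all"], [BAD], client)
            print("Order %-10s client %-13s -> %s" % (order, client, result))
```

With both directives present, the blocked address is let through under Deny,Allow and refused under Allow,Deny, while other visitors are allowed either way.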