On Mon, 26 Jul 2010, Shawn Badger wrote:
> What about adding the ip into the /etc/hosts.deny file?
> I don't know if Apache uses TCP wrappers, but if it does then this would be
> an easy solution.
ask it, and see if libwrap is present: ;)
$ ldd /usr/sbin/httpd | grep wrap
> I think the best solution is to use iptables though, because you should
> really already be running it on anything that is public facing.
iptables to just port 80/tcp will work fine
-A INPUT -m state --state NEW -m tcp -p tcp -s \
the.bad.guy.ip --dport 80 -j REJECT
[backslash continuations used here, to avoid wrapping issues
-- not supported in the real config files, in say CentOS, in
/etc/sysconfig/iptables ]
but ....
The 'correct method' from an Apache POV is a 'Deny' rule in
the config file, which avoids some workarounds
<Directory / >
# Allow,Deny: Allow rules are evaluated first, then Deny; an address matching both is denied
Order Allow,Deny
Allow from All
Deny from the.bad.guy.ip
</Directory>
or such
-- Russ herrold
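
How Apache 2.2's Order directive decides the outcome when a Deny rule for one address is paired with Allow from All, as an added example that is not part of the original message: a small Python evaluator of the documented Order/Allow/Deny semantics. 203.0.113.45 is a constructed stand-in for the.bad.guy.ip, the function names are hypothetical, and only `all`, single addresses and CIDR specs are handled.

```python
import ipaddress

def parse_rules(block):
    """Pull Order and the Allow/Deny 'from' specs out of a config snippet."""
    order, allow, deny = "deny,allow", [], []  # Apache 2.2 default Order
    for line in block.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "order":
            order = "".join(words[1:]).lower()
        elif (len(words) >= 3 and words[1].lower() == "from"
              and words[0].lower() in ("allow", "deny")):
            (allow if words[0].lower() == "allow" else deny).extend(words[2:])
    return order, allow, deny

def matches(specs, client):
    """True if the client address matches 'all', an address or a CIDR spec."""
    addr = ipaddress.ip_address(client)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False

def is_allowed(block, client):
    """Apply the Order semantics: the directive type named last has the final say."""
    order, allow, deny = parse_rules(block)
    allowed, denied = matches(allow, client), matches(deny, client)
    if order == "allow,deny":   # default deny; a Deny match overrides Allow
        return allowed and not denied
    if order == "deny,allow":   # default allow; an Allow match overrides Deny
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)

# Constructed sample input; 203.0.113.45 stands in for the.bad.guy.ip
BAD, OTHER = "203.0.113.45", "198.51.100.7"
DENY_ALLOW = "Order Deny,Allow\nDeny from 203.0.113.45\nAllow from All"
ALLOW_DENY = "Order Allow,Deny\nAllow from All\nDeny from 203.0.113.45"

if __name__ == "__main__":
    for name, block in (("Deny,Allow", DENY_ALLOW), ("Allow,Deny", ALLOW_DENY)):
        for client in (BAD, OTHER):
            verdict = "allowed" if is_allowed(block, client) else "denied"
            print(name, client, verdict)
```

On a live server, the same check is a request from the blocked address that returns 403 while other clients still get 200.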