Geek pop quiz.

[theweaselking]

Have a server running Apache 2.
HTAccess files are enabled. Password protection is working just fine in every way right now. mod_access is installed.

I want to deny all access from a domain name or IP range, without disabling the password protection.
The docs all say I should add

Order Allow,Deny
Deny from baddomainname.com
Allow from all

When I add this to the .htaccess file, I get a "500 internal server error" on that folder and all subfolders. Removing it again makes things work. The same thing applies for just about every other configuration of allow/deny I try. For example,

order deny,allow
deny from baddomainname.com

produces the same result: 500 internal server error. This happens whether I disable the password protection or not.

The same behaviour happens when I stick the commands under the Directory section of httpd.conf and make Apache reload it: 500 internal server error.

Any thoughts?

Comments

[scifantasy.livejournal.com]

Shoot the hostage.

[zenten.livejournal.com]

This seemed to work on my computer:

Order Allow,Deny
Allow from all
Deny from foo.apache.org

[zenten.livejournal.com]

And by "seems to work" I mean doesn't actually seem to block anything, but allows everything through.

[theweaselking.livejournal.com]

Which would be expected if you weren't foo.apache.org.

[theweaselking.livejournal.com]

But not on mine. That's the problem.

(Same results from that configuration, too)

[zenten.livejournal.com]

I tried


Order Allow,Deny
Allow from all
Deny from 192.168.2.101

Where my local ip address for my workstation is 192.168.2.101, and it still got through.

Maybe you're missing a module or something here?

[theweaselking.livejournal.com]

Do you have .htaccess files enabled?

[inguz.livejournal.com]

If you want to deny access to the box, why not just use /etc/hosts.deny? That will block the specified IP's from accessing the specified ports and does it at the protocol level.

[theweaselking.livejournal.com]

A perfectly sensible solution. I'll have to try that.

[inguz.livejournal.com]

As a follow up, everyone with a linux box that has ssh running on it should consider this wonderful project. http://denyhosts.sourceforge.net/

It adds/removes entries to your hosts.deny file based on ssh security log entries. You can deny IP addressess access to your box if they fail X number of ssh logins. Has a few other useful features too. Really cuts down on the brute force ssh attacks.

mine

[mhoye.livejournal.com]

SetEnvIfNoCase Referer badurl.com cockbites
Order Deny,Allow
Deny from env=cockbites


I've got a long list of these, which I use to block referrer spam.

Re: mine

[theweaselking.livejournal.com]

I haven't tried environment variables, but it seems that I start producing the 500 Internal Server Error as soon as I add an Order/Allow/Deny block - so I'm not so sure this will help. I'll certainly give it a shot, though.

[argaive.livejournal.com]

Have you looked for a possible typo in your .htaccess? That usually shuts down everything with a 500 error within that .htaccess' scope.

A.

[theweaselking.livejournal.com]

Indeed, I have. The htaccess for passwords is working perfectly. The htaccess in a subfolder, created in a unix text editor on the machine in question, contains *only* the bits I quoted above, exactly, and nothing else.

So no typos, and no bad carriage returns or anything like that.

And I tried removing the password protection, too, leaving *just* the stuff from above, with no help.