Deny from .htaccess with banned IP list from stopforumspam.com not working

Tags: .htaccess, ip-blocking

So I'm trying to use .htaccess to ban a large list (50,000) of suspicious spam IP addresses that I got from this site.

The list is almost 1M in size when I add the deny from directive for each address in the list… but when I apply the loaded .htaccess file to the server it barfs and no pages load, with a 403 error.

My questions:

  1. Is there a limit to the size of a .htaccess file?
  2. Is there a limit to the number of deny from IP addresses that can be contained in the file?
  3. Is there a better way to do what I'm trying to do at the server level? (I understand I could check the list in the webapp during submit, but I'm trying to learn stuff.)

Best Answer

There is no limit on the size of a .htaccess file other than the OS file size limits (usually 2GB or more). However, there are major performance implications involved in using .htaccess files because of the way that Apache processes them recursively (traversing the directory tree up) on every page load. In fact, Apache recommends against using .htaccess unless absolutely necessary, e.g. no access to higher-level config.

The standard way to handle IP blocking is with iptables, the built-in Linux firewall. You can use other applications to help manage iptables, such as Fail2ban. See this blog post for a way to do this with Fail2ban on a permanent basis. You can also block them by adding a route: route add -host 192.168.0.123 reject. Remember that you can use entire classes of IP addresses with all of these, so that rather than listing 192.168.0.1, 192.168.0.2,... 192.168.0.254 you can specify the network: 192.168.0.0/24.

Whatever method you use, remember to be very careful not to block yourself, especially from services such as SSH.
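As an added example (not part of the answer above, and not code from stopforumspam.com or Fail2ban), here is one way to put a 50,000-entry list into the kernel firewall instead of .htaccess: load the addresses into an ipset and match that set from a single iptables rule. A hash:net set handles both single addresses and CIDR networks, so the ranges the answer mentions (192.168.0.0/24 and the like) go in as one entry each. The script assumes the downloaded list is one address or network per line (comment lines starting with "#" are skipped) and that an allowlist file holds the addresses you never want blocked, such as your own; both file formats, the set name spamips and the choice to drop only ports 80 and 443 are assumptions for this example, not something the page specifies. Invalid entries are dropped rather than passed to ipset, where a single bad line would abort the whole restore.

```shell
#!/bin/sh
# Build an "ipset restore" script from a plain IP/CIDR list, then apply it
# with one iptables rule. Example code; names and file formats are assumptions.

# build_ipset_restore LISTFILE SETNAME [ALLOWFILE]
#   Prints an ipset restore script on stdout: one "create" line followed by
#   one "add" line per valid, unique, non-allowlisted entry. Invalid lines
#   (bad octets, prefix > 32, junk) are counted and dropped; stats go to stderr.
build_ipset_restore() {
    list=$1
    setname=$2
    allow=${3:-/dev/null}
    # hash:net accepts both 203.0.113.5 and 198.51.100.0/24; maxelem sized for ~50k entries
    printf 'create %s hash:net family inet hashsize 65536 maxelem 131072\n' "$setname"
    # awk reads the allowlist first (allow=1), then the block list (allow=0)
    awk -v set="$setname" '
        function valid(ip,    n, p, o, i) {
            n = split(ip, p, "/")
            if (n < 1 || n > 2) return 0
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32)) return 0
            if (split(p[1], o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        { sub(/\r$/, "") }                       # tolerate CRLF downloads
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        allow == 1 { if (valid($1)) allowed[$1] = 1; next }
        { ip = $1 }
        !valid(ip)      { bad++; next }
        ip in allowed   { skipped++; next }       # never block yourself
        !(ip in seen)   { seen[ip] = 1; added++; print "add " set " " ip }
        END {
            printf "added %d, invalid %d, allowlisted %d\n", added, bad, skipped > "/dev/stderr"
        }
    ' allow=1 "$allow" allow=0 "$list"
}

# apply_blocklist RESTOREFILE SETNAME
#   Loads the set (-exist makes re-runs idempotent) and inserts the DROP rule
#   once, limited to HTTP/HTTPS so an SSH session is never cut off by the list.
#   Requires root, ipset and iptables; not run by the demo below.
apply_blocklist() {
    ipset -exist restore < "$1"
    iptables -C INPUT -m set --match-set "$2" src -p tcp -m multiport --dports 80,443 -j DROP 2>/dev/null ||
        iptables -I INPUT -m set --match-set "$2" src -p tcp -m multiport --dports 80,443 -j DROP
}

# demo_build: constructed sample input (documentation ranges, not real spam data)
# showing dedupe, CIDR passthrough, invalid-line dropping and the allowlist.
demo_build() {
    tmp=$(mktemp -d)
    printf '# constructed block list\n192.0.2.10\n192.0.2.10\n198.51.100.0/24\n203.0.113.5\n999.1.1.1\nnot-an-ip\n203.0.113.77\n' > "$tmp/list.txt"
    printf '203.0.113.77\n' > "$tmp/allow.txt"      # pretend this is the admin's own address
    build_ipset_restore "$tmp/list.txt" spamips "$tmp/allow.txt"
    rm -rf "$tmp"
}

# Usage: sh blocklist.sh demo
#        sh blocklist.sh build LIST.txt spamips allow.txt > spamips.restore
case "${1:-}" in
    demo)  demo_build ;;
    build) build_ipset_restore "$2" "${3:-spamips}" "${4:-/dev/null}" ;;
esac
```

Run the output through ipset -exist restore and check it with ipset list spamips -terse before adding the iptables rule; the rule is inserted with -I so it sits ahead of any ACCEPT for the web ports, and the -C check keeps repeated runs from stacking duplicate rules. Persisting the set and the rule across reboots (ipset save, iptables-save, or a distribution's firewall service) is left to the host's normal configuration.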