A few days back we had a problem that someone in a particular hostel was flooding the mysql through our website.
Now the problems were
1. We had to block the entire range of IP for that those places. (as the person was able to change his/ her IP and flood again)
2. We could not stop them from accessing apache2 completely as the server also hosts the local linux repos fror the network so by blocking access to port 80 the repos would also be blocked for that range.
3. A few IP in the blocked range had to be allowed as the IPs were of known people and who needed the access.
Now we followed a step by step approach to this..
1. For blocking the entire range we had to block the ips as well as the subnet as follows..
Open and edit /etc/apache2/site-enabled/ [code]
NameVirtualHost *:443
NameVirtualHost *:80
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
deny from 192.168.xxx.0/255.255.xxx.0
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
#RedirectMatch ^/$ /apache2-default/
[/code]
Here the apache2 is blocking the ip range of
192.168.xxx.0 to 192.168.xxx.255
having the subnet mask 255.255.xxx.0
2. For allowing access to repos on the server.
Open and edit /etc/apache2/site-enabled/ [code]
NameVirtualHost *:443
NameVirtualHost *:80
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
deny from 192.168.xxx.0/255.255.xxx.0 # This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
#RedirectMatch ^/$ /apache2-default/
Alias /repo/ubuntu "/var/spool/apt-mirror/mirror/archive.ubuntu.com/ubuntu/" Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from all
Alias /repo/wine "/var/spool/apt-mirror/mirror/wine.budgetdedicated.com/apt/" Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from all
Alias /repo/media "/var/spool/apt-mirror/mirror/packages.medibuntu.org/" Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from all
Alias /yum "/var/cache/yum/" Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from none
Allow from all
[/code]
3. unblocking a few IPs
Open and edit /etc/apache2/site-enabled/ [code]
NameVirtualHost *:443
NameVirtualHost *:80
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order deny,allow
deny from 192.168.xxx.0/255.255.xxx.0
allow from 192.168.xxx.yyy
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
#RedirectMatch ^/$ /apache2-default/
[/code]
Here the Order is changed to deny then allow. It is interesting to note that to allow all a allow all mask is not required which initially confused me.
I hope this config helps people as much i have broken my head over it
