Server-wide .htaccess

KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

I am getting pounded by hackers from RIPE and AsiaNet. My client would like me to block all access from overseas.

How can I create a server-wide .htaccess file? On each node or how about on Virtuozzo that actually has two virtual servers (they're small and the servers are beefy.)
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

What about firewalling?

I've never tried it myself, but traffic to Containers goes via the Forward chain on the HN. So any rules in there apply to all containers. In theory.

China and Korea netblocks: http://okean.com/asianspamblocks.html
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Hey Faris!

Nice to see you. I can put them in our WatchGuard Peak X8000 but that will take a long time. I can't enter CIDRs like 212/24.

Any suggestions on a .htaccess on the HN that will affect the containers?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Big performance hit whenever you use .htaccess. It's faster to do geo-blocking in the firewall.
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Hey Scott! Good morning. I agree. I just can't enter CIDRs, just host ranges. I can import a text file and need to explore that. The firewall kicks butt!
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

I suspect even adding CIDRs would take ages if you had to add them one by one manually.
The text file import is probably the best option.

OR, just for these blocks, use the FORWARD chain on the HN.

OR, as there are only two Containers, adding them to the normal firewall in each container should not cause problems, even though you are effectively doubling the number of blocks that are strictly necessary.

If you don't have a firewall on the Containers themselves, adding APF might be an easy option - AFAIK its deny_host.rules file allows you to block by CIDR if you want.
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Excellent advice from both of you. I try not to ask too much of you...
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

OK. My firewall will accept CIDRs in this format:

123.0.0.1/23

I've looked and don't find a list.
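
As an added example (not part of the original thread, and not code from any poster or from Atomicorp): a Python helper that reads a CIDR-per-line netblock list, normalizes entries written with host bits set (such as the 123.0.0.1/23 form above), merges adjacent blocks, and emits either first-last host ranges for a firewall that only takes ranges or iptables DROP lines for the FORWARD chain on the hardware node. The sample list is constructed from reserved documentation and benchmarking ranges, and the `start-end` range syntax is an assumption about what the firewall's text import expects.

```python
import ipaddress

# Constructed sample list (reserved documentation/benchmark ranges, not a real blocklist).
SAMPLE = """\
# blank lines and comments are skipped
198.51.100.0/25
198.51.100.128/25   # adjacent to the previous line: merges into one /24
198.18.5.1/23       # host bits set, like the 123.0.0.1/23 form in the thread
192.0.2.0/24
not-a-network
"""

def parse_blocklist(text):
    """Return (merged IPv4 networks, rejected entries) from a CIDR-per-line list."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False masks off host bits: 198.18.5.1/23 -> 198.18.4.0/23
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version == 4:
            nets.append(net)
        else:
            rejected.append(entry)  # this example is IPv4-only
    # collapse_addresses merges adjacent/overlapping blocks and sorts the result
    return list(ipaddress.collapse_addresses(nets)), rejected

def to_host_ranges(nets):
    """First-last address pairs, for a firewall that takes ranges instead of CIDR."""
    return [f"{n.network_address}-{n.broadcast_address}" for n in nets]

def to_forward_rules(nets):
    """iptables-restore style lines dropping the blocks in the FORWARD chain."""
    return [f"-A FORWARD -s {n} -j DROP" for n in nets]

if __name__ == "__main__":
    nets, rejected = parse_blocklist(SAMPLE)
    print("\n".join(to_host_ranges(nets)))
    print("\n".join(to_forward_rules(nets)))
    print("rejected:", rejected)
```

Reviewing the rejected entries before importing catches typos in the list that would otherwise silently leave a block unfiltered.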
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

If you're running ASL you can just add those to /etc/asl/blacklist and run service asl-firewall restart
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

I've been in the hospital so many times Scott that I have never installed ASL. I am struggling to hang on. I have been manually fighting each attack. :-( This is a Plesk 9.3 server but yet I have Plesk 12. I need to rebuild a whole rack of servers. But I can hardly walk. See your PMs.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

Thank you, Faris. As I mentioned privately to Scott you are amongst the good guys on the internet. You seem always willing to help a rookie, well not so much of a rookie anymore due to your help over the years. But thank you. If I may, God bless you.
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

It's a shame I'm not closer to you. There's a little matter of the Atlantic Ocean in the way.
KrazyBob
Forum Regular
Posts: 310
Joined: Mon Mar 19, 2007 3:47 pm

I can swim... a little...
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Tell you what -- move to Nevada. Then I'll come and stay with you for a bit.

I'm a bit of a Vegas fan. Not for the "sin city" or gambling side of things - I'm not really interested. But I do like everything else the place has to offer, at least for a week or so at a time.