Atomic Secure Linux

All times are UTC - 5 hours [ DST ]

 Post subject: Server-wide .htaccess
Posted: Sun Apr 19, 2015 6:35 pm
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
I am getting pounded by hackers from RIPE and AsiaNet. My client would like me to block all access from overseas.

How can I create a server-wide .htaccess file? On each node or how about on Virtuozzo that actually has two virtual servers (they're small and the servers are beefy.)


Post subject: Re: Server-wide .htaccess
Posted: Mon Apr 20, 2015 4:44 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
What about firewalling?

I've never tried it myself, but traffic to Containers goes via the Forward chain on the HN. So any rules in there apply to all containers. In theory.

China and Korea netblocks: http://okean.com/asianspamblocks.html

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: Server-wide .htaccess
Posted: Mon Apr 20, 2015 4:49 am
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
Hey Faris!

Nice to see you. I can put them in our WatchGuard Peak X8000 but that will take a long time. I can't enter CIDRs like 212/24.

Any suggestions on a .htaccess on the HN that will affect the containers?


Post subject: Re: Server-wide .htaccess
Posted: Mon Apr 20, 2015 6:47 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Big performance hit whenever you use .htaccess. It's faster to do geo-blocking in the firewall.


Post subject: Re: Server-wide .htaccess
Posted: Mon Apr 20, 2015 6:53 am
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
Hey Scott! Good morning. I agree. I just can't enter CIDRs, just host ranges. I can import a text file and need to explore that. The firewall kicks butt!


Post subject: Re: Server-wide .htaccess
Posted: Tue Apr 21, 2015 7:41 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
I suspect even adding CIDRs would take ages if you had to add them one by one manually.
The text file import is probably the best option.

OR, just for these blocks, use the FORWARD chain on the HN.

OR, as there are only two Containers, adding them to the normal firewall in each container should not cause problems, even though you are effectively doubling the number of blocks that are strictly necessary.

If you don't have a firewall on the Containers themselves, adding APF might be an easy option - AFAIK its deny_host.rules file allows you to block by CIDR if you want.

Post subject: Re: Server-wide .htaccess
Posted: Tue Apr 21, 2015 9:25 am
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
Excellent advice from both of you. I try not to ask too much of you...


Post subject: Re: Server-wide .htaccess
Posted: Wed Apr 22, 2015 7:06 am
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
OK. My firewall will accept CIDRs in this format:

123.0.0.1/23

I've looked and don't find a list.


Post subject: Re: Server-wide .htaccess
Posted: Wed Apr 22, 2015 7:08 am
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
If you're running ASL you can just add those to /etc/asl/blacklist and run service asl-firewall restart


Post subject: Re: Server-wide .htaccess
Posted: Wed Apr 22, 2015 7:59 am
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
I've been in the hospital so many times Scott that I have never installed ASL. I am struggling to hang on. I have been manually fighting each attack. :-( This is a Plesk 9.3 server but yet I have Plesk 12. I need to rebuild a whole rack of servers. But I can hardly walk. See your PMs.


Post subject: Re: Server-wide .htaccess
Posted: Thu Apr 23, 2015 9:29 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Check out http://dev.maxmind.com/geoip/geoip2/geo ... databases/ and https://www.countryipblocks.net/country_selection.php

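Added example (not part of any post in this thread): one way to prepare a downloaded block list for a firewall text import, normalising entries such as 123.0.0.1/23, merging overlaps, and emitting either CIDRs or start-end host ranges. The sample list is constructed from documentation address ranges, and the function names and output layouts are assumptions; check what your firewall's import actually expects.

```python
import ipaddress

# Constructed sample in the style of a downloaded block list (not real data).
SAMPLE_LIST = """\
198.51.100.0/25
198.51.100.128/25
203.0.113.77/24   ; host bits set, like the 123.0.0.1/23 form
192.0.2.0 - 192.0.2.255
198.18.0.0/15
198.18.4.0/22
not-an-address
"""

def parse_entry(entry):
    """One list entry (CIDR or 'start - end') -> list of IPv4 networks."""
    if "-" in entry:
        first, last = (ipaddress.IPv4Address(p.strip())
                       for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    # strict=False masks off host bits instead of rejecting the entry
    return [ipaddress.IPv4Network(entry, strict=False)]

def load_blocks(raw):
    """Return (collapsed, sorted networks, rejected (lineno, text) pairs)."""
    nets, rejected = [], []
    for lineno, line in enumerate(raw.splitlines(), 1):
        entry = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.extend(parse_entry(entry))
        except ValueError:  # covers bad addresses, masks and reversed ranges
            rejected.append((lineno, entry))
    return list(ipaddress.collapse_addresses(nets)), rejected

def as_cidrs(nets):
    return [str(n) for n in nets]

def as_host_ranges(nets):
    """'first-last' form for firewalls that only take host ranges."""
    return [f"{n[0]}-{n[-1]}" for n in nets]

def is_blocked(nets, addr):
    """Check an address (e.g. your own admin IP) before loading the list."""
    return any(ipaddress.IPv4Address(addr) in n for n in nets)

if __name__ == "__main__":
    blocks, bad = load_blocks(SAMPLE_LIST)
    print("\n".join(as_host_ranges(blocks)), "\nrejected:", bad)
```

Running `is_blocked` against your own management addresses before importing the result avoids locking yourself out of the hardware node or the containers.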
 Post subject: Re: Server-wide .htaccess
Posted: Thu Apr 23, 2015 9:48 am
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
Thank you, Faris. As I mentioned privately to Scott you are amongst the good guys on the internet. You seem always willing to help a rookie, well not so much of a rookie anymore due to your help over the years. But thank you. If I may, God bless you.


Post subject: Re: Server-wide .htaccess
Posted: Fri Apr 24, 2015 5:56 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
It's a shame I'm not closer to you. There's a little matter of the Atlantic Ocean in the way.

Post subject: Re: Server-wide .htaccess
Posted: Fri Apr 24, 2015 10:45 am
Forum Regular

Joined: Mon Mar 19, 2007 3:47 pm
Posts: 310
I can swim... a little...


Post subject: Re: Server-wide .htaccess
Posted: Fri Apr 24, 2015 11:08 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Tell you what -- move to Nevada. Then I'll come and stay with you for a bit.

I'm a bit of a Vegas fan. Not for the "sin city" or gambling side of things - I'm not really interested. But I do like everything else the place has to offer, at least for a week or so at a time.
