How to dynamically deny access using .htaccess - .htaccess

I am familiar with denying access based on an IP, block of IPs, browser, URL etc... but my problem here is, let me state, how to deny access if it came from some IP address, at least 3 times a second for long period of time. Here, you don't know the IP address unless you look at the access file. By the time you found out the IP address it's already drawn too much of the bandwidth.

You can't use htaccess for doing this. The out-of-box apache directives can't handle browsing sessions. You'll need to install some sort of log parser, maybe something like fail2ban? Or you can probably cook up a set of iptables rules for blocking lots of connections from one IP: https://askubuntu.com/questions/437059/linux-command-to-prevent-dos-attack-by-using-netstat-and-iptables

Related

Block anything using an IP instead of a domain

Getting a lot of traffic [likely bots] that are hitting my site via an IP address instead of a domain.
For example, a user would access my site at https://www.example.com/login but I'm getting traffic using the IP instead: https://123.45.678.910/login
I would like to block access to anything using the IP instead of the domain. Can this be done via the .htaccess file?
I can do it via PHP, but by then, it's already wasting resources. Is there another / common / best-practice way to handle this?
When googling for the solution, I get a LOT of information about how to block or allow specific IP address(es) or range of IPs, but that's not what I'm looking for.

TYPO3 block IP addresses

Somebody tried to get access to my TYPO3 backend. I already have the IP adress of the attacker and want to block it from the backend.
I already tried to block ip with .htaccess but this doensn't work. I think the rules are overwritten by something else in the .htaccess file which I couldn't figure out yet.
Captcha is at the moment not a suitable solution.
Are there any good extensions for blocking IP adresses or is there another way to avoid these brute-force attacks?
If you are really concerned about somebody to be able to successfully get access to the system I suggest to go the "white list" path instead of blacklisting single IPs.
TYPO3 has a built in feature to block backand access for ALL IPs except some white listed ones.
To do this just add the following into AdditionalConfiguration.php putting your own IP and the IPs (or subnets) of other users too.
$GLOBALS["TYPO3_CONF_VARS"]['BE']['IPmaskList'] = 'x.x.x.x,y.y.y.*,z.z.*.*';
Other than that, just make sure you take the basic steps to make your backend more secure:
1) Force SSL for the backend:
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockSSL'] = 2;
2) Implement a secure password policy for the backend users by using e.g. EXT:be_secure_pw
3) Secure session cookies to have ssl_only and http_only attributes:
$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieHttpOnly']=1;
$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieSecure']=1;
4) And last but not least: make sure you are using the most recent version of your TYPO3 version line, ideally a maintained LTS version.
You should block requests before PHP/MySql is in use in the best case. So .htaccess is the correct way in my eyes. If it does not work, you should ask your hoster.
It sounds like you want to block the IP of the attacker and put measures in place to block known bad ip's. One of the main issues with blocking the IP of the attacker is that it's fairly easy for an attacker to setup a new IP address and launch a new attack.
There are services that provide lists of known bad ip's if you wanted to implement your own firewall.
Alternatively you can look to place your URL behind a solution such as Cloudflare that have the ability to block IP's or countries. I know of business's that block traffic from China and Russia since they identified that most of their attacks came from these countries.

IIS Dynamic IP Address Restriction to permanently block IP

So I have a website that is getting hit regularly from someone scraping our content and I would like to do my best to annoy him as possible.
Currently we have IIS Dynamic IP address restriction on but this only temp blocks him for a very short time. Is it possible to have the same sort of rules but permanently block him instead.
So if we have 20 requests in 10 seconds from the same IP address that IP address is then block indefinitely (or a preset time I can pick)
we currently using IIS7.5
Thanks
Steve
To answer your question, you should look at this, it is an extension for IIS . You can actually set it up in such a way that if a user reaches a certain number of connections they are getting denied.
Hope this helps !

Staging area ptotection based on ip...what if my client has a dynamic IP?

I'm trying to put online a staging area for an upcoming website... I'd usually rather use an htaccess rule to enable only me and my client to see the website...i think is safer and you dont need to rememebr passwords and so...
but my client this time has an internet provider who doesnt give him a static ip, aparently everyday or so, his ip chamges...so i have to change my htaccess!
there is any solution for that?
First of all, dynamic IPs are very common, a lot of providers disconnect the client in intervals of 12 or 24 hours, which usually means they get a new IP assigned.
Second, just giving out a username / password combination not only seems safer, but also more hassle-free. You are about to invest time into a solution that's probably not worth it. I also don't see how you would obtain the valid IP address of the client to update your .htaccess file, apart from having the client install a service that updates a dynamic DNS entry mayb - more of a hassle than remembering a login, if you ask me.
You could have him use a dynamic DNS service like dyndns.com or no-ip.com. That way he can setup a domain name like someguy.dyndns.com which would always resolve to his ip (he'll probably need to install a small daemon/service/program to automatically update the IP though). Then you can add a rule into your .htaccess like allow from someguy.dyndns.com.

Is it possible to force setting CNAME record of the DNS?

Suppose I have two domain names (domainA, domainB). I set the CNAME record of domainA to domainB, so whenever a user resolves domainA, he will be redirected to resolving domainB instead. My question is if it is possible to restrict accessing domainB directly. So no one can resolve domainB unless it has first resolved domainA.
The DNS system is designed to be an open system that allows anyone to resolve addresses. In its native form it is not possible to do what you are looking for.
Even though the most common (perhaps only) software used for DNS servers on the internet is open source ISC Bind - And you could potentially use that to write your own DNS server to attempt to create that functionality I am reasonably sure that because DNS works as a referral network (i.e. other DNS servers make requests against your DNS servers on behalf of clients) it would be difficult to lock DNS down to a single source.
Simply DNS isn't designed to provide any form of security. Your request is akin to asking 'could I make a phone book that only allowed people to read my name if they read my neighbours first'
The only method you could use is to allow users to make a request to example.com and from their redirect their request to example.org. That way you are operating at a level higher than IP Name resolution and you start getting more control over what happens.

Resources