Thanks for the input, Travis. Maybe I wasn't clear. I was blocking in .htaccess only:

....
Require not ip 152.32.186.0/24
Require not ip 157.230.0.0/16
Require not ip 157.7.160.0/22
Require not ip 158.255.128.0/19
....

These CIDRs: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14 (are not on my list in .htaccess). I just pull them up with "whois" to investigate.
So how does the IP apache blocked, "157.55.39.252", match what I had in my .htaccess file?

On Wed, Feb 10, 2021 at 4:25 PM Travis Rodman <trod...@apple.com.invalid> wrote:
>
> given this...
> ---------------------------------------------------------------------
> apache log:
> 157.55.39.252 - - [09/Feb/2021:17:04:33 -0700] "GET /product_info.php HTTP/1.1" 403 199
>
> The above user is from Microsoft Network
> CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
> that does not appear on my list.
>
> So why is my configuration blocking that user?
>
> The apache .htaccess just blocked IP: 159.14.184.11
> this is "Organization: The Children's Hospital of philadelphia"
> CIDR: 159.14.0.0/16
> ---------------------------------------------------------------------
>
> using this to calculate the binary and the masks...
> echo "obase=2;$ip" | bc
>
> this:
> echo "obase=2;157" | bc
> echo "obase=2;54" | bc
> echo "obase=2;56" | bc
> echo "obase=2;60" | bc
>
> converts to this:
> 157 10011101
>  60 00111100
>  54 00110110
>  56 00111000
>
> 157 | 10011101
>  55 | 00110111
>  39 | 00100111
> 252 | 11111100
>
> 10011101.00110111.00100111.11111100
>
> and doing the same with your CIDR masks against the input IP
> 157 60 | 10011101.00111100|.00000000.00000000
>          10011101.00110111|.00100111.11111100
>
> 157 54 | 10011101.0011011|0.00000000.00000000
>          10011101.0011011|1.00100111.11111100
>
> 157 56 | 10011101.001110|00.00000000.00000000
>          10011101.001101|11.00100111.11111100
>
> 157 | 10011101
>  55 | 00110111
>  39 | 00100111
> 252 | 11111100
>
> 10011101.00110111.00100111.11111100
>
> shows this is the matching (rejecting) IP and mask
> this is the matching subnet:
> 157 54 | 10011101.0011011|0.00000000.00000000
>          10011101.0011011|1.00100111.11111100
>
> so, your 157.54.0.0/15 rule is matching (rejecting) 157.55.39.252
>
> HTH,
> Travis
>
> On Wed, Feb 10, 2021 at 03:53:35PM -0700, syscon edm wrote:
> > I run apache-2.4.46 on linux
> >
> > In .htaccess file I have a long list of IP-subnets (over 500-subnets)
> > that I ban (mostly spammers).
> > But I've noticed that my .htaccess prevents access to customers from IPs
> > that are not on the ban list.
> >
> > In the .htaccess the IPs are listed in numerical order, e.g.:
> > <Files history.txt>
> > Require all denied
> > </Files>
> >
> > <RequireAll>
> > Require all granted
> >
> > # block spammers:
> > ...
> > Require not ip 152.32.186.0/24
> > Require not ip 157.230.0.0/16
> > Require not ip 157.7.160.0/22
> > Require not ip 158.255.128.0/19
> > ...
> > </RequireAll>
> >
> > apache log:
> > 157.55.39.252 - - [09/Feb/2021:17:04:33 -0700] "GET /product_info.php HTTP/1.1" 403 199
> >
> > The above user is from Microsoft Network
> > CIDR: 157.60.0.0/16, 157.54.0.0/15, 157.56.0.0/14
> > that does not appear on my list.
> >
> > So why is my configuration blocking that user?
> >
> > The apache .htaccess just blocked IP: 159.14.184.11
> > this is "Organization: The Children's Hospital of philadelphia"
> > CIDR: 159.14.0.0/16
> >
> > and that CIDR is not on my list, why is apache locking it?
> > Do these IP subnets need to be sorted in order for them to work correctly?
> >
> > I can post them here if somebody wants to test it, if it is OK. They
> > are just subdomains, not individual IPs.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@community.apache.org
> > For additional commands, e-mail: dev-h...@community.apache.org
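
Added example (not part of the original thread and not code from any of its participants): one way to find which entry in a long `Require not ip` list covers a given client address, automating the prefix comparison worked by hand above. The sample list is constructed: four entries are those quoted in the thread, the two marked hypothetical are assumptions, as are the names `to_network` and `matching_rules`.

```python
import ipaddress
import re

# Constructed sample: the four entries quoted in the thread plus two
# hypothetical wider entries of the kind a 500-line list can hide.
HTACCESS = """\
<RequireAll>
Require all granted
Require not ip 152.32.186.0/24
Require not ip 157.230.0.0/16
Require not ip 157.7.160.0/22
Require not ip 158.255.128.0/19
# hypothetical entries, not from the thread:
Require not ip 157.48.0.0/12
Require not ip 159.14
</RequireAll>
"""

RULE = re.compile(r"^\s*Require\s+not\s+ip\s+(.+?)\s*$", re.IGNORECASE)

def to_network(spec):
    """Turn one 'Require ip' argument (CIDR, net/netmask, partial IPv4) into a network."""
    if "/" not in spec and ":" not in spec and spec.count(".") < 3:
        octets = spec.rstrip(".").split(".")        # partial address, e.g. "159.14"
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    # strict=False masks off stray host bits instead of raising; assumed to
    # mirror how the server treats an entry whose address is wider than its mask.
    return ipaddress.ip_network(spec, strict=False)

def matching_rules(config_text, client_ip):
    """Return (line_number, entry, network) for every deny entry covering client_ip."""
    client = ipaddress.ip_address(client_ip)
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = RULE.match(line)
        if not m:
            continue
        for spec in m.group(1).split():             # several entries may share a line
            net = to_network(spec)
            if client.version == net.version and client in net:
                hits.append((lineno, spec, str(net)))
    return hits

if __name__ == "__main__":
    for ip in ("157.55.39.252", "159.14.184.11"):
        print(ip, matching_rules(HTACCESS, ip))
```

Run against the real .htaccess text, an empty result for a rejected address means the 403 does not come from this list and another directive or configuration file should be checked.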