htaccess block domains not working

bmcpanel

Well-Known Member

Zion Ahead

Well-Known Member
Unfortunately I'm not comprehending the instructions/examples.

RewriteCond %{HTTP_REFERER} hidemyass\.com [NC,OR]
RewriteCond %{HTTP_REFERER} proxify\.com
RewriteRule .* - [F]

That did not work.
 

Spiral

BANNED
For starters, using .HTACCESS like that to block proxy servers is just plain stupid!

This is because you will need an enormous control list to cover all the proxies
out there and even then you probably would not have all of them covered.

Secondly, you are relying on the proxy server's DNS providing correct reverse
DNS resolution back to a hostname that uses the same domain as the
name of the proxy service --- not guaranteed.

I would implement proxy detection technology into all the programs that
you run on your web site as your first line layer. These modifications
generally work by attempting to make proxy connections through the
user's IP address at various common proxy ports and block the
connection if a proxy connection is established.

The majority of the proxies out there will also create an "X-Forwarded-For" header
variable in Apache when connecting containing the user's real IP address when
connecting to your server. One very easy thing to do is just simply drop all
connections that have an "X-Forwarded-For" variable set and this kind of
block can be setup easily in .HTACCESS.

Now regarding your use of .HTACCESS, your main problem looks like you are
using regex matching when regex has not been designated, so you won't
actually match anything:

Code:
deny from 10.1.3.0/24
deny from .*hidemyass\.com.*
deny from .*proxy\.com.*
deny from .*anonymouse\.com.*
deny from .*proxify\.com.*
This would be better written as:
Code:
<Files *>
Order Allow,Deny
Allow from all
Deny from 10.1.3.0/24
Deny from hidemyass.com
Deny from proxy.com
Deny from anonymouse.com
Deny from proxify.com
</Files>
(Note the ".*" regex wildcard designations have been removed)

Now with that said though, I would not use the domain name for the proxy servers,
just because doing so will automatically force your web server into hostname lookups
for all connections and for your entire Apache log file, which will slow performance.

If you are going to block specific proxies, then it would be better to do so by IP or CIDR
instead of using generic hostname domain matching as given above.

For example: hidemyass.com

Code:
# dig hidemyass.com

; <<>> DiG 9.3.1 <<>> hidemyass.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52985
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;hidemyass.com.                 IN      A

;; ANSWER SECTION:
hidemyass.com.          12973   IN      A       209.67.216.210

;; AUTHORITY SECTION:
hidemyass.com.          84973   IN      NS      ns1.zymic.com.
hidemyass.com.          84973   IN      NS      ns2.zymic.com.

# host ns1.zymic.com
ns1.zymic.com has address 209.67.216.210

# host ns2.zymic.com 
Host ns2.zymic.com not found: 3(NXDOMAIN)

#
From the dig query, you can see that hidemyass.com uses IP address 209.67.216.210
and their primary DNS server also resolves to the same IP address so they are
using a standard dedicated server and 209.67.216.210 is their IP for everything.

Code:
Deny from 209.67.216.210
Now if you want to get more effective, you can block the broad CIDR range which
will block all servers on the net from reaching your web server:

Code:
# whois -h whois.arin.net 209.67.216.210 

[Querying whois.arin.net]
[whois.arin.net]
Savvis SAVVIS (NET-209-67-0-0-1) 
                                  209.67.0.0 - 209.67.255.255
Layered Technologies, Inc. CW-209-67-208 (NET-209-67-208-0-1) 
                                  209.67.208.0 - 209.67.223.255
The IP for hidemyass.com is primarily allocated to Savvis as the main upstream
which is sub-allocated to Layered Technologies who is their dedicated server provider.

Most everything on Savvis is going to be dedicated servers and not live people,
so blocking that entire range from web access would have little impact on visitor
traffic aside from those using servers as proxy relays.

Code:
Deny from 209.67.0.0/16
This could also be done from your iptables firewall to block web access as well
and would actually be faster and more effective than a .HTACCESS command:

Code:
iptables -A INPUT -s 209.67.0.0/16 -p tcp --dport 80 -j REJECT
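To make the difference between the three kinds of "Deny from" arguments concrete, here is an added example (not from this thread or from Apache's code) that mimics how mod_access evaluates an access list: an IP or CIDR rule matches on the client address, a bare domain matches only against the client's reverse-DNS hostname, and a regex-style argument is taken literally and therefore never matches. The access list and client addresses are constructed for the example.

```python
import ipaddress

# Constructed access list in the style of the post above (hypothetical rules)
ACCESS_LIST = """
Order Allow,Deny
Allow from all
Deny from 10.1.3.0/24
Deny from .*hidemyass\\.com.*
Deny from hidemyass.com
Deny from 209.67.0.0/16
"""

def parse_deny_rules(text):
    """Return the arguments of every 'Deny from' line (directive names are case-insensitive)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "deny" and parts[1].lower() == "from":
            rules.extend(parts[2:])
    return rules

def rule_matches(rule, client_ip, client_host=None):
    """Model of one 'Deny from' argument (simplified; assumes client_host is the
    already double-reverse-verified hostname Apache would use):
    - an IP address or CIDR block is compared against the client address;
    - anything else is a literal domain that must equal the hostname or be a
      whole-label suffix of it, so it only works when reverse DNS is available;
    - regex metacharacters are not interpreted, so '.*hidemyass\\.com.*' can
      never match a real hostname."""
    ip = ipaddress.ip_address(client_ip)
    try:
        return ip in ipaddress.ip_network(rule, strict=False)
    except ValueError:
        pass  # not an IP/CIDR, fall through to hostname comparison
    if client_host is None:
        return False  # no reverse DNS result: hostname rules cannot match
    host = client_host.lower().rstrip(".")
    suffix = rule.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def is_denied(text, client_ip, client_host=None):
    """True if any Deny rule in the access list matches this client."""
    return any(rule_matches(r, client_ip, client_host) for r in parse_deny_rules(text))
```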
 

Zion Ahead

Well-Known Member
I added this to my .htaccess and re-uploaded it, overwriting the old one.

deny from 207.44.150.146

That is for anonymization.net

Somehow, I was still able to access my site, even on hard refresh. Worse, I added the IP to csf -d 207.44.150.146 and still was able to access my site.
 

Spiral

BANNED
Some of the proxy sites utilize caching so if they are blocked, they could
still appear to be connecting for a while from their cache files.

On the other hand other proxy servers make use of multiple servers
and thus multiple IP addresses you would need to block when using
IP blacklist methods.

To be sure, clear your own web cache and then go and access your site
from any proxy server and then review the logs for your web site that
are located in /etc/httpd/domlogs to find out the IP address that was
used to connect to your server.

(A trick to make things easier for the above is to attempt to connect
to an invalid page at your site such as "pizza.html" through the
proxy server which will make finding the IP entry to block from your
web server log files that much easier)
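The "pizza.html" trick above is easy to script. This added example (not part of the thread) parses Apache combined-format log lines, collects the client IPs that requested the canary path, and turns them into Deny lines; the log lines are constructed for the example, and the canary path and log format are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not a real domlog)
SAMPLE_LOG = """\
203.0.113.9 - - [10/Nov/2007:14:02:11 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Nov/2007:14:03:40 -0600] "GET /pizza.html HTTP/1.0" 404 291 "-" "Mozilla/4.0 (compatible)"
198.51.100.23 - - [10/Nov/2007:14:03:41 -0600] "GET /favicon.ico HTTP/1.0" 404 209 "-" "Mozilla/4.0 (compatible)"
203.0.113.9 - - [10/Nov/2007:14:05:02 -0600] "GET /about.html HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Nov/2007:14:07:19 -0600] "GET /pizza.html HTTP/1.1" 404 291 "http://proxy.example/" "Mozilla/5.0"
"""

# Client IP, timestamp, request line (method + path) and status of a combined-format entry
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def canary_hits(log_text, canary="/pizza.html"):
    """Count requests for the canary path per client IP.

    Only the IP that actually connected is logged, which is exactly the address
    the proxy used and therefore the one to block."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path") == canary:
            hits[m.group("ip")] += 1
    return hits

def deny_lines(hits):
    """Render the discovered IPs as 'Deny from' lines ready for .htaccess."""
    return [f"Deny from {ip}" for ip in sorted(hits)]

if __name__ == "__main__":
    for line in deny_lines(canary_hits(SAMPLE_LOG)):
        print(line)
```

Run it against /etc/httpd/domlogs/<yourdomain> instead of SAMPLE_LOG after fetching the canary page through the proxy you want to identify.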