IP block in .htaccess not working?

[ragman]

I sometimes find spammy entries in my error logs - that read something like "GET http://2.2.2.2/cgi-bin/p.35.pl HTTP/1.0" So far I've usually been able to block them in my .htaccess file with this type of entry:

order allow,deny
deny from 58.215.87.10
allow from all

It has worked well, with one exception - the IP above still appears regularly in my logs with one request every few days. Why can't I block this one, and should I worry about it?

[wige]

Most likely, there is some other setting that is allowing the bot to circumvent your .htaccess file, and that would be cause for concern. Are you on a shared or dedicated host? Also, can you post an example of the log file entry for the blocked IP?

[Tech Manager]

Quote:

Originally Posted by ragman

I sometimes find spammy entries in my error logs - that read something like "GET http://2.2.2.2/cgi-bin/p.35.pl HTTP/1.0" So far I've usually been able to block them in my .htaccess file with this type of entry:

order allow,deny
deny from 58.215.87.10
allow from all

It has worked well, with one exception - the IP above still appears regularly in my logs with one request every few days. Why can't I block this one, and should I worry about it?

I don't think the problem (yet) is that you have a configuration problem permitting the spammer/bot to bypass your .htaccess file. Generally speaking, if your htaccess file is working properly most of the time it should be working properly all the time.

The data you posted is a tad incomplete. If you have a couple of complete lines from your error logs and access logs then either post them here or send them to me in a private message. I'll look at them and have a better idea how to resolve the problem.

Incidentally, if you are not using your cgi-bin you can just as easily block all access to it.

Without knowing anything about your site and without seeing your server logs I'll just remind you that various hackers, spammers & script kiddies will run scripts searching for specific exploitable directories, files, filetypes, daemons and prepackaged programs running on your server. When they find what they are looking for they will often begin various assaults using proxy servers and/or other IP addresses to mask their identity.

The best prevention is to make your scripts as bullet proof as possible, limit traffic origins to locations acceptable to you (when possible and practical create rulesets to allow or deny access from certain IP ranges. You can use resources such as Country IP BLocks to create .htaccess files and other access/deny files by country), become as familiar as possible with available logs (on Linux, for example, watch things like your secure, message, access_log & error_log logs on each website you manage and at server level if you are running a dedicated server).

I'd be more than happy to offer some free assistance or advice.

Best regards,

Tech Manager