Topic: htaccess good getting blocked by bad |
|
| Author |
|
liderbug
Joined: 30 May 2015 Posts: 7 Location: US, Black Forest
|
Posted: Wed 15 Apr '26 17:06 Post subject: htaccess good getting blocked by bad |
|
|
So my website gets hit 10 to 30 times every day with requests for [mysite]/wp-admin, wp-login, etc. I don't/won't use Wordpress. There are several other words I block: user, passwd, etc. When a trigger word comes in I execute a 403.php script that appends "deny from $ip" to htaccess. One of my pages is in Colorado for use of the people in the area to schedule a volunteer shift on a local project. Last night there were 4 WP attempts from - Poland. My problem is: a local user using a local internet address gets a DHCP address previously used by a BOT in the same IP range (thank you dhcp).
My 403.php script ends with:
while ( 1 )
{
    echo "\0x16";
    usleep (10000);
}
Oh, and while I write this 12 more wp-xxxxx requests have come in. My biggest gripe - the IP belongs to [say] Microsoft. "Not our problem. Take it up with the end user." (OMG we should do anything to not rake in money).
Any improvements anyone can suggest? Thanks |
|
|
danielruf
Joined: 07 Jan 2026 Posts: 17
|
Posted: Wed 15 Apr '26 20:52 Post subject: |
|
|
I can understand why you want to use some tarpit solution.
But this is the general grey noise of the web, most or all public websites are facing these rather harmless requests.
Keep in mind that you are also burning CPU cycles of your server via PHP.
Bots in general close the connection or just send a request but do not keep the connection open or check the response.
You can block whole CIDR blocks of relevant botnets. Or simply use fail2ban with a custom jail, which adds the relevant firewall rules automatically.
https://greg.molnar.io/blog/blocking-bots-with-fail2ban/ |
|
|
liderbug
Joined: 30 May 2015 Posts: 7 Location: US, Black Forest
|
Posted: Wed 15 Apr '26 22:51 Post subject: Diff good ip vis bad ip |
|
|
I'm having a problem. My htaccess says "deny from 1.2.3.4" because that IP tried to hack in. The next day a "good" person's router is assigned that IP and now they're blocked and they get "Forbidden" from Apache and not my htaccess. I have: ErrorDocument 403 [path]/403.php which works and doesn't work. I say works because I can get 14 "deny from [same IP]" and if my IP is there I get Forbidden and my 403.php doesn't run. (twisty little passages all alike/different)
Thanks |
|
|
Stray78

Joined: 15 Apr 2024 Posts: 62 Location: USA
|
Posted: Thu 16 Apr '26 3:37 Post subject: |
|
|
It's going to happen. Just get rid of the Script "My 403.php scripts".
You should see my logs...
Get mod_security, mod_evasive, mod_qos...
Wordpress crap, if you don't use it, don't worry about it.
 |
|
|
jmweb
Joined: 08 Jun 2017 Posts: 23 Location: USA, Charlotte
|
Posted: Thu 16 Apr '26 5:57 Post subject: Re: Diff good ip vis bad ip |
|
|
| liderbug wrote: |
I'm having a problem. My htaccess says "deny from 1.2.3.4" because that IP tried to hack in. The next day a "good" person's router is assigned that IP and now they're blocked and they get "Forbidden" from Apache and not my htaccess. I have: ErrorDocument 403 [path]/403.php which works and doesn't work. I say works because I can get 14 "deny from [same IP]" and if my IP is there I get Forbidden and my 403.php doesn't run. (twisty little passages all alike/different)
Thanks |
As others have commented, you will never be able to stop spam requests - they will keep coming assigned with dynamic IP addresses.
If you still want to continue your project, I recommend you offload the work performed by your 403.php script and instead assign it to a scheduled job that parses your apache access log file - which should be written in a pre-configured format. This way, you alleviate the server with delayed requests. This also avoids race conditions with your PHP script with concurrent spam requests.
Then you should consider removing blacklisted IP addresses after a certain time interval since the last spam request. The whole point of your project is to temporarily blacklist the IP address a spammer is currently using - not blacklist the IP address indefinitely.
To associate the last visit timestamp with each IP address, you can either use a database or a flat file data structure. Something like this would work:
| Code: |
[
(string) 'ip' => [ 'lastVisit' => (int) timestamp, 'count' => (int) number of visits ],
]
|
|
|
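The scheduled-job approach from the post above, sketched as an added example (not jmweb's or liderbug's code): it parses access-log lines, keeps the `ip => lastVisit, count` structure, expires old entries and renders the deny list. The log format ("combined"), the trigger paths, `BAN_SECONDS`, `THRESHOLD` and all function names are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in Apache "combined" format; IPs are documentation ranges.
SAMPLE_LOG = '''\
203.0.113.7 - - [15/Apr/2026:03:10:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "bot"
203.0.113.7 - - [15/Apr/2026:03:10:02 +0000] "POST /wp-admin/setup-config.php HTTP/1.1" 404 196 "-" "bot"
192.0.2.55 - - [15/Apr/2026:09:31:00 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "bot"
198.51.100.20 - - [15/Apr/2026:09:30:00 +0000] "GET /schedule.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')
PROBE_RE = re.compile(r'^/wp-(admin|login)', re.I)  # assumed trigger paths
BAN_SECONDS = 24 * 3600  # assumed: forget an IP one day after its last probe
THRESHOLD = 2            # assumed: probes needed before an IP is denied

def update_state(state, log_text):
    """Fold new log lines into {ip: {'lastVisit': epoch, 'count': n}}.
    The caller passes only lines it has not processed before."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PROBE_RE.match(m.group(3)):
            continue
        try:
            # Only a syntactically valid address may ever reach the deny file.
            ip = str(ipaddress.ip_address(m.group(1)))
        except ValueError:
            continue
        ts = int(datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp())
        entry = state.setdefault(ip, {"lastVisit": 0, "count": 0})
        entry["lastVisit"] = max(entry["lastVisit"], ts)
        entry["count"] += 1
    return state

def expire(state, now):
    """Drop entries whose last probe is older than BAN_SECONDS."""
    return {ip: e for ip, e in state.items() if now - e["lastVisit"] < BAN_SECONDS}

def render_deny(state):
    """Regenerate the whole deny list instead of appending to it."""
    return "\n".join(f"deny from {ip}" for ip in sorted(state)
                     if state[ip]["count"] >= THRESHOLD)

if __name__ == "__main__":
    current = update_state({}, SAMPLE_LOG)
    print(render_deny(expire(current, int(datetime.now().timestamp()))))
```

Because the list is regenerated on every run, an address that stops probing drops out on its own and a reassigned DHCP address is unblocked after `BAN_SECONDS`.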
|
danielruf
Joined: 07 Jan 2026 Posts: 17
|
Posted: Thu 16 Apr '26 9:02 Post subject: |
|
|
I 100% agree with Stray78.
If there is nothing, no risk is there. It's just the automatic probes of bots and the web is full of bots. This is the daily noise that I always see but besides a 404 doesn't really matter.
Due to the shortage of IPv4 addresses, dynamic IP addresses can be quickly reassigned to real people. I normally just managed some CIDR rules from hosting providers, since these are generally reserved by them in blocks and not so dynamic.
You won't see an Azure / AWS / OVH IP address that often reassigned to a home internet connection of a real person. But blocks should be regularly checked and removed after some time (this is what fail2ban does for you, and that is why I referred to that).
I would not use a database for that, this can quickly lead to DoS due to the way this puts extra work onto your server. |
|