1

When running multiple sites on the same hosting account, one might find that an attacker has attempted to breach one site. A webmaster may want to block the IP address from all sites hosted in the same account.

Is there a way to keep the list of banned IP addresses/ranges in a single location that can be referenced by all the websites in the same account?

(Example: a file that contains a list of IP addresses/ranges located at the root of the file system and simply referenced in the .htaccess file of each website.)

authentictech
  • 382
  • 1
  • 15
  • 1
    Is there a reason why you wouldn't just use your Apache configuration file to deny the IP's? – dan Oct 02 '13 at 19:23
  • I could, but with multiple sites I'd need to update multiple .htaccess files, right? How could I use one file containing the list of blocked IPs and then use it for all sites? – authentictech Oct 02 '13 at 19:35
  • See my answer below. – dan Oct 03 '13 at 15:02

2 Answers2

1

The more efficient way to blacklist IP addresses is to use your operating system's firewall, or by using a module coded specifically for this purpose, like ModSecurity.

If you don't have access to your OS and cannot add modules, then you could edit your Apache configuration file with the following (to block the example IP address 111.222.33.444):

<Location />
<Limit GET POST PUT>
order allow,deny
allow from all
deny from 111.222.33.444
</Limit>
</Location>

Then restart Apache. As covered here, that should work for all your virtual hosts.

Alternatively, you can try to use the include directive for each virtual host config as covered here (use deny from for each IP to block instead of allow from).

Lastly, if you do not have access to either your OS's firewall, server modules, or server configuration files (as might be the case with a shared web hosting account), you could use a server-side script like Perl to copy the IP's from a central file into each .htaccess file, and schedule this as a cron job so that each virtual host will share the same list of IP's to blacklist/block.

dan
  • 15,123
  • 11
  • 44
  • 52
  • Can any include statement (or similar) be used in a .htaccess file, assuming a shared virtual host with no access to OS or Apache configuration files? – authentictech Oct 04 '13 at 13:51
  • Not according to the link I provided for include: Includes other configuration files from within the server configuration files. Your only option with so little control over the server is to use a server-side script (like Perl) to copy the IP's into each .htaccess file from a single file, and run that periodically as a cron job. – dan Oct 04 '13 at 14:47
0

Is there a way to keep the list of banned IP addresses/ranges in a single location that can be referenced by all the websites in the same account?

This depends on how "all the websites" are setup on the "same account". From comments elsewhere on this question and on @dan's answer it seems you don't have access to the main server config and you are possibly using a shared hosting account.

In this case, if your separate "websites" are implemented as separate subdirectories on the main account (eg. using cPanel Addon domains) or subdomains that point to subdirectories on the main account then you can implement these blocking directives in the .htaccess file in the document root of the main account - one directory above the document root of the sub-websites. .htaccess files are inherited along the filesystem path, so the blocking directives in the parent .htaccess will be processed (unless overridden in the website's .htaccess file in the subdirectory).

For example, on Apache 2.2:

<Limit GET POST PUT>
Order allow,deny
Allow from all
Deny from 111.222.33.444
</Limit>

(The <Location> directive is not valid in .htaccess.)

MrWhite
  • 42,784
  • 4
  • 49
  • 90