AnimeSuki Forums

Old 2008-04-12, 06:54   Link #1
minhtam1638
.htaccess files - CHMOD

Okay, as some of you know, I do run International Saimoe.

I'm working on banning a handful of IP Addresses, but when I set permissions to 755, it takes pretty much everyone out instead of the list of IP Addresses I used.

Are CHMOD permissions set to 644 for .htaccess files or 755?
Old 2008-04-12, 08:07   Link #2
SeijiSensei
Quote (Originally Posted by minhtam2448):
I'm working on banning a handful of IP Addresses, but when I set permissions to 755, it takes pretty much everyone out instead of the list of IP Addresses I used.

Are CHMOD permissions set to 644 for .htaccess files or 755?
.htaccess files need only be readable by the "user" that the webserver runs as, usually the "apache" or "httpd" user. Moreover the file permissions should have no effect on which IP addresses can visit your site. I assume you're using Apache's access control structures to deny certain addresses or address blocks?

Perhaps you should show us your .htaccess file.

Usually directories carry 755 privileges. Those values mean that the execute bit is turned on. For directories, that grants qualified users the ability to list the directory's contents. For files, you usually only want privileges of 4 (read-only) or 6 (read/write-only). The execute bit should be reserved for executable files; .htaccess is not one of those.

If you have full access to the machine, I recommend avoiding .htaccess files entirely and adding the directives to the VirtualHost definitions in the server configuration. I have separate configurations for each virtual domain kept in files accessed by an Include directive in httpd.conf. If you don't have control over the machine, your ISP needs to permit you to change access control settings in .htaccess with the AuthConfig directive in the server configuration. The default Apache configuration doesn't grant access control privileges to the .htaccess files for security reasons.
Old 2008-04-12, 08:24   Link #3
GHDpro
Are you not mixing things up?

In the Unix shell, file/folder permissions like 644 or 755 are usually displayed as:

-rw-rw-rw- 644 (for a file)
drwxr-xr-x 755 (for a folder)

There are three groups of "rwx" (read, write and execute/access). One is for the user the files belong to, one for the group the files belong to and the third group is for "world" (all other users on the same system [in general]).

On most webservers, the user+group of a file is set to the same user+group as the user who uploaded the file (using FTP), but the webserver software is running as a different user/group ("world").

Anyway... when you talk about chmod, 644 or 755, you are talking about file permissions, and there is no way to do any IP bans this way, because you can only lock out the webserver from accessing those files as a whole, not individual IPs that might access the webserver.

A .htaccess file should typically have 644 permissions. As mentioned already, 755 is for folders (or executable files, but that's not really relevant for web content).

PS: each "rwx" (read-write-execute) group translates into "4-2-1". So:
-rwxr-xrw-
-4214-142-
= 7 (4+2+1) 5 (4+1) 6 (4+2)
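An added example, not from this thread: GHDpro's 4-2-1 arithmetic carried through in code, converting between the symbolic and octal notations and auditing a mode against the thread's advice for .htaccess (644 or 664, no execute bit). Note that 644 renders as -rw-r--r--, with the owner alone holding write access.

```python
# Added example, not from the thread: GHDpro's 4-2-1 arithmetic in code, plus
# an audit of a mode against the thread's advice for .htaccess.

MODE_BITS = (("r", 4), ("w", 2), ("x", 1))


def symbolic_to_octal(symbolic):
    """'-rwxr-xr-x' -> '755'. The leading type character ('-' or 'd') is optional."""
    perms = symbolic.rstrip(".+")[-9:]  # drop an ACL/SELinux marker if present
    if len(perms) != 9:
        raise ValueError("need nine permission characters, got %r" % symbolic)
    digits = []
    for start in range(0, 9, 3):  # owner, group, world triples
        value = 0
        for ch, (expected, weight) in zip(perms[start:start + 3], MODE_BITS):
            if ch == expected:
                value += weight
            elif ch != "-":
                raise ValueError("unexpected permission character %r" % ch)
        digits.append(str(value))
    return "".join(digits)


def octal_to_symbolic(octal, is_dir=False):
    """'644' -> '-rw-r--r--'; (755, is_dir=True) -> 'drwxr-xr-x'."""
    out = "d" if is_dir else "-"
    for digit in str(octal)[-3:]:  # last three digits: owner, group, world
        value = int(digit, 8)
        for ch, weight in MODE_BITS:
            out += ch if value & weight else "-"
    return out


def audit_htaccess_mode(octal):
    """List what is wrong with a .htaccess mode, per the advice in the thread.

    644 or 664 pass; 755 sets an execute bit on a plain text file; anything
    below 4 for 'world' may hide the file from the web server's own user.
    """
    owner, group, world = (int(d, 8) for d in str(octal)[-3:])
    problems = []
    if (owner | group | world) & 1:
        problems.append("execute bit set on a non-executable file")
    if not world & 4:
        problems.append("not world-readable; the web server user may not read it")
    if world & 2:
        problems.append("world-writable; any local user can rewrite the access rules")
    return problems
```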
Old 2008-04-12, 08:40   Link #4
SeijiSensei
Let me add that if you have full access to the machine, you should use its firewalling methods to block IP addresses, not application-level access controls like .htaccess. You have so much more control at the IP level, and it's absolute. You're no longer depending on the security of the server application (which, in Apache's case, is pretty damned impressive) to block unwanted connections. Firewalling closes the door on those packets when they come a-knocking.

Simple iptables rules like

/sbin/iptables -A INPUT -s 3.0.0.0/8 -j REJECT

drop any packet from General Electric's address block.

If you have root privileges, try

/sbin/iptables -L -nv

and see what you get.

(This is for Linux and, I think, the BSDs as well now. I know nothing about OS X firewalling methods, and this certainly won't get you anywhere on Windows.)

Oh, and props to GHDpro for that excellent primer on Unix file permissions.

Here's what I think you did. You probably changed the access permissions on your HTML files so that they couldn't be read by Apache. Apache will return an "Access Denied" error in this situation because access is denied by the operating system. Unfortunately the same error is returned when a specific address is blocked by virtue of the rules in .htaccess. So while you might have thought the rules were working with one set of permissions and not the other, in fact you were changing everyone's access to the files themselves. When you turned off the execute bit, you blocked access to the directory where the web documents are kept. If you changed privileges recursively with "-R" you'll have made changes all the way down the directory tree.

By default, most users have a directory for web documents that has 755 privileges, and the documents themselves have 644 privileges. That lets the entire world list the contents of the web directory (if Apache's Indexes directive is enabled), and lets everybody read the site's documents. Only you have write privileges granted by the "7" or "6" value.

Here's an example:

(755 privileges)
drwxr-xr-x me mygroup /home/user/public_html

(644 privileges)
-rw-r--r-- me mygroup /home/user/public_html/index.html

The user "me" with "owner" privileges (6 or 7) can read, write, and list the directory /home/user/public_html. Members of "mygroup" and the "world" can read and list the directory, and read the index.html file therein. If these aren't the permissions of your web directories and documents, you'll get an "Access Denied" back from Apache when you try and view them online.

I know about these issues so well, because I've played the same trick on myself in the past!
Last edited by SeijiSensei; 2008-04-12 at 19:32. Reason: specified 755/644 in example for clarity
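An added example, not from this thread: a small model of the operating-system permission check that produces the symptom SeijiSensei describes, so a planned chmod or chgrp can be checked for lockouts before it is run. The directory tree, user names and group names are constructed, and the web server user is assumed to be "apache" in group "apache".

```python
# Added example, not from the thread: a model of the operating-system check
# Apache hits before it ever reads a file. An unprivileged web server user
# needs the execute (search) bit on every directory in the path and the read
# bit on the file; a chmod that removes either looks like "Access Denied"
# to every visitor, which is the symptom described in the thread.
import posixpath

# Constructed tree: path -> (mode, owner, group). Names are hypothetical.
TREE = {
    "/": (0o755, "root", "root"),
    "/home": (0o755, "root", "root"),
    "/home/user": (0o711, "me", "mygroup"),
    "/home/user/public_html": (0o755, "me", "mygroup"),
    "/home/user/public_html/index.html": (0o644, "me", "mygroup"),
    "/home/user/public_html/.htaccess": (0o600, "todkapuz", "admins"),
}


def effective_bits(entry, user, groups):
    """The rwx triple that applies to `user`: owner, group or world."""
    mode, owner, group = entry
    if user == owner:
        return (mode >> 6) & 7
    if group in groups:
        return (mode >> 3) & 7
    return mode & 7


def can_read(tree, path, user="apache", groups=("apache",)):
    """Return (ok, reason) for `user` opening `path` for reading."""
    parts = [p for p in path.split("/") if p]
    current = "/"
    for part in [""] + parts[:-1]:  # every directory on the way down
        current = posixpath.join(current, part)
        if not effective_bits(tree[current], user, groups) & 1:
            return False, "no search (x) bit on directory %s" % current
    if not effective_bits(tree[path], user, groups) & 4:
        return False, "no read bit on %s" % path
    return True, "readable"


def with_change(tree, path, mode=None, group=None):
    """A copy of `tree` after `chmod mode path` and/or `chgrp group path`."""
    old_mode, owner, old_group = tree[path]
    changed = dict(tree)
    changed[path] = (old_mode if mode is None else mode, owner,
                     old_group if group is None else group)
    return changed
```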
Old 2008-04-12, 09:16   Link #5
Epyon9283
Quote (Originally Posted by SeijiSensei):
(This is for Linux and, I think, the BSD's as well now. I know nothing about OS X firewalling methods, and this certainly won't get you anywhere on Windows.)
BSDs and OS X use either pf or ipfw. They thankfully don't use the same awful syntax as iptables. I'm only really familiar with ipfw (OS X uses it) and the command would look like this:
Code:
ipfw -q add 001 deny all from 3.0.0.0/8 to any

In the wild and woolly world of web servers make sure no files are executable unless they absolutely need to be. Give only read access to the user apache is running as to the .htaccess file if you go that route (instead of the firewalling route). Don't make anything in your docroot writable by the apache user unless it needs to be.
Old 2008-04-12, 16:10   Link #6
GHDpro
This is probably redundant, but if you want to do IP bans at the webserver (Apache) level, see the Deny statement:
http://httpd.apache.org/docs/2.2/mod...host.html#deny
(this statement should go into the .htaccess file)
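An added example, not from this thread or the Apache project: it evaluates the Apache 2.2 Order / Allow from / Deny from directives that the linked page documents against a client address, so a ban list can be tested before it goes live. The .htaccess fragment is constructed from documentation address ranges.

```python
# Added example, not from the thread: evaluate an Apache 2.2 mod_authz_host
# Order / Allow from / Deny from fragment against a client IPv4 address.
# Supports "all", full or partial IPs, CIDR and dotted-netmask forms; the
# hostname and domain forms (which need reverse DNS) are not modelled.
import ipaddress

# Constructed .htaccess fragment using documentation address ranges.
HTACCESS = """\
Order Allow,Deny
Allow from all
Deny from 203.0.113.7
Deny from 198.51.100.0/24
Deny from 192.0.2
"""


def parse_rules(text):
    """Return (order, allow_patterns, deny_patterns); Apache's default is Deny,Allow."""
    order, allows, denies = "Deny,Allow", [], []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order":
            order = words[1]
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allows if key == "allow" else denies).extend(words[2:])
    return order, allows, denies


def matches(pattern, client):
    """One Allow/Deny argument against an ipaddress.IPv4Address."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:  # CIDR or a.b.c.d/m.m.m.m netmask
        return client in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")  # a partial IP matches its leading octets
    return client.exploded.split(".")[:len(octets)] == octets


def is_allowed(rules, client_ip):
    """Apply the Order semantics documented for Apache 2.2."""
    order, allows, denies = rules
    client = ipaddress.ip_address(client_ip)
    allowed = any(matches(p, client) for p in allows)
    denied = any(matches(p, client) for p in denies)
    if order.lower() == "deny,allow":
        # Deny first; a matching Allow overrides; unmatched requests pass.
        return allowed or not denied
    # Allow,Deny: an Allow must match and no Deny may; unmatched requests fail.
    return allowed and not denied
```

Note that under Order Allow,Deny a fragment with only Deny lines rejects every client, which to visitors looks the same as the file-permission mistake discussed earlier in the thread.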
Old 2008-04-13, 10:10   Link #7
minhtam1638
Quote (Originally Posted by SeijiSensei):
.htaccess files need only be readable by the "user" that the webserver runs as, usually the "apache" or "httpd" user. Moreover the file permissions should have no effect on which IP addresses can visit your site. I assume you're using Apache's access control structures to deny certain addresses or address blocks?

Perhaps you should show us your .htaccess file.

Usually directories carry 755 privileges. Those values mean that the execute bit is turned on. For directories, that grants qualified users the ability to list the directory's contents. For files, you usually only want privileges of 4 (read-only) or 6 (read/write-only). The execute bit should be reserved for executable files; .htaccess is not one of those.

If you have full access to the machine, I recommend avoiding .htaccess files entirely and adding the directives to the VirtualHost definitions in the server configuration. I have separate configurations for each virtual domain kept in files accessed by an Include directive in httpd.conf. If you don't have control over the machine, your ISP needs to permit you to change access control settings in .htaccess with the AuthConfig directive in the server configuration. The default Apache configuration doesn't grant access control privileges to the .htaccess files for security reasons.
Okay, let's see here -

I don't have full access to the machine at this moment - todkapuz was nice enough to lend me 10 GB.

Basically, the .htaccess file is only readable to the administrator (todkapuz, not myself). Should I go ask him to set it to 664 so that it's readable and writable by the whole group?

This is what I have for my .htaccess file at this moment. Is there more that's involved in an .htaccess file?

Spoiler for .htaccess:
Old 2008-04-13, 10:46   Link #8
SeijiSensei
Quote (Originally Posted by minhtam2448):
Basically, the .htaccess file is only readable to the administrator (todkapuz, not myself). Should I go ask him to set it to 664 so that it's readable and writable by the whole group?
If the .htaccess file is only readable by user todkapuz, and is not readable by the web server "user" I described above, then it's useless. The user the server runs under must have read privileges to .htaccess.

How can you make changes to it if you don't have write access?

Make sure .htaccess has the world-readable bit set (644 or 664 is fine).

The .htaccess file syntax itself looked okay to me.

I'm not sure exactly why you want to block these addresses, but if the intent is to block specific computers, or more likely specific people, this is a losing strategy. Take the first address in the list, for example. It resolves to a machine in the domain "dynamic.hcm.fpt.vn". Right away the "dynamic" in that hostname indicates the person obtained this address from the provider for a limited period of time (using something called the "Dynamic Host Configuration Protocol" or "DHCP"). The next time that computer connects to the ISP it'll most likely receive a different IP address and not be blocked by your rules.
Last edited by SeijiSensei; 2008-04-13 at 10:58. Reason: limitations of using IP address blocking
Old 2008-04-13, 14:00   Link #9
minhtam1638
Quote (Originally Posted by SeijiSensei):
If the .htaccess file is only readable by user todkapuz, and is not readable by the web server "user" I described above, then it's useless. The user the server runs under must have read privileges to .htaccess.

How can you make changes to it if you don't have write access?

Make sure .htaccess has the world-readable bit set (644 or 664 is fine).

The .htaccess file syntax itself looked okay to me.

I'm not sure exactly why you want to block these addresses, but if the intent is to block specific computers, or more likely specific people, this is a losing strategy. Take the first address in the list, for example. It resolves to a machine in the domain "dynamic.hcm.fpt.vn". Right away the "dynamic" in that hostname indicates the person obtained this address from the provider for a limited period of time (using something called the "Dynamic Host Configuration Protocol" or "DHCP"). The next time that computer connects to the ISP it'll most likely receive a different IP address and not be blocked by your rules.
The IP address kept coming up multiple times per poll on multiple days (not just one or two, else I'd let it slide), so I ruled them as static IP addresses, and although I understand how dynamic addresses work, I've been lenient on those to give the benefit of the doubt. I know that banning ISPs is more effective, but then again, that's just not fair to those who've been voting fairly under that ISP.

Though, I would also like to know a place where I can validate these addresses as static or dynamic.

Is it possible for user "todkapuz" to give read/write-access to the .htaccess file to user "minhtam2448", or will that cause the file to be read and re-written by anyone?
Old 2008-04-13, 15:25   Link #10
Epyon9283
Quote (Originally Posted by minhtam2448):
Though, I would also like to know a place where I can validate these addresses as static or dynamic.
That would be difficult. You can make assumptions based on who owns the address block but that's about it.
Old 2008-04-13, 21:01   Link #11
SeijiSensei
Quote (Originally Posted by minhtam2448):
Is it possible for user "todkapuz" to give read/write-access to the .htaccess file to user "minhtam2448", or will that cause the file to be read and re-written by anyone?
Yes, if the two of you are in the same "group." Then after

chgrp yourgroup .htaccess
chmod 664 .htaccess

members of yourgroup can read and write the .htaccess file, and everyone, in particular the "apache" user, can read it. Only root, or the file's owner, can change its group, and the owner may only change it to a group to which the owner belongs.

In the /etc/passwd file there's a default group specified (by its number) for each user. It might make sense for your default group to be the one you share with todkapuz.

Like Epyon says, you can't really know which addresses are static and which dynamic, but you can sometimes tell from the hostnames associated with those addresses. The address in Vietnam I cited earlier is a good example since it had the word "dynamic" in it. You can look up the hostname associated with an IP address with the command "host 1.2.3.4", replacing 1.2.3.4 with each IP address.

You can also determine the ownership of IP address blocks by running "whois" queries against the various IP address registries like ARIN, RIPE, or APNIC. For instance, though I was pretty sure GE owns the 3/8 address block, I confirmed it by issuing the command "whois 3.0.0.0@whois.arin.net" to look up the registered owner of the 3/8 address block at the American Registry for Internet Numbers.
Last edited by SeijiSensei; 2008-04-13 at 21:17.
Old 2008-04-14, 03:24   Link #12
GHDpro
Quote (Originally Posted by Epyon9283):
Quote (Originally Posted by minhtam2448):
Though, I would also like to know a place where I can validate these addresses as static or dynamic.
That would be difficult. You can make assumptions based on who owns the address block but thats about it.
Actually, it's not that hard, but it would require some custom PHP coding.

The spam blocklist pbl.spamhaus.org lists end-user IPs which are not typically supposed to be sending email to email servers. This includes most dial-up/adsl/cable/broadband/etc dynamic IP ranges.

To query this blocklist, reverse the order of an IP (say 1.2.3.4 -> 4.3.2.1) and append ".pbl.spamhaus.org" to it, so it becomes 4.3.2.1.pbl.spamhaus.org. If that returns an answer like 127.0.0.2 or similar IP rather than not resolving, it means it's listed. In PHP use gethostbyname('4.3.2.1.pbl.spamhaus.org') to do this.
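An added example, not from this thread: it builds the reversed-octet query name for the Spamhaus PBL lookup GHDpro describes, interprets the answer, and folds in the "dynamic in the hostname" hint SeijiSensei gave earlier. The resolver is passed in as a parameter so the code runs offline against a constructed fake; the exact 127.0.0.x return codes are not assumed beyond the 127/8 range.

```python
# Added example, not from the thread: build the reversed-octet name for the
# Spamhaus PBL lookup GHDpro describes and interpret the answer, combined with
# the "dynamic in the hostname" hint from earlier in the thread. The resolver
# is injected so the code runs offline; pass socket.gethostbyname for real use.
import ipaddress
import socket

PBL_ZONE = "pbl.spamhaus.org"


def pbl_query_name(ip, zone=PBL_ZONE):
    """'1.2.3.4' -> '4.3.2.1.pbl.spamhaus.org' (IPv4 only)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_pbl_listed(ip, resolve=socket.gethostbyname):
    """True when the zone answers with a 127.0.0.x code, False on NXDOMAIN.

    Any other answer means the lookup did not reach the real zone (for
    example a resolver that rewrites failures), so it is an error, not a hit.
    """
    try:
        answer = resolve(pbl_query_name(ip))
    except socket.gaierror:
        return False
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        raise RuntimeError("unexpected answer %s for %s" % (answer, ip))
    return True


def likely_dynamic(ip, hostname="", resolve=socket.gethostbyname):
    """Either heuristic from the thread: a PBL listing, or a hostname label
    such as 'dynamic' or 'dyn' (a hint only, as the thread itself notes)."""
    labels = hostname.lower().split(".")
    if any(label.startswith("dyn") for label in labels):
        return True
    return is_pbl_listed(ip, resolve)


def fake_resolver(name):
    """Constructed stand-in for DNS: only 203.0.113.0/24 is 'listed'."""
    if name.endswith(".113.0.203." + PBL_ZONE):
        return "127.0.0.11"
    raise socket.gaierror("NXDOMAIN")
```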