News:

Want to get involved in developing SMF, then why not lend a hand on our github!

Main Menu

Unblock individual users within a blocked range of addresses

Started by grasfulls, June 16, 2014, 10:11:38 AM

Previous topic - Next topic

grasfulls

If we block an IP address range, is it possible to unblock and allow access by individuals whose address falls within this range? Given I am NOT proficient at code modifications or database manipulation, etc., but I am very good at following directions, please detail any work-around for this.
Thank you!
Gary

Arantor

There is no sane way to do this, not in the user interface, and definitely not in the code.

Ninja ZX-10RR

Arantor what if the OP uses the htaccess and edit it with the blocked IP range I mean like

deny from {banned IP range}
allow from {single IP allowed of that user}

Wouldn't it work? If no, why?
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

Arantor


Ninja ZX-10RR

Thanks for your reply :)
I know it is, as you can see I am still stuck even on my own topic that is very similar to this one http://www.simplemachines.org/community/index.php?topic=523720.0 still no real solution as it doesn't work to me so I can't even experience it and claim it does because of that. I believe there is something wrong with those tricky 0/16 0/20 0/wth :|
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

LiroyvH

Aye, it is annoying to get it done with .htaccess. Most people get the order wrong.
Praise iptables for this purpose, but that won't do much good on a shared host.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Ninja ZX-10RR

Thanks for your reply CoreISP, this is definitely your field. But I don't get it really like I said in other posts I'm not an expert at all with server stuff and .htaccess :( dam I have so many questions that Google can't answer in a clear way... Well then:

  • What do you mean by iptables? SMF ones? I don't think so as it would slow down SMF itself...
  • Why it wouldn't work perfectly on a shared host? (we still have a little board we will get a dedicated when the game will be released and the forum will grow)
  • I don't get that order really, Internet information is so much confusing there are people claiming one thing works and there are others saying exactly the opposite and I started to feel trolled about this D:
  • What's that thing about allow, deny? I checked Arantor's link and I ended up to ban my own self for no apparent reason even if my IP is not in that list =_= probably I got that wrong I don't know I really don't get it at all
  • Why those 0/X thingies? Again internet stuff is very much confusing about this that I got even more confused trying to read something :(
  • Where am I wrong? Why that thing seems to work when I defy but effectively when an IP in a banned range was able to connect? (now i had to remove the whole list as it was banning myself as well for no reason...)
  • Forgive me if I am really annoying? Please? :'(

This is my htaccess faulty part (I am banning myself like this!!! And my IP you probably can see it it's a 93 and something...)
#Block bad IP
#######################################################################################
order allow, deny
deny from  24.91.97.152
deny from  114.130.28.154
deny from  91.207.7.182
deny from  91.207.4.14
deny from  37.58.100.0/24
deny from  46.118. 46.119
deny from  192.99. 31.41
deny from  5.255.253.164
deny from  213.87.123.232
deny from  184.173.183.0/24
allow from all


Thanks in advance to both of you, I really appreciate any kind of help.
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

Arantor

iptables is a server level ban configuration facility, which sucks for shared hosts because no shared host is going to let just any site configure it.

Ninja ZX-10RR

Hmm weird as well. Why shouldn't I be able to configure it? Because it is related to the SERVER itself and not to my domain? Why and how can they ban someone from a whole server with multiple domains then? If not, why am I not able to configure it? And the other questions?  :'(

Yeah I realized I am very much annoying and I'm sorry about it but I have no choice but asking you to learn something as no one out there seems to know better than you in here...
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

Arantor

Um... because it's SERVER LEVEL. That means it affects EVERYONE on the server. And it's done at operating system level so it's even before it gets to any of the hosting accounts.

The internet information I provided really was the best I could find, seeing how it even references the official Apache manual on the subject, nothing more authoritative than that.

Allow, deny is one of the most interesting things about Apache and nearly everyone gets it wrong. You set it up wrong, try using deny,allow instead of allow,deny.

CIDR notation (the 0/x thingies) is one of the more interesting parts of the internet and is so designed to reflect the fact that you're potentially trying to lock out entire networks at once, where a network is literally any range of any size of IP addresses. The /n part is how many bits from the left that you're treating as accurate. 192.0.0.0/8 means everything where the first 8 bits match 192 (seeing how it's a 32 bit address and each dotted number is 8 bits)

If I'm the more authoritative person on this subject, we really do have problems. I remember the first time I implemented CIDR checking, I got the entire thing totally backwards.

Ninja ZX-10RR

Quote from: ‽ on June 16, 2014, 09:20:02 PM
Um... because it's SERVER LEVEL. That means it affects EVERYONE on the server. And it's done at operating system level so it's even before it gets to any of the hosting accounts.
Gotcha but I think it's stupid. Why banning someone like that?

Quote from: ‽ on June 16, 2014, 09:20:02 PM
The internet information I provided really was the best I could find, seeing how it even references the official Apache manual on the subject, nothing more authoritative than that.
Yeah I saw and I thanked you for that because it was even clearer than the ones I could find that were actually terrible. Still not enough clear as we are again discussing about it not working or either not working properly..

Quote from: ‽ on June 16, 2014, 09:20:02 PM
Allow, deny is one of the most interesting things about Apache and nearly everyone gets it wrong. You set it up wrong, try using deny,allow instead of allow,deny.
Indeed I tried to reverse but then why the heck it didn't and doesn't work anymore even fixing it and using allow, deny back?

Quote from: ‽ on June 16, 2014, 09:20:02 PM
CIDR notation (the 0/x thingies) is one of the more interesting parts of the internet and is so designed to reflect the fact that you're potentially trying to lock out entire networks at once, where a network is literally any range of any size of IP addresses. The /n part is how many bits from the left that you're treating as accurate. 192.0.0.0/8 means everything where the first 8 bits match 192 (seeing how it's a 32 bit address and each dotted number is 8 bits)
Ahn ok I did got how it works now... Still it doesn't work as like I said
Quote from: Flavio93Zena on June 16, 2014, 08:36:31 PM
effectively when an IP in a banned range was able to connect?

Quote from: ‽ on June 16, 2014, 09:20:02 PM
If I'm the more authoritative person on this subject, we really do have problems. I remember the first time I implemented CIDR checking, I got the entire thing totally backwards.
Well you still know much more than the average user. Hopefully CoreISP who is a server team member will know even better ;)



and of course thanks for your accurate reply :)
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

Arantor

QuoteGotcha but I think it's stupid. Why banning someone like that?

Because when you're running a VPS or better, it's *much* more efficient. You ban them as early as you can. Remember: if you ban in Apache, you're blocking SMF from having to do it. Blocking them from even connecting to the server means not even Apache has to do it.

I have no idea why it's not working for you, I don't need to ban from .htaccess ;)

Ninja ZX-10RR

Quote from: ‽ on June 16, 2014, 09:35:17 PM
QuoteGotcha but I think it's stupid. Why banning someone like that?

Because when you're running a VPS or better, it's *much* more efficient. You ban them as early as you can. Remember: if you ban in Apache, you're blocking SMF from having to do it. Blocking them from even connecting to the server means not even Apache has to do it.
Seeing it like from this point of view it makes sense :)

Quote from: ‽ on June 16, 2014, 09:35:17 PM
I have no idea why it's not working for you, I don't need to ban from .htaccess ;)
*runs in the kitchen takes a sharp knife and cuts his wrist in horrible pain* (jk)




Well then I hope Core will know better then >.< meantime thanks again I started to understand something more again :D
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

Lou69

@Flavio...

Look at these two links:

http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order

http://httpd.apache.org/docs/current/mod/mod_access_compat.html#allow

They are not that difficult of a read actually but, you will need to ponder it sentence by sentence. Start first with the Order Directive and understand what happens first, second and third. It is easy to get screwed up and get things turned around or in the incorrect order. 

If an admin only wanted to ban one person then I would say do it in SMF. However, banning an entire country IP range with the exception of only one IP takes a little more effort.

Ninja ZX-10RR

omfg I am already getting a headache with the first one but I'm trying, I'll update you if I can understand something from that mess.
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

Ninja ZX-10RR

Well ok my brain is like on fire but somehow I got how it works... Now I understood why you told me it is complicated and tricky... I wonder when I will tell my colleague about it and the whole mess that he will have to do to ban a user xD
But thanks to everybody that thing is somehow more clear even if it doesn't explain CIDR at all with the reference of that other topic I can say I got it, hopefully >.<
Ah the error was me being kind enough to put a whitespace after the "," between allow and deny, bad idea as it denies access to anyone being the default state a necessary deny  X_X well thanks again I'm marking the other topic as solved, if I have further problems with that I just give up this time XD
Anyway going back to the original question it would be something like

order deny,allow
deny from {banned IP range}
allow from {exception}


Without the allow from all as it would override everything but it would be good as the default setting is allow like that so any other user could enter freely :) correct me if I'm wrong.
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

Advertisement: