Need help banning IP's

How do I do it, for starters? and can I use wildcards?

I run the latest Apache server, and I use PHP4 and MySQL.

Start here -> http://httpd.apache.org/docs/mod/mod_access.html#deny

freebsd,

You seem to be the most knowledgable among us on this sort of thing.

Do you know of anyway to use an external file holding a list of IPs to be used in a DENY directive?

There are 3 ways to do it technically:
1) Using http://httpd.apache.org/docs/mod/core.html#include, but your situation needs to by dynamic, so this probabaly doesn't work well

2) Using http://httpd.apache.org/docs/mod/mo...tml#RewriteMap. Specifically, you need to be using something like this:

RewriteMap deny-list txt:/path/to/deny.txt

But still, you can't use RewriteMap directive in .htaccess (can't be dynamic as well)

Try this link -> http://httpd.apache.org/docs/misc/rewriteguide.html and look for Host Deny.

3) The only dynamic way (I can think of) to do it is to alter .htaccess with a script:

<Limit GET POST>
order allow,deny
allow from all
deny from # alter this line and put all IPs or the acceptable format on the same line
</Limit>

Thanks, I'll check into those. Maybe a little more information on what I'm thinking of would help.

I know to ban an IP immediately I'll have to add it to an .htaccess file. Due to experience I know that after a period of time the list can become quite large and I want to avoid the overhead of reading thru that list with each access. What I was envisioning was to transfer that list on a periodic basis from .htaccess to a file that would be read via httpd.conf and doing a restart. This would prevent the list in .htaccess from becoming overly large.

>> What I was envisioning was to transfer that list on a periodic basis from .htaccess to a file

Good idea. I suggest the RewriteMap approach. It shouldn't be too difficult to read the deny from line and append each IP to /path/to/deny.txt. In reality, people out there only use the (3) way to append IPs to allow from line instead.

Thanks for your suggestions. I've re-thought things a bit, tho. To make it easier when adding an IP to the deny list I'll add it to both the .htaccess AND the text file simultaneously. Then my cron job will only have to unlink the original .htaccess and copy a base .htaccess (without IPs) and restart apache. No need to parse the .htaccess file for the IPs that way.