Banned IPs corrupting .HTACCESS file

#103684 (In Topic #20276)

Fan in training

I really don't know how to word this as a question because I don't know exactly how it is happening. Every few days or so the number of banned IPs either gets too large, or something is incorrectly written to the file, but my .HTACCESS file is getting corrupted by the banned IPs as best as I can figure and causing a 500 server error, and I have to re-upload my original .htaccess file. Is anyone else experiencing this, and how do I stop it from happening?
#103686

Community saint

Hey Chip,

I HAVE experienced this 'corruption' of the .htaccess file in the last couple of months which resulted in 500 errors. My fix has been to access the .htaccess file and edit out (delete) the corruption.

In all cases it has been the 'order allow, deny' section that appears to get a couple of entries added that read - literally:

deny from
deny from

followed by the currently banned IPs.

This completely throws the server, it appears, and it serves up the 500 error.

I offer no explanation of HOW the corruption occurs - only an example of being on the receiving end, and of how I've managed to overcome the problem.

Take my advice. I'm not using it!

View my working ocPortal site (version 9.x.x) at Anglo-Indian Portal
#103687

Oh, sorry to hear this. It sounds like a locking problem: if two web requests write to the file at the same time, it should prevent it being able to do this, but if locking is buggy in ocPortal or not available on the filesystem, it could cause it. I will look into it.

Removing write access to the file should make ocPortal stop trying to write to it.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#103688

Oh, and the reason ocPortal writes to this file is for performance. Normally IP banning works via the DB, but that means ocPortal has to boot up with a database connection before detecting the ban, which is not good if you're trying to auto-ban bots that eat your server resource.

Nevertheless, that's not the end of the world because this effect isn't usually all that strong, so removing write access to .htaccess is a fine workaround.


#103690

Community saint

Chris Graham said

… so removing write access to .htaccess is a fine workaround.

Gotcha!

 :thumbs:

#103692

Honoured member

Are you just deleting one of the "deny from" lines?
#103693

Honoured member

Thanks Chris. I'll do that.
#103695

Community saint

chipster said

Are you just deleting one of the "deny from" lines?

I don't think this will be necessary in future if we all follow Chris' advice, but just in case somebody else is following this thread, I'll explain briefly.

It appears that the 'deny from' parameter without an amplifier throws the server(s) into a hissy-fit. So I delete anything that isn't kosher in that line …!!



#103718

Two major issues here…

0001652: Corrupting of .htaccess for IP ban attempts for no-IP - ocPortal feature tracker
0001653: Filenames with two dots in a page directory, false hack-attempt detections - ocPortal feature tracker

Chipster, I just applied and tested the fix on your site.

I'm not sure why suddenly this started happening. (#1653 was found yesterday from a different source, so that's 3 users) – I think all these issues must have existed for a very long time. Maybe it just takes some time for users to get themselves in a position to have accidentally uploaded a filename pattern that ocPortal doesn't like.


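An added example, not ocPortal's code and not the fix from issue 1652: one way to guard a ban writer against the two failure modes discussed in this thread (a ban attempt with no IP, and two requests writing at once). The function names, the `.lock` side file and appending at the end of the file are assumptions; it uses the Apache `deny from` syntax quoted above and needs a POSIX system for `fcntl`.

```python
import fcntl
import ipaddress
import os
import re
import tempfile

# A "deny from" directive with no argument, the pattern reported in this thread.
BARE_DENY = re.compile(r"^\s*deny\s+from\s*$", re.IGNORECASE)
# Constructed sample reproducing the corruption described above.
SAMPLE = "order allow,deny\ndeny from\ndeny from\ndeny from 203.0.113.7\nallow from all\n"

def find_bare_deny(text):
    """Return 1-based line numbers of 'deny from' lines that carry no address."""
    return [n for n, line in enumerate(text.splitlines(), 1) if BARE_DENY.match(line)]

def add_ban(path, ip):
    """Append 'deny from <ip>' to the file at path; return True only if written."""
    try:
        addr = ipaddress.ip_address((ip or "").strip())
    except ValueError:
        return False  # empty or malformed address: never emit a bare directive
    # Exclusive lock on a side file (hypothetical name) serialises concurrent writers.
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        with open(path) as fh:
            lines = fh.read().splitlines()
        entry = f"deny from {addr}"
        if entry in lines:
            return False  # already banned, nothing to write
        new_text = "\n".join(lines + [entry]) + "\n"
        if find_bare_deny(new_text):
            return False  # file is already damaged: repair it before adding bans
        # Write a temp file in the same directory, then swap it in atomically,
        # so the web server never reads a half-written .htaccess.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "w") as out:
            out.write(new_text)
        os.chmod(tmp, os.stat(path).st_mode & 0o777)
        os.replace(tmp, path)
    return True
```

Running `find_bare_deny` over an existing `.htaccess` before re-enabling write access shows which lines need to be removed by hand.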
 
#103730

Honoured member

Thanks Chris.