Apache Limit overrides HostnameLookups

Apache was ignoring my “HostnameLookups Off” setting after I updated a <Limit> block for some IP-based bans.  It drove me batty!  I eventually figured it out and realized where my false assumptions were, so I am documenting the problem and the solution here in the hope that others benefit.  This was the straw that broke the camel's back and prompted me to set up this site!

So, for some of my sites, I maintain a file that bans a long list of IP addresses from POSTing.  On one site I also Limit those addresses from doing anything at all.  Why?  Because there’s WAY too much spam coming from certain regions, and while it’s not a perfect solution, it’s currently effective enough for me.

Anyway, the reason for this post: I had added a bunch of IP ranges (CIDR) to the “deny from” list.  When I went to test it (I included my own IP as a test), I noticed that the access log for that site now showed the hostname for my IP rather than just the IP address.  I made sure that HostnameLookups was Off in my Apache configuration file.  None of my other domains had this problem; just the one I was messing with.

I tried removing specific request methods from the Limit (e.g. GET).  That helped for those methods, but after thinking about it and testing the idea I realized the lookup happened for whatever method remained in the list and was then requested (i.e. exactly the methods I actually DO want to ban).

Here is what I had initially (I had more, but that’s irrelevant)…

<Limit GET HEAD POST PUT>
order allow,deny
allow from all
deny from 1.2.4.0/24 # detected scanning
deny from 1.2.3.0/24 # detected attempts to hack
deny from 5.5.5.5/32 # My IP (Test)
</Limit>

Then I modified it to comment out everything but the line with my IP, as follows:

<Limit GET HEAD POST PUT>
order allow,deny
allow from all
#deny from 1.2.4.0/24 # detected scanning
#deny from 1.2.3.0/24 # detected attempts to hack
deny from 5.5.5.5/32 # My IP (Test)
</Limit>

It worked correctly: my IP address was logged instead of the hostname, as it should be.  WTF?!

Okay… long story short (well… shorter than it was about to be)…

You cannot have comments inline!!!!  Apache only treats a line that begins with # as a comment, so on those lines everything after “deny from” became arguments to the directive: “#”, “detected”, “scanning”, and so on.  None of those looks like an IP address, so Apache treats each one as a hostname pattern, and to match a hostname pattern it has to do a double-reverse DNS lookup on the client address, regardless of the HostnameLookups setting.  The resolved name is kept for that connection, and the %h field in the access log then shows it instead of the raw IP.  (The mod_log_config docs even warn that if only a few hosts are logged by name, you probably have access control directives mentioning them by name.)  It was fine with my own IP having a comment if it was the only one to do so, because the deny entries are checked in order: 5.5.5.5/32 matched my address before Apache ever reached the “#” entry, so no lookup was triggered.

Anyway… making the Limit block look like the following resolved my issue:

<Limit GET HEAD POST PUT>
order allow,deny
allow from all
# detected scanning
deny from 1.2.4.0/24
# detected attempts to hack
deny from 1.2.3.0/24
# My IP (Test)
deny from 5.5.5.5/32
</Limit>

So, if you’re seeing Apache ignore your HostnameLookups Off setting, take a look at your Limit blocks (and any other Allow/Deny directives) and make sure every argument is an IP address or CIDR range with nothing after it, including comments.  Put comments on their own line.  Anything that is not an IP is treated as a hostname and forces a reverse lookup no matter what HostnameLookups says, and a syntax check (apachectl -t) will not catch it, because the extra words are perfectly valid hostname arguments.  The same applies on Apache 2.4, where the equivalents are Require ip (addresses only) and Require host (names, which forces the same lookup).
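To make that evaluation order concrete, here is an added Python model (my own illustration, not Apache code and not part of the original post) of how Apache splits those Deny lines and walks them for a client address. It assumes Order allow,deny as in the blocks above, models only “all” and IP/CIDR arguments exactly (partial addresses such as 10.1, which Apache also accepts, are a simplification here), and does no real DNS: a hostname entry simply records that a lookup would have happened at that point. The three sample configs are the blocks from this post.

```python
import ipaddress
import re

# Constructed samples: the three <Limit> blocks from the post (not real bans).
ORIGINAL = """\
<Limit GET HEAD POST PUT>
order allow,deny
allow from all
deny from 1.2.4.0/24 # detected scanning
deny from 1.2.3.0/24 # detected attempts to hack
deny from 5.5.5.5/32 # My IP (Test)
</Limit>
"""

TEST_ONLY = """\
<Limit GET HEAD POST PUT>
order allow,deny
allow from all
#deny from 1.2.4.0/24 # detected scanning
#deny from 1.2.3.0/24 # detected attempts to hack
deny from 5.5.5.5/32 # My IP (Test)
</Limit>
"""

FIXED = """\
<Limit GET HEAD POST PUT>
order allow,deny
allow from all
# detected scanning
deny from 1.2.4.0/24
# detected attempts to hack
deny from 1.2.3.0/24
# My IP (Test)
deny from 5.5.5.5/32
</Limit>
"""


def parse_limit(text):
    """Split a <Limit> block as Apache's config reader does: only a line whose
    first non-blank character is '#' is a comment; on every other line each
    token after the directive name is an argument.  Returns (methods, allows, denies)."""
    methods, allows, denies = set(), [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<limit\s+(.+?)\s*>$", line, re.I)
        if m:
            methods.update(tok.upper() for tok in m.group(1).split())
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[1].lower() == "from":
            if parts[0].lower() == "allow":
                allows.extend(parts[2:])
            elif parts[0].lower() == "deny":
                denies.extend(parts[2:])
    return methods, allows, denies


def classify(arg):
    """Argument types mod_authz_host distinguishes: 'all', an IP/CIDR, or a hostname.
    (Simplification: partial addresses like '10.1' are reported as hostnames here.)"""
    if arg.lower() == "all":
        return "all"
    try:
        ipaddress.ip_network(arg, strict=False)
        return "ip"
    except ValueError:
        return "host"


def hostname_arguments(text):
    """Lint: every Allow/Deny argument Apache would treat as a hostname pattern."""
    _, allows, denies = parse_limit(text)
    return [a for a in allows + denies if classify(a) == "host"]


def _scan(entries, client):
    """Walk one Allow or Deny list in order, like Apache's find_allowdeny().
    Returns (matched, lookup_triggered); reaching a hostname entry is where Apache
    would resolve the client's name, so it is recorded even though nothing matches."""
    lookup = False
    for arg in entries:
        kind = classify(arg)
        if kind == "all":
            return True, lookup
        if kind == "ip":
            if client in ipaddress.ip_network(arg, strict=False):
                return True, lookup
            continue
        lookup = True  # hostname pattern: double-reverse DNS lookup happens here
    return False, lookup


def evaluate(text, client_ip, method="GET"):
    """Decide a request under 'Order allow,deny' (allowed only if an Allow matches
    and no Deny matches) and report whether the check resolved the client's name."""
    methods, allows, denies = parse_limit(text)
    if method.upper() not in methods:          # <Limit> does not apply to this method
        return {"denied": False, "hostname_lookup": False}
    client = ipaddress.ip_address(client_ip)
    allowed, lk_allow = _scan(allows, client)
    denied, lk_deny = _scan(denies, client)
    return {"denied": (not allowed) or denied, "hostname_lookup": lk_allow or lk_deny}
```

Running evaluate() on the three blocks with client 5.5.5.5 reproduces what I saw: the original block denies the request but reports a lookup, because 1.2.4.0/24 is checked first, fails, and then “#” is reached; the test-only block matches 5.5.5.5/32 before any hostname entry; the fixed block never has one. hostname_arguments() is the check to run over your own Limit blocks: anything it returns is a hostname pattern as far as Apache is concerned.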

I found many, many sites where people asked a similar question (for years), only to be met with ridicule or simply ignored.   This is the one site that actually helped me realize what might be going on (along with my own debugging attempts to understand what it was doing):

http://kb.simplywebhosting.com/idx/6/213/article/

So, cheers to SimplyWebHosting.com’s knowledge base!

This entry was posted in Technology.