Blocking by IP address in the 'cloud' (Mosso)

I had a hacker on one of my sites over the weekend. Found a root kit hidden away which I removed but not after he found a way to add some text to one of my webpages.

So I started by adding his IP address to my block list, but apparently that’s easier said than done with the ‘cloud’. In the cloud sometimes the server isn’t really sure where the actual request is coming from, apparently.

But fear not, I got this nugget back from Mosso support (after 48 hours or so–come on guys, security issues should be answered immediately):

Unfortunately there are some issues with being able to block by IP
address on the cloud using the standard methods. Because of our load
balancer and clustered environment the IP address in the REMOTE_ADDR
will not be the end user's.

You can however use the following:

SetEnvIf X-Cluster-Client-Ip 11.11.11.11 block
Deny from env=block

in your .htaccess to block access to your site via IP. Just replace
11.11.11.11 with the IP address you want to block.
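
The pattern argument of SetEnvIf is a regular expression matched anywhere in the header value, so the literal 11.11.11.11 in the rule above also matches addresses such as 111.11.11.11 and 11.11.11.110. The following is an added example, not part of the original post or the Mosso reply: it emulates that match with Python's re module (an assumption that holds for these simple patterns) and generates anchored, escaped rules; the function names and sample addresses are constructed for illustration.

```python
import ipaddress
import re

HEADER = "X-Cluster-Client-Ip"  # header name taken from the support reply

# Constructed sample header values, not real traffic.
SAMPLE_CLIENTS = [
    "11.11.11.11", "111.11.11.11", "211.11.11.11",
    "11.11.11.110", "11.11.11.12", "10.11.11.11",
]

def setenvif_matches(pattern, header_value):
    """Emulate SetEnvIf: an unanchored regex search over the header value."""
    return re.search(pattern, header_value) is not None

def anchored_pattern(ip):
    """Validate the address, escape regex metacharacters, anchor both ends."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return "^" + re.escape(str(addr)) + "$"

def blocked_clients(pattern, clients):
    """Return the client addresses that a SetEnvIf pattern would flag."""
    return [c for c in clients if setenvif_matches(pattern, c)]

def htaccess_block_rules(ips):
    """Build .htaccess lines in the same form as the rule quoted above."""
    lines = ['SetEnvIf %s "%s" block' % (HEADER, anchored_pattern(ip))
             for ip in ips]
    lines.append("Deny from env=block")
    return "\n".join(lines)

if __name__ == "__main__":
    print("literal :", blocked_clients("11.11.11.11", SAMPLE_CLIENTS))
    print("anchored:", blocked_clients(anchored_pattern("11.11.11.11"),
                                       SAMPLE_CLIENTS))
    print(htaccess_block_rules(["11.11.11.11"]))
```

Escaping matters as well as anchoring: an unescaped 1.2.3.4 also matches 112.3.4.5, because each dot matches any character.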


4 thoughts on “Blocking by IP address in the 'cloud' (Mosso)”

  1. It was c99madshell and another variant, which isn’t necessarily a rootkit but a nasty file manipulation program. Saw hits on it in the raw log files which I enabled and viewed following the hit.
