Size Limitations In .htaccess



It seems that I’ve hit a size limitation when adding unwanted IPs to a
“Deny From” line.

Is there any place where this is specified?

Also, if I hit the max length on a “Deny From” line, can I add another
“Deny From” line?

(Running CentOS 6, and the following version of Apache:

Much thanks,

Max Pyziur

6 thoughts on - Size Limitations In .htaccess

  • You can have multiple “deny from” lines, as well as multiple “allow from” lines (in case you want to configure access like a whitelist).

    Multiple lines also help readability.
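Added example, not code from the thread: a small POSIX shell function that turns a one-address-per-line feed (the kind of list the poster already generates for hosts.deny) into several "Deny from" lines, each capped at a chosen length, in the Apache 2.2 syntax the CentOS 6 httpd uses. Apache reads each configuration line into a fixed 8192-byte buffer (MAX_STRING_LEN), which is why a single line stops working around the 8000-character mark the poster saw; the cap used here is an assumption that simply stays below that. The sample addresses are constructed, and the function name and its length argument are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): split a list of addresses into several
# "Deny from" lines, each kept under a chosen length, in Apache 2.2 syntax
# (the httpd shipped with CentOS 6). The length cap is an assumption; it just
# needs to stay below Apache's 8192-byte configuration-line buffer.

# Constructed sample feed: one IPv4 address or CIDR per line, plus one bad line
# to show that it is dropped rather than copied into the .htaccess file.
SAMPLE_IPS='192.0.2.10
192.0.2.11
198.51.100.0/24
evil;entry
203.0.113.7'

# Usage: emit_htaccess MAX_LINE_LEN < list   (prints the .htaccess fragment)
emit_htaccess() {
    max=${1:-7000}
    echo "Order allow,deny"     # Apache 2.2: evaluate Allow first, then Deny
    echo "Allow from all"       # everyone is allowed except the denied entries
    line=""
    while IFS= read -r ip; do
        [ -z "$ip" ] && continue
        # only digits, dots and a slash may reach the config file
        case "$ip" in
            *[!0-9./]*) echo "skipping invalid entry: $ip" >&2; continue ;;
        esac
        if [ -z "$line" ]; then
            line="Deny from $ip"
        elif [ $(( ${#line} + 1 + ${#ip} )) -gt "$max" ]; then
            echo "$line"               # flush the full line, start a new one
            line="Deny from $ip"
        else
            line="$line $ip"
        fi
    done
    if [ -n "$line" ]; then echo "$line"; fi
}

# Stand-alone run: write the fragment for the sample feed to stdout.
printf '%s\n' "$SAMPLE_IPS" | emit_htaccess 40
```

The character check is deliberately strict: a feed built from third-party blocklists is untrusted input, and only digits, dots and a slash should ever land in a file that httpd parses. Redirect the output into the .htaccess file after reviewing it; with a real list use a cap such as 7000 rather than the 40 used for the demonstration run.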

  • Or blocking netblocks rather than individual IPs in your .htaccess file?
    Netblocks with iptables would work nicely too (keeping the clutter to a minimum).

  • I’ve considered that.

    But I’m tied to my (little?/not-so-little?) home-grown system of mining threatening IPs from BL sites (spam, sshd, forumspam), running them through an SQL database, and outputting /etc/hosts.deny files to block via tcp wrappers, and now starting to output “Deny from” lines to place in .htaccess files. “Deny From” lines longer than somewhere around 8000 characters seem to be the limit; I was curious if there was a specified limit somewhere, and whether or not I could put multiple Deny From lines?

    While fail2ban looks good, the little that I’ve tried it, I like keeping the firewall iptables neat, and doing the blocking as I have described above (maybe it’s familiarity trumping fail2ban; maybe it’s that fail2ban has a bit of a learning curve …)

    Much thanks for the advice.

    Max Pyziur

  • You could try ipset (yum install ipset) and create live lists of IPs/blocks and create a single-line rule in iptables to handle the lists. The only downside is the lists are lost on a reboot, which can be overcome with a little scripting.


  • Fail2ban keeps all of its rules in its own chain, so any custom rules that you have created will not get lost in the clutter.

    You could also do the blocking yourself with iptables rather than having fail2ban manage it for you. Just create iptables rules rather than the hosts.deny format.

    iptables -I Blacklist -s <ip> -j DROP

    Of course, you need to add a rule in your main ruleset to call the Blacklist chain. And make sure to save the rules from time to time so you don’t lose all of them in a reboot.
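Added example, not code from the thread, covering both the ipset suggestion above and this comment's dedicated Blacklist chain. It takes the same one-address-per-line feed the poster generates for hosts.deny and emits either (a) the iptables commands that create the chain, hook it from INPUT and fill it, or (b) an ipset restore file plus the single iptables rule that matches the set. Nothing here changes the live firewall; the output is reviewed and then run. The chain name, set name, function names and sample addresses are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread. It takes the same kind of address
# list the poster already generates for hosts.deny and emits either
#   (a) iptables commands that fill a dedicated "Blacklist" chain hooked from
#       INPUT, so the block rules stay separate from the rest of the ruleset, or
#   (b) an ipset restore file plus the single iptables rule that matches the
#       set, which scales to large lists without one rule per address.
# Nothing here touches the live firewall: the output is meant to be reviewed
# and then run (or fed to `ipset restore`). Chain and set names are assumptions.

# Constructed sample feed: one IPv4 address or CIDR per line, plus two entries
# that must never reach a rule.
SAMPLE_LIST='192.0.2.10
198.51.100.0/24
not-an-address
10.0.0.0/0
203.0.113.7'

# Accept only dotted-quad IPv4 with an optional /1-/32 prefix. Anything else is
# rejected so a corrupted feed cannot smuggle extra options into a rule, and
# a /0 is refused because it would drop all traffic.
valid_entry() {
    case "$1" in
        ""|*/|*[!0-9./]*) return 1 ;;
    esac
    addr=${1%%/*}
    prefix=${1#"$addr"}; prefix=${prefix#/}
    if [ -n "$prefix" ]; then
        case "$prefix" in *[!0-9]*) return 1 ;; esac
        if [ "$prefix" -lt 1 ] || [ "$prefix" -gt 32 ]; then return 1; fi
    fi
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ""|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# (a) Usage: emit_iptables_commands [CHAIN] < list
emit_iptables_commands() {
    chain=${1:-Blacklist}
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"   # create, or empty on re-run
    echo "iptables -D INPUT -j $chain 2>/dev/null; iptables -I INPUT -j $chain"   # hook exactly once
    while IFS= read -r entry; do
        if valid_entry "$entry"; then
            echo "iptables -A $chain -s $entry -j DROP"
        else
            echo "skipping invalid entry: $entry" >&2
        fi
    done
    echo "service iptables save   # CentOS 6: persist to /etc/sysconfig/iptables"
}

# (b) Usage: emit_ipset_restore [SET] < list   (load with: ipset restore -exist < file)
emit_ipset_restore() {
    setname=${1:-blacklist}
    echo "create $setname hash:net"
    while IFS= read -r entry; do
        if valid_entry "$entry"; then
            echo "add $setname $entry"
        else
            echo "skipping invalid entry: $entry" >&2
        fi
    done
}

# The one iptables rule that consults the set. Because sets do not survive a
# reboot, run `ipset save > file` after updates and `ipset restore < file`
# from a boot script before this rule is loaded.
IPSET_MATCH_RULE='iptables -I INPUT -m set --match-set blacklist src -j DROP'

# Stand-alone run: show both forms for the sample feed.
printf '%s\n' "$SAMPLE_LIST" | emit_iptables_commands Blacklist
printf '%s\n' "$SAMPLE_LIST" | emit_ipset_restore blacklist
echo "$IPSET_MATCH_RULE"
```

The validation step is the part worth keeping whichever form you use: a blocklist feed is untrusted input, and the same filter that stops a stray `-j ACCEPT` from being spliced into a rule also stops an accidental /0 from dropping all traffic. The chain form deletes and re-inserts the INPUT hook so re-running the generated script never stacks duplicate hooks.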