topic Re: 403 error page not using stylesheet or displaying images in Archive

403 error page not using stylesheet or displaying images

Rank_Outsider — Fri, 04 Nov 2011 12:03:31 GMT

Hi,

I block access to our site from known spammers/hackers using a htaccess file, at which point a custom 403 error page is shown.

This page works fine when the user is being blocked because they've tried to access a directory instead of a page, but if they're blocked due to the htaccess file then the stylesheet and company logo are not loaded by the page.

If it was just spammers and the like I wouldn't care, but we will sometimes block genuine users who are using dynamic IP addresses where the IP address was previous used by a spammer etc (actually happened today - luckily the blocked user knows us and emailed us a screen shot). I'd like them to have a 'proper' looking company page so that they know they've come to the right site and are more likely to email us to let us know they are being incorrectly blocked.

Is there anyway to modify the htaccess file to allow blocked IP addresses to access our logo and stylesheets so that the 403 error page displays correctly?

It's not a big or serious problem, but I'd like to fix it if possible - thank you!

Re: 403 error page not using stylesheet or displaying images

Sogo7 — Fri, 04 Nov 2011 16:40:55 GMT

Without seeing all the code or even a link to the site it's hard to give a precise answer

As a workaround why not embed the required images in the 403 page itself using base64 encoding?

There's a free encoder at http://www.greywyvern.com/code/php/binary2base64

and simple instructions

Re: 403 error page not using stylesheet or displaying images

Rank_Outsider — Fri, 04 Nov 2011 18:06:51 GMT

Thank you Sogo7, I'd never heard of base64 enoding before, but it looks interesting and I will look into it further - thanks for the tip.

Sorry for not including links or code - sloppy of me.

The web site is www.neotherix.com and the 403 page is at http://www.neotherix.com/403error.php

An example of the htaccess file code (i.e. the first few lines) is:

order allow,deny
ErrorDocument 404 /404error.php
ErrorDocument 403 /403error.php
ErrorDocument 401 /401error.php
allow from all

deny from 38.100.41           "#  2010-11-22 - email harvester subnet"
deny from 46.4.240.7          "#  2011-03-11 - spam harvester"
deny from 46.4.145.242       "#  2011-04-20 - attempted to hack site"
deny from 46.21.144.176     "#  2011-09-27 - comment spammer"
deny from 69.27.110.130     "#  2011-09-27 - possible hacker"

Thank you

Re: 403 error page not using stylesheet or displaying images

Sogo7 — Fri, 04 Nov 2011 20:00:05 GMT

Personally I think you're being to nice to the miscreants, anyhow here's some code that should sort you out or at least point you in a better direction.

It's not a block you need but an htaccess redirect, though the same result could be achieved with server side php/asp code included in all sensitive pages. Checking the referer / userAgent string signature may also be useful.

# permanently redirect IP ranges request for entire site
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{REMOTE_HOST} 22\.22\.22 [or]
RewriteCond %{REMOTE_HOST} 68\.33\.44 [or] ---- leave thr OR off the last one
RewriteRule ^.*$ http://www.destinationwebsite.com/ [R=403,L]

Alternatively change the last line to something like this...

# send em to a hellish website of your choice
RewriteRule ^.*$ http://www.hellish-website.com [R,L]

Or, to send em to a virtual blackhole of fake email addresses:

# send em to a virtual blackhole of fake email addresses
RewriteRule ^.*$ http://english-61925045732.spampoison.com [R,L]

Re: 403 error page not using stylesheet or displaying images

Rank_Outsider — Fri, 11 Nov 2011 11:30:10 GMT

Thank you again Sogo7. Sorry to take so long to reply to your last post.

I agree with you that my first instinct is to redirect these IP addresses somewhere unpleasant or somewhere that might poison spammers' databases with fake email addresses, however I don't want to risk sending the small number of geniune users that may be unfairly excluded (the one we know about it a Vice President for a company we work with!).

Therefore I like the idea of the base64 encoding the best, although will keep your other suggestions in mind.

I am thinking of dispensing with a manually compiled .htaccess file anyway and using Http:BL to reject IP addresses based on their score in Project Honey Pot's database. It takes up too much of my time and is a reactive rather than proactive approach.

Regards,

Rank_Outsider