Apache 2.4.x ip blacklist

妖精的绣舞 提交于 2021-02-15 09:17:33

问题


I'm looking for an easy way to blacklist IP addresses in Apache 2.4.x. My web site logs ip addresses that tried illegal operations into a text file. I would like to use this text file within Apache to deny all access to all vhosts to this ip list. What would be the best way (easiest and least resource consuming way) ? Found this but this is only for 2.2.. Not sure how this applies to 2.4.. Cheers.

edit: this is a windows x64 box running apache x64


回答1:


@vastlysuperiorman called it right, csf/lfd is the best at this. Unfortunately, they only run on linux.

This free utility promises to provide the same functionality: dynamically monitor access attempts and auto-block IP addresses. You can unblock with a command, in case of false positives. Certainly worth a short.

An alternative could be to create a VM (if your platform supports virtualization) deploy a very small spec linux box, and use that as a proxy. This should be easy to implement. BTW, why not just use linux? .. :-)

(this should have been a comment on @vastlysuperiorman's post, but I don't have enough SO reps to comment on the post of others)

Edited to suggest a possible apache 2.4 based solution:

To translate ACL directives between the 2.2 and 2.4 in apache

2.2 Syntax

order Deny,Allow
include conf/IPList.conf
Allow from all

2.4 Syntax

DocumentRoot /some/local/dir

<Directory /some/local/dir/>
   <RequireAll>
      Require all granted
      Include conf/IPList.conf
   </RequireAll>
</Directory>

#this will also work
<Location />
   <RequireAll>
      Require all granted
      Include conf/IPList.conf
   </RequireAll>
</Directory>

# conf/IPLIst.com is actually in /etc/apache2/conf/IPList.conf 
#   (ie, paths are relative to where apache is installed.  
#    I guess you can also use the full path to the list.

And inside conf/IPList.conf, you will have individual lines with entries like the following

Require not ip 10.10.1.23
Require not ip 192.168.22.199
Require not ip 10.20.70.100

Using mod-rewrite and a list of IPs for banning

  • For a redirect-to-another-page to work, you need to keep the RewriteRule outside the base URL you are guarding.
  • For instance, the redirect would not work under a Directory directive on DocumentRoot or a Location directive on '/', because the ban affects the status page we want to display.
  • So, best to keep this outside a Directory or Location directive, or link to a status page on another unprotected web server.

#Required set of rewrite rules
RewriteEngine on
RewriteMap    hosts-deny  txt:/etc/apache/banned-hosts
RewriteCond   ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond   ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND
RewriteRule   ^  /why-am-i-banned.html

##  inside our banned hosts file, we have:
## /etc/apache2/banned-hosts (maintain the format .. its not just a plain text file)
## 

193.102.180.41 -
192.168.111.45 -
www.example.com -
www.sumwia.net -

# inside our status page, could be html as below or a plain text file with '.txt' extension
#/var/www/html/why-am-i-banned.html
#
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Why is my IP banned?</title>
</head>
<body>
<h2>Why is my IP address banned?</h2>
<p>
To manage spammers and for other security needs, our server automatically blocks      
suspicious IP address.  If however you reckon your IP address has been blocked 
wrongfully, please contact us.
</p>
</body>
</html>

And of course, you can parse your log files and populate conf/IPList.conf or /etc/apache2/banned-hosts as appropriate ..

As a short term solution

An alternative that will allow you to use the 2.2 syntax, is to install mod_access_compat module and continue using your deprecated 2.2 style 'Deny,Allow' directives. But this is only advisable as a short-term solution since that module is just there to aid transition, and would probably go away in future versions of apache 2.4




回答2:


I too have not seen a good alternative for blocking access dynamically from within Apache itself. There are "hacky" ways: you could set an environment variable to contain a list of IPs and then use the module with ${REMOTE_ADDR} and the env function, but that's a stretch. Details on the Expression Parser

However, I have used several light weight modules that are helpful in protecting your Apache server.

ConfigServer Firewall (CSF/LFD) is a great solution for linux systems. It provides a simple method for managing iptables, and can be set up to do brute force detection and blocking. Info here


EDIT: Add the following line to /etc/csf/csf.deny to include your custom IP block list:

Include /var/www/example.deny

Alternately, update your script to append IP addresses to csf.deny either directly:

echo $badIP >> /etc/csf/csf.deny

or using the CSF command line option (preferred):

csf -d 10.20.30.40

CSF readme here


mod_security is one of my favorite Apache/nginx modules. It detects dangerous GET and POST requests and blocks access accordingly. When set up properly, it will trigger CSF to block the IP addresses that frequently violate rules. Details here



来源:https://stackoverflow.com/questions/23157707/apache-2-4-x-ip-blacklist

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!