
As a newbie, I find the Apache documentation a bit confusing: too much specification and too few recipes / practical examples to achieve a certain goal.

Forum posts usually refer to older versions of Apache and to files that no longer exist, such as httpd.conf, or are in a syntax that no longer seems to be used.

Therefore I would like to ask for some help to get started with access control, despite this question having been raised earlier.

My setup: Apache 2.4.29, Ubuntu 18.04, Django 2.1.7

Problem: Some bots in China do Host Header attacks against my IP address, and today my Django deals with security. In addition, I get automated requests from search and survey companies flagged as errors.

Solution: I would like to deal with/stop those requests already at Apache level so they never reach Django.

Attempted solution: Some forum posts I have been reading suggest I need to define [SERVER], some others suggest Require or Authorization Containers, but I cannot find a complete, comprehensive answer to test.

In the Apache documentation, e.g. in this section on access control: which file am I supposed to change, what does the whole file look like, what does a fully working example look like?

Ideally, the answer I am looking for is more of a recipe:

  1. Change this file (e.g. etc/apache/apache2.conf or etc/apache/conf-available/security.conf)

  2. Add the following section (below, above, etc)

  3. Test it by...

I hope someone can help me to get started, many thanks

Jaco
  • You could go another route: On Linux there is the program `fail2ban`. It will analyse the Apache log for offending traffic. It will in turn make automatic IP ban rules in `iptables`, so that all traffic from offending IP addresses is plain and simple dropped. It never gets to go all the way up the OSI stack to Apache. – Lasse Michael Mølgaard Feb 25 '20 at 10:46
  • Takk Lasse, will definitely look into it. On closer inspection, the range of IP addresses "knocking on the door" is quite wide, including Robots and Surveys, so it will be interesting to see if fail2ban can deal with those also (I don't want any of those automated requests either). – Jaco Feb 25 '20 at 11:15
  • Crawlers should be informed about your policy through a [robots.txt](https://en.wikipedia.org/wiki/Robots_exclusion_standard) file and only those misbehaving should be banned. – Piotr P. Karwasz Feb 25 '20 at 18:35
  • FYI: My rather uninteresting web and mail server is blocking around 200 IP addresses / month. This is all done by `fail2ban`. I block failed login attempts on SSH, SMTP, IMAP and some types of web requests. Around 40% of all blocked IP addresses come from a single /16 subnet in the western part of China and another 20 or so IP addresses from Iran. – Lasse Michael Mølgaard Feb 25 '20 at 21:53
  • Yes, I will go for it, thanks for the tips. Maybe easier to only allow access for certain countries that are relevant. No need to go global on local stuff. https://lite.ip2location.com/ip-address-ranges-by-country – Jaco Feb 25 '20 at 22:12
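
The question's goal of rejecting forged Host headers in Apache before they reach Django can be met with a catch-all default virtual host. This is an added example, not part of the original thread; `example.com`, `catchall.invalid` and the file names are placeholders, and the layout assumed is the stock Ubuntu `/etc/apache2/sites-available` one.

```apache
# --- File: /etc/apache2/sites-available/000-catchall.conf (hypothetical name) ---
# When no ServerName/ServerAlias matches the request's Host header, Apache 2.4
# uses the FIRST virtual host defined for that address:port. Ubuntu includes
# sites-enabled/*.conf in alphabetical order, so the 000- prefix makes this
# vhost the default for bare-IP requests and forged Host values.
<VirtualHost *:80>
    ServerName catchall.invalid

    # Refuse every request that lands here (Apache answers 403 Forbidden).
    <Location "/">
        Require all denied
    </Location>

    # A separate log keeps these requests out of the site's own logs and
    # gives fail2ban (suggested in the comments) one file to watch.
    ErrorLog  ${APACHE_LOG_DIR}/catchall_error.log
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
</VirtualHost>

# --- File: /etc/apache2/sites-available/example.com.conf (placeholder site) ---
# Only requests whose Host header is one of these names reach Django.
<VirtualHost *:80>
    ServerName  example.com
    ServerAlias www.example.com

    # ... the existing Django directives stay here unchanged ...
</VirtualHost>

# --- Enable, check syntax, reload (run in a shell) ---
#   sudo a2dissite 000-default        # the stock default site, if still enabled
#   sudo a2ensite 000-catchall example.com
#   sudo apache2ctl configtest && sudo systemctl reload apache2
#
# --- Test from the server itself ---
#   curl -i -H 'Host: bogus.test'  http://127.0.0.1/   # handled by the catch-all
#   curl -i -H 'Host: example.com' http://127.0.0.1/   # handled by the Django vhost
#   sudo apache2ctl -S                                  # shows which vhost is the default
#
# For HTTPS, repeat the catch-all as a <VirtualHost *:443> block with its own
# certificate; without one, the first *:443 vhost remains the default there.
```

This only filters on the Host header; requests that send a valid Host name still reach the site, so IP-based blocking such as `fail2ban` remains a separate layer.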
