
I'm looking for an easy way to blacklist IP addresses in Apache 2.4.x. My web site logs the IP addresses that tried illegal operations into a text file. I would like to use this text file within Apache to deny all access to all vhosts for the IPs in this list. What would be the best way (easiest and least resource-consuming)? Found this, but it is only for 2.2. Not sure how this applies to 2.4. Cheers.

Edit: this is a Windows x64 box running Apache x64.

Eric

2 Answers


@vastlysuperiorman called it right, csf/lfd is the best at this. Unfortunately, they only run on Linux.

This free utility promises to provide the same functionality: dynamically monitor access attempts and auto-block IP addresses. You can unblock with a command, in case of false positives. Certainly worth a shot.

An alternative could be to create a VM (if your platform supports virtualization), deploy a very small-spec Linux box, and use that as a proxy. This should be easy to implement. BTW, why not just use Linux? .. :-)

(this should have been a comment on @vastlysuperiorman's post, but I don't have enough SO reps to comment on the post of others)

Edited to suggest a possible Apache 2.4 based solution:

To translate the ACL directives between Apache 2.2 and 2.4:

2.2 Syntax

Order Deny,Allow
Include conf/IPList.conf
Allow from all

2.4 Syntax

DocumentRoot /some/local/dir

<Directory /some/local/dir/>
   <RequireAll>
      Require all granted
      Include conf/IPList.conf
   </RequireAll>
</Directory>

# this will also work
<Location />
   <RequireAll>
      Require all granted
      Include conf/IPList.conf
   </RequireAll>
</Location>

# conf/IPList.conf is actually /etc/apache2/conf/IPList.conf
#   (i.e. relative paths resolve against ServerRoot, where Apache is installed;
#    an absolute path to the list also works)

And inside conf/IPList.conf, you will have individual lines with entries like the following:

Require not ip 10.10.1.23
Require not ip 192.168.22.199
Require not ip 10.20.70.100

Using mod-rewrite and a list of IPs for banning

  • For a redirect-to-another-page to work, you need to keep the RewriteRule outside the base URL you are guarding.
  • For instance, the redirect would not work under a Directory directive on DocumentRoot or a Location directive on '/', because the ban affects the status page we want to display.
  • So, best to keep this outside a Directory or Location directive, or link to a status page on another unprotected web server.

# Required set of rewrite rules
RewriteEngine on
RewriteMap    hosts-deny  txt:/etc/apache2/banned-hosts
# never rewrite the status page itself, otherwise a banned visitor would loop on it
RewriteCond   %{REQUEST_URI} !^/why-am-i-banned\.html$
RewriteCond   ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond   ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND
RewriteRule   ^  /why-am-i-banned.html [L]

##  inside our banned hosts file, we have:
## /etc/apache2/banned-hosts (keep this key/value format; it's not just a plain list of addresses)
##

193.102.180.41 -
192.168.111.45 -
www.example.com -
www.sumwia.net -

# inside our status page, which could be HTML as below or a plain text file with a '.txt' extension
# /var/www/html/why-am-i-banned.html
#
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Why is my IP banned?</title>
</head>
<body>
<h2>Why is my IP address banned?</h2>
<p>
To manage spammers and for other security needs, our server automatically blocks
suspicious IP addresses. If, however, you reckon your IP address has been blocked
wrongfully, please contact us.
</p>
</body>
</html>

And of course, you can parse your log files and populate conf/IPList.conf or /etc/apache2/banned-hosts as appropriate.

As a short-term solution

An alternative that will allow you to keep using the 2.2 syntax is to install the mod_access_compat module and continue using your deprecated 2.2 style 'Deny,Allow' directives. But this is only advisable as a short-term solution, since that module is just there to aid transition and would probably go away in future versions of Apache 2.4.

Chux Uzoeto
  • Thanks for your input, I'll give it a look but this solution isn't very good for me since it's basically handled by a software firewall instead of at web server level, since I'd probably like to redirect to a page : You have been banned due to illegal operations, send me a mail if you believe this is a mistake blah blah.. So I'd really like to see a solution for Apache 2.4... – Eric Apr 29 '14 at 19:20
  • OK, fair enough. Then you will have to focus on modrewrite based solutions. Look at [this question](http://stackoverflow.com/questions/3165804/dynamic-ip-htaccess-blocklist) .. and [perhaps, this](http://perishablepress.com/eight-ways-to-blacklist-with-apaches-mod_rewrite/) .. and [this also looks useful](http://scamalertnetwork.net/blog/blocking-bad-bots-and-ip-addresses-on-an-apache-hosting-server/) – Chux Uzoeto Apr 29 '14 at 20:15
  • Yup, the 1st link is in my msg and was actually hoping for a 2.4 version of this... – Eric Apr 29 '14 at 20:40
  • There is not much difference between apache 2.2 and 2.4, so what are you needing translated to 2.4 syntax? The example from the accepted answer or the example with RewriteMap? – Chux Uzoeto Apr 29 '14 at 20:48
  • The Deny, Allow has changed in 2.4 and as I'm not very good at that, but yea the accepted answer.. – Eric Apr 29 '14 at 20:53
  • If Apache fails, there will be error logs to show why. What does the logs say? .. Generally, I think because you have put a bounty on this question, you are approaching it in a funny way, and making it awkward to work with you to get on top of your needs. I don't care about no bounty, and it's not helpful trying to work on issues with a non-cooperative person. So, why don't you just spare all of us the time .. well, until you are more serious about resolving your issues – Chux Uzoeto May 02 '14 at 16:37
  • AH00526: Syntax error on line 1 of F:/webserver/apache/conf/blacklist.txt: negative Require directive has no effect in directive – Eric May 03 '14 at 00:49
  • Eric, I have a chance to set up and test this for myself .. That is a typo in my post .. its 'Include' .. not 'include'. You need that in a Directory or Location setting. And it sure does work. I will amend my answer with the exact syntax. Will add a mod_rewrite version that could redirect to a status page, when I have had a chance to test it out. – Chux Uzoeto May 04 '14 at 12:45
  • For starters, try the first example .. Let's get that easier one working. Then we try with the mod_rewrite way since that fits more closely to what you are intending. – Chux Uzoeto May 05 '14 at 15:31
  • Have edited again, and this time provided a full redirect example. It is actually simpler than I first thought to redirect to a status page. Please, let me know how you got on with it. Cheers. – Chux Uzoeto May 05 '14 at 18:39
  • does this look right to you ? Options Indexes FollowSymLinks AllowOverride All Require all granted Include conf/blacklist.conf Reason I'm asking I have no error but blacklist doesn't seem to work, is limitexcept an issue ? – Eric May 08 '14 at 17:04
  • I would advise using the setting I put up above exactly as is (you did notice I edited the post again with a fuller example, including mod_rewrite with redirect?). So, let's keep it simple and get the basic function working. Then we can add extra checks and configs. If it would help, consider creating another vhost to test this, before putting it up on your live server. – Chux Uzoeto May 08 '14 at 20:05
  • Does **Using mod-rewrite and a list of IPs for banning** section rewrite rules work into .htaccess ? (seems no !). – Jean-Luc Barat Jul 11 '16 at 22:18
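Added example (not part of the answer above, nor Apache project code): a small Python script that turns the question's plain text file of offending addresses into the two block-list formats the answer uses, the Require not ip lines for conf/IPList.conf and the key/value txt: RewriteMap. The SAMPLE input, the output file names and the decision to drop CIDR ranges from the RewriteMap (its keys are matched literally against REMOTE_ADDR) are assumptions of this example.

```python
import ipaddress
import sys

# Constructed sample input, standing in for the text file the question
# describes (one offending address per line, comments allowed).
SAMPLE = """# constructed sample, not real traffic
10.10.1.23
192.168.22.199
10.20.70.0/24
10.10.1.23        # duplicate, should appear once
300.1.1.1         # malformed, must not reach the config
"""

def parse_blocklist(text):
    """Return (networks, rejected_lines); a bad line must never reach httpd.conf."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            rejected.append(line)
    return list(dict.fromkeys(nets)), rejected     # de-duplicate, keep order

def _fmt(net):
    # single hosts as plain addresses, ranges in CIDR form (Require ip accepts both)
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return net.with_prefixlen

def to_require_conf(nets):
    """Body of conf/IPList.conf; only valid inside a <RequireAll> block."""
    return "".join(f"Require not ip {_fmt(n)}\n" for n in nets)

def to_rewritemap(nets):
    """Body of the txt: RewriteMap. Keys are compared literally with
    REMOTE_ADDR, so CIDR ranges cannot be expressed here and are skipped."""
    hosts = (n for n in nets if n.prefixlen == n.max_prefixlen)
    return "".join(f"{n.network_address} -\n" for n in hosts)

if __name__ == "__main__":
    # assumed usage: python blocklist.py offenders.txt (falls back to SAMPLE)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    nets, rejected = parse_blocklist(src)
    for bad in rejected:
        print(f"skipped malformed entry: {bad!r}", file=sys.stderr)
    open("IPList.conf", "w").write(to_require_conf(nets))
    open("banned-hosts", "w").write(to_rewritemap(nets))
```

An Include'd file such as IPList.conf is only read when Apache (re)starts, whereas mod_rewrite re-reads a txt: map when its modification time changes, so the RewriteMap route picks up new entries without a restart.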

I too have not seen a good alternative for blocking access dynamically from within Apache itself. There are "hacky" ways: you could set an environment variable to contain a list of IPs and then use the module with ${REMOTE_ADDR} and the env function, but that's a stretch. Details on the Expression Parser

However, I have used several lightweight modules that are helpful in protecting your Apache server.

ConfigServer Firewall (CSF/LFD) is a great solution for Linux systems. It provides a simple method for managing iptables, and can be set up to do brute force detection and blocking. Info here


EDIT: Add the following line to /etc/csf/csf.deny to include your custom IP block list:

Include /var/www/example.deny

Alternately, update your script to append IP addresses to csf.deny either directly:

echo $badIP >> /etc/csf/csf.deny

or using the CSF command line option (preferred):

csf -d 10.20.30.40

CSF readme here


mod_security is one of my favorite Apache/nginx modules. It detects dangerous GET and POST requests and blocks access accordingly. When set up properly, it will trigger CSF to block the IP addresses that frequently violate rules. Details here

vastlysuperiorman
  • Thanks for the comment but I already know and use mod_sec, I am looking for a practical answer, as in, how to do it in mod_sec or else... – Eric Apr 27 '14 at 11:10
  • Using csf might be a great option for you. If your site already contains a script that writes IP addresses to a file, you can simply have it append the addresses to /etc/csf/csf.deny. This can be done by appending the line directly, or by running the command `csf -d 10.20.30.40` on the command line. Alternately, you can add `Include /var/www/example.deny` to csf.deny to include your custom block list. My answer edited accordingly. – vastlysuperiorman Apr 27 '14 at 16:21
  • I have to read on this as I'm not aware of csf. Thanks for the message, will comment asap :) – Eric Apr 27 '14 at 16:34
  • Yup that looked good but i forgot to mention, this is a windows box :( – Eric Apr 27 '14 at 16:36
  • Ahh... sorry. That's what I get for not posting a more universal reply. – vastlysuperiorman Apr 27 '14 at 16:45
  • Gave it a +1, sorry can't go with that answer, thanks again for your time – Eric Apr 29 '14 at 11:20