I work on an Apache 2.4.7 server that filters out requests based on a blacklist of IP addresses. At the moment they are stored in a database. Is there a way to deny access for specific domain/IP combinations by querying the database? Currently I have a script which syncs the database with the httpd.conf config file by adding and removing "Require not 1.2.3.4" lines.
1 Answer
Is there a strong requirement for domain/IP pairs, or would it be acceptable to block IPs from all domains?
If the latter is acceptable, I would tend to think you would be better off using ipsets and iptables, rather than making apache deal with the problem.
It may in fact be worth using fail2ban and configuring it to automate (some of) this for you, by parsing e.g. apache logs for malicious events.
That would also avoid these unwanted requests from hitting apache at all, which might help conserve some resources.
You could otherwise consider using ModSecurity, which in your case, would allow:
- the use of SecRemoteRules to allow modSec to grab fresh rules when needed.
- the use of @ipMatch to rate-limit or deny access to specific IPs (and domains if you want).
I suppose it may also be worth mentioning that instead of editing your apache conf directly, you could use .htaccess files (see e.g. https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html).
- The block is applied per IP for all URLs except one which will be used by trusted users to unblock the IP in case it is blocked by mistake. All other services except HTTP are blocked and unblocked by adding and removing iptables rules, ipsets can be helpful for this part. – J. Doe, Mar 21, 2017 at 17:53
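The ipset/iptables approach the answer recommends, as an added example that is not part of the original question, answer or comment. It assumes the existing database sync script exports the blacklist to a plain text file with one IPv4 address per line, and uses a hypothetical set name `http_blacklist` and a DROP rule on ports 80 and 443; both are assumptions, not something stated in the thread. The point it demonstrates is the atomic refresh: entries are loaded into a temporary set that is then swapped into place, so there is never a moment where the live set is empty, and an empty export is refused rather than applied.

```shell
#!/bin/sh
# Added example: refresh an ipset from a database-exported IP blacklist and
# match it from iptables, so blocked hosts never reach Apache at all.
# Assumptions (not from the original thread): the export is a text file with
# one IPv4 address per line; the set name "http_blacklist" is hypothetical.

SET_NAME="${SET_NAME:-http_blacklist}"
TMP_SET="${SET_NAME}_tmp"

# Emit an `ipset restore` script: fill the temporary set, then swap it with
# the live set atomically and drop the old contents. Lines in the export that
# are not dotted-quad IPv4 addresses are discarded (the regex is only a shape
# check; ipset itself rejects out-of-range octets). Duplicates are collapsed.
build_ipset_restore() {
    file="$1"
    printf 'flush %s\n' "$TMP_SET"
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' "$file" | sort -u |
        while read -r ip; do
            printf 'add %s %s\n' "$TMP_SET" "$ip"
        done
    printf 'swap %s %s\n' "$TMP_SET" "$SET_NAME"
    printf 'flush %s\n' "$TMP_SET"
}

# Number of addresses the restore script would add. An export that yields
# zero entries usually means the database step failed, not an empty list.
count_entries() {
    build_ipset_restore "$1" | grep -c '^add '
}

# Create both sets if missing, load the new contents, and make sure exactly
# one DROP rule referencing the set exists for HTTP/HTTPS. Needs root and
# the ipset/iptables tools; not run by default below.
apply_blacklist() {
    file="$1"
    if [ "$(count_entries "$file")" -eq 0 ]; then
        echo "refusing to apply an empty blacklist from $file" >&2
        return 1
    fi
    ipset create "$SET_NAME" hash:ip -exist
    ipset create "$TMP_SET" hash:ip -exist
    build_ipset_restore "$file" | ipset restore
    iptables -C INPUT -p tcp -m multiport --dports 80,443 \
        -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
    iptables -I INPUT -p tcp -m multiport --dports 80,443 \
        -m set --match-set "$SET_NAME" src -j DROP
}

# Constructed sample export standing in for the database dump; the last two
# lines show what the filter discards (a duplicate and a non-address).
SAMPLE_FILE="$(mktemp)"
cat > "$SAMPLE_FILE" <<'EOF'
203.0.113.10
198.51.100.7
192.0.2.44
203.0.113.10
not-an-ip
EOF

# Print the restore script for inspection. To actually load it on a host:
#   apply_blacklist /path/to/export.txt
build_ipset_restore "$SAMPLE_FILE"
```

Two things to keep in mind when moving the block from Apache to the packet filter. First, a firewall rule matches on the source address only, so the per-URL exception described in the comment (one path left open so trusted users can lift a mistaken block) cannot be expressed here; that unblock endpoint has to live on a port or host the rule does not cover, or be reached from an address that is not in the set. Second, `ipset` works on addresses, not domains, so if the domain/IP pairing from the question is a hard requirement this only covers the "block from all domains" case the answer asks about.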