How to block specific IPs in apache? - apache

I have a Java-based application running in Tomcat. It is an online app; the request first goes to Apache and then redirects to Tomcat.
Today I was not able to log into my application and I noticed warnings in the catalina.out file. They said "An attempt was made to authenticate the locked user "root"" and "An attempt was made to authenticate the locked user "manager"".
In my localhost_access_log.2015-07-07.txt I found the IP addresses below trying to access the system.
83.110.99.198
117.21.173.36
I need to block these 2 IPs from accessing my system. The first IP is well known as blacklisted according to the anti-hacker-alliance. How can I do this?
FYI I am using Apache 2, so the main configuration file is apache2.conf
(Please don't remove the IP addresses I listed above, as I need other developers to be aware of the threat as well)

If you're using VPC:
The best way to block traffic from particular IPs to your resources is using NACLs (Network Access Control Lists).
Do a DENY for All protocols INGRESS for these IPs. This is better than doing it on the server itself as it means traffic from these IPs will never even get as far as your instances. They will be blocked by your VPC.
NACLs are on the subnet level, so you'll need to identify the subnet your instance is in and then find the correct NACL. You can do all of this using the VPC Dashboard on the AWS console.
This section of the documentation will help you:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
Note that you will need to give these 2 rules (one per IP) a rule number that is lower than the default rule number (100). Use 50 and 51 for example.

You can use an .htaccess file:
# Apache 2.2 syntax (mod_authz_host); order is "deny first, then allow", so anything not denied gets through
Order Deny,Allow
Deny from 83.110.99.198
Deny from 117.21.173.36
It's probably better to add this as a firewall rule though. Are you using any firewall service now?
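Before adding deny rules it helps to pull the offending addresses out of the access log by evidence rather than by eye. The script below is an added example, not code from either answer: it parses log lines in Tomcat's default "common" format, counts rejected (401/403) requests per source address against sensitive paths, and renders the resulting deny list in both the Apache 2.2 syntax used above and the Apache 2.4 "Require not ip" form. The sample log lines, the monitored paths and the threshold of 3 are constructed for the example.

```python
"""Find source IPs that repeatedly fail authentication in an access log and
render Apache deny rules for them.

Added example, not from the original post. The log lines below are
constructed to resemble a Tomcat access log; the paths and threshold are
assumptions a real deployment would tune."""
import re
from collections import Counter

# Constructed sample lines in Tomcat's default "common" log format.
SAMPLE_LOG = """\
83.110.99.198 - - [07/Jul/2015:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
83.110.99.198 - - [07/Jul/2015:10:01:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
83.110.99.198 - - [07/Jul/2015:10:01:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
117.21.173.36 - - [07/Jul/2015:10:05:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
117.21.173.36 - - [07/Jul/2015:10:05:11 +0000] "GET /manager/html HTTP/1.1" 401 2473
117.21.173.36 - - [07/Jul/2015:10:05:12 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [07/Jul/2015:10:06:00 +0000] "GET /app/login HTTP/1.1" 200 5120
10.0.0.5 - - [07/Jul/2015:10:06:01 +0000] "POST /app/login HTTP/1.1" 401 300
"""

# ip ident user [timestamp] "METHOD path protocol" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_auth_counts(log_text, paths=("/manager/", "/app/login"), statuses=(401, 403)):
    """Count, per source IP, requests to sensitive paths that were rejected."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if int(m["status"]) in statuses and any(m["path"].startswith(p) for p in paths):
            counts[m["ip"]] += 1
    return counts

def offending_ips(log_text, threshold=3):
    """IPs with at least `threshold` rejected requests, sorted for stable output."""
    return sorted(ip for ip, n in failed_auth_counts(log_text).items() if n >= threshold)

def render_apache22(ips):
    """Apache 2.2 (mod_authz_host) deny list, as in the answer above."""
    return "\n".join(["Order Deny,Allow"] + [f"Deny from {ip}" for ip in ips])

def render_apache24(ips):
    """Apache 2.4 (mod_authz_core) equivalent: allow everyone except the listed IPs."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    bad = offending_ips(SAMPLE_LOG)
    print(render_apache22(bad))
    print(render_apache24(bad))
```

The 10.0.0.5 client has a single failed login and stays below the threshold, so a legitimate user mistyping a password once does not end up in the deny list; the two addresses from the question each exceed it.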

Related

Why is Apache redirecting all domains without a .conf file to one particular domain?

My company has a LAMP server, and I am not an expert at web hosting but I manage basic tasks.
My server currently hosts about twelve different domains. Each domain has a .conf file in the sites-enabled directory, and they work fine. Let's say we have example1.com, example2.com, and example3.com, just to hopefully help explain this question.
Recently, a person I work with registered a bunch of new domains. With the domain registrar, they pointed the domains to our IP address. I believe this is called "parking" a domain. I have not set up a .conf file or enabled any of these new domains on our server yet. Let's say they are newsite1.com, newsite2.com, etc...
What's puzzling to me is that if one types one of the new domains into a browser, one of our existing domains shows up. Let's say it's example1.com. So, if you go to a browser and type in newsite1.com, or newsite2.com, you are taken to example1.com. Also, in the address bar at the top of the browser, it will be displayed as example1.com.
This is not the desired behaviour. For one thing, we did not choose, as far as I know, for example1.com to be the default, and it's not necessarily the website we would want to be the default. In any case, I don't know why the system is going to example1.com as opposed to example2.com or any of our other sites.
The desired behaviour would be for there to just be a general error, "this domain does not exist" or something like that. If there has to be a default website, we'd like to be able to choose it.
I've seen questions on Stack Overflow that are similar, but they all presume one wants to set a default. When I look at the configuration files they reference, for example /etc/httpd/conf/httpd.conf, they are empty, so in my case, there is nothing to unset.
How do I stop browsers from being redirected to the website that they are currently being directed to? How can I set it so that Apache just returns a "site not found" error instead of serving up a website?
The easiest way to fix this is to name your .conf files starting with a number.
If you look at the default apache configs, you'll notice a file called "000-default.conf". Apache will load the files in number order - so just make your default virtual host .conf file be 000-whatever.conf.
I suppose you're using name-based virtual hosts and the <VirtualHost> directive, and this is what the docs have to say:
If no matching name-based virtual host is found, then the first listed virtual host that matched the IP address will be used. As a consequence, the first listed virtual host for a given IP address and port combination is the default virtual host for that IP and port combination.
So when you say:
I've seen questions on Stack Overflow that are similar, but they all presume one wants to set a default.
... all I can add is that that's the way Apache works. I don't think it's inherently wrong to have a default host that serves a "this domain does not exist" page. I always do so in my Windows development box, typically by commenting out the default hosts in the conf/extra/httpd-vhosts.conf file and adding my default host there.
If you ask for my opinion, it's rather questionable that Apache basically serves an arbitrary site when there's no match, thus making this customisation mandatory—and I've seen lots of live sites that don't do it.

Downsides to whitelisting localhost in mod_security?

I've just enabled mod_security on my CentOS server via WHM with OWASP ModSecurity Core Rule Set.
I've seen some very useful stuff so far but also some very annoying, not very useful things such as:
2016-06-23 10:00:01 127.0.0.1 WARNING 200 960008: Request Missing a Host Header
2016-06-23 10:00:01 127.0.0.1 NOTICE 200 960009: Request Missing a User Agent Header
2016-06-23 10:00:01 127.0.0.1 200 981204: Inbound Anomaly Score Exceeded (Total Inbound Score: 5): Request Missing a User Agent Header
Basically 95% of the hits (which are a lot) are like this, from localhost.
What is this exactly? And are there security concerns if I simply whitelist localhost?
Thanks
Only you can answer this to be honest.
It sounds like you have something running locally which connects to your webserver. Maybe a script to check if the site is up? Maybe something else that gets something from the webserver.
Whatever it is, it is not setting:
The Host header: which site you want to visit - so I'm guessing the script is using the IP address to connect or just not passing the hostname.
The User-Agent: all browsers pass a user agent, so when this is not present it's highly likely it's a script. That's not to say whether that script is malicious or useful.
Neither of those rules are really problems or security concerns in themselves. They are just a sign that it's likely not a browser, so it's likely a script, so maybe you want to block it.
To be honest I'd find out what is doing this. As I say, I would guess it might be a heartbeat check script to check the site is still up. If so, then there's no problem whitelisting localhost for these two rules. If not, then you can decide whether you want to whitelist or not.
I personally prefer to only whitelist what's necessary rather than blanket whitelist all of localhost, so to whitelist these rules you can add config like this BEFORE the rules (as the ctl command expects the rules it's amending to come after it):
# Matches only requests whose source address is 127.0.0.1 and, for that transaction, removes the two rules; "pass" keeps the rule itself from blocking anything
SecRule REMOTE_ADDR "@ipMatch 127.0.0.1" "id:1000,phase:2,pass,nolog,ctl:ruleRemoveById=960008,ctl:ruleRemoveById=960009"
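The answer's advice is to find out what is generating the hits before whitelisting anything. The script below is an added example, not code from the question or the answer: it parses log lines in the same shape as the three quoted in the question, aggregates them by source address and rule id so you can see which source and which rules account for the noise, and renders a targeted exclusion for just those rule ids in the style of the SecRule above (the two extra lines from 203.0.113.9, rule id 1000 for the exclusion and the use of phase 1 are constructed assumptions for the example).

```python
"""Triage ModSecurity hits by source address and rule id, then render a
targeted exclusion for only the rules that a known local client trips.

Added example, not from the original post. The log lines are constructed in
the same shape as the ones quoted in the question; the 203.0.113.9 entries
are invented to show that other sources are unaffected."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2016-06-23 10:00:01 127.0.0.1 WARNING 200 960008: Request Missing a Host Header
2016-06-23 10:00:01 127.0.0.1 NOTICE 200 960009: Request Missing a User Agent Header
2016-06-23 10:00:01 127.0.0.1 200 981204: Inbound Anomaly Score Exceeded (Total Inbound Score: 5): Request Missing a User Agent Header
2016-06-23 10:01:01 127.0.0.1 WARNING 200 960008: Request Missing a Host Header
2016-06-23 10:01:01 127.0.0.1 NOTICE 200 960009: Request Missing a User Agent Header
2016-06-23 10:02:17 203.0.113.9 NOTICE 200 960009: Request Missing a User Agent Header
2016-06-23 10:02:17 203.0.113.9 NOTICE 200 960015: Request Missing an Accept Header
"""

# date time ip [LEVEL] status ruleid: message   (the level is sometimes absent)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\S+) (?P<ip>\S+) "
    r"(?:(?P<level>[A-Z]+) )?(?P<status>\d{3}) (?P<rule>\d+): (?P<msg>.*)$"
)

def parse(log_text):
    """Yield (ip, rule_id, message) for every line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], m["rule"], m["msg"]

def hits_by_source(log_text):
    """Counter keyed by (ip, rule_id): which source trips which rule, how often."""
    return Counter((ip, rule) for ip, rule, _ in parse(log_text))

def share_from(log_text, ip):
    """Fraction of all hits that come from `ip` (the question's '95% from localhost')."""
    counts = hits_by_source(log_text)
    total = sum(counts.values())
    return sum(n for (src, _), n in counts.items() if src == ip) / total if total else 0.0

def rules_for(log_text, ip):
    """Sorted list of rule ids that `ip` has tripped."""
    seen = defaultdict(int)
    for src, rule, _ in parse(log_text):
        if src == ip:
            seen[rule] += 1
    return sorted(seen)

def targeted_exclusion(ip, rule_ids, rule_id=1000):
    """Render a SecRule that removes only `rule_ids` for requests from `ip`.

    phase:1 runs before the CRS rules being removed; pass makes sure this
    rule never blocks on its own."""
    ctl = ",".join(f"ctl:ruleRemoveById={r}" for r in rule_ids)
    return f'SecRule REMOTE_ADDR "@ipMatch {ip}" "id:{rule_id},phase:1,pass,nolog,{ctl}"'

if __name__ == "__main__":
    for (ip, rule), n in hits_by_source(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {ip:15s}  {rule}")
    print(f"share from localhost: {share_from(SAMPLE_LOG, '127.0.0.1'):.0%}")
    # Exclude only the two header rules, not the anomaly-score rule 981204.
    print(targeted_exclusion("127.0.0.1", ["960008", "960009"]))
```

Rule 981204 is deliberately left out of the exclusion: once 960008 and 960009 no longer fire for localhost, the anomaly score for those requests drops and 981204 stops triggering on its own, while it still protects against any other rules the local client might trip.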

.htaccess safety vs password

Is it safe to create a .htaccess in a folder in my website (example.com/thisfolderismine) and ONLY allow MY IP address?
My goal is to MAKE SURE that no one other than me accesses this folder. There is also a login in this folder, but I'd rather take a crazy-full access protection.
Is this safe? Is there a way to hack this?
Note: I don't care about not being able to access it from somewhere else.
My website is getting hacked by Ukraine, Vietnam, Philippines, Algeria, China in the last 4 months and these no-lifes are driving me nuts.
Also, is there a simple way to only allow IP/computers from ONLY Canada & USA? I don't have clients anywhere else anyway.
Thanks a bunch
Joel
Kind of going in reverse order of your question:
While there may be some general association of geographic location to IP address range, you should not count on it.
What if one of your clients in Canada wants to access your site through a proxy in Europe? You should use a "real" authentication method to verify users, not IP address.
Using specific IPs is better, assuming those users have static IPs. This is not a safe assumption for a dial-up or DSL-based user, though (for example).
If you yourself have a static IP, then yes, it should be fine to limit access to a folder based on that. Of course if you ever release that IP or switch ISP, etc. you will have to update your website's configuration. One more thing to have to remember.
You could also consider using a VPN and only limiting your page's access to the local network (see anubhava's answer - note the 192.168.XX.XX address).
Personally, I use a combination of HTTPS + username + good password for stuff like this.
Put these 3 lines on top of your .htaccess file in the folder you want to restrict:
# Apache 2.2 syntax (mod_authz_host): deny everyone, then allow the one address
Order deny,allow
Deny from all
Allow from 192.168.100.101
This will only allow access to that folder from IP address 192.168.100.101; otherwise it will show a Forbidden error.

.htaccess block local ip address

I have 3 applications running on wampserver hosted on our intranet.
I would like to block the access of applications for a certain ip range. So I edited .htaccess files for each application as below. But the application is not blocked.
# Apache 2.2 syntax: deny everyone, then allow the 10.212.4.x range
order deny,allow
allow from 10.212.4.
deny from all
After checking the logs I found that the IP address the client was returning was different, since all our machines use proxy settings by default.
Could anyone help me with how to overcome this?
You can use mod_rewrite to block people based on their "x-forwarded-for" header. I would not consider this secure though, because these are easy to forge.
See the discussion here:
http://www.110mb.com/forum/empty-t26129.0.html
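Both this question and the one above it ("only allow MY IP address") come down to one decision: which address is the client's, and when can a forwarded header be believed. The script below is an added example, not code from any of the posts: it evaluates an IP allow list the way the .htaccess blocks above do, but only honours X-Forwarded-For when the TCP peer is a known proxy (the same approach as Apache's mod_remoteip), so a forged header from anywhere else is ignored. The proxy address 10.212.1.10, the allow list, the sample requests and the render_require helper are constructed for the example.

```python
"""Evaluate an IP allow list without being fooled by a forged
X-Forwarded-For header.

Added example, not from any of the posts. The trusted proxy, the allowed
networks and the requests are constructed; the allow list mirrors the two
posts (one static address, one intranet range)."""
import ipaddress

# Constructed: the intranet proxy that every client machine goes through.
TRUSTED_PROXIES = [ipaddress.ip_network("10.212.1.10/32")]

# Constructed allow list: the single admin address from one post and the
# 10.212.4.x range from the other.
ALLOWED = [ipaddress.ip_network("192.168.100.101/32"),
           ipaddress.ip_network("10.212.4.0/24")]

def effective_client_ip(remote_addr, x_forwarded_for=None):
    """Return the address access control should be evaluated against.

    The last X-Forwarded-For hop is the one the proxy itself appended, so it
    is believed only when the TCP peer is a trusted proxy. Any other peer can
    write whatever it likes into the header, so the header is ignored."""
    peer = ipaddress.ip_address(remote_addr)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        try:
            return ipaddress.ip_address(hops[-1])
        except (ValueError, IndexError):
            return peer  # malformed header: fall back to the peer address
    return peer

def is_allowed(remote_addr, x_forwarded_for=None):
    """True if the effective client address falls inside an allowed network."""
    client = effective_client_ip(remote_addr, x_forwarded_for)
    return any(client in net for net in ALLOWED)

def render_require(allowed):
    """Apache 2.4 (mod_authz_core) equivalent of the Order/Deny/Allow blocks."""
    parts = [str(n.network_address) if n.num_addresses == 1 else str(n) for n in allowed]
    return "\n".join(f"Require ip {p}" for p in parts)

if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For header or None)
    cases = [
        ("192.168.100.101", None),                  # admin, direct: allowed
        ("203.0.113.7", "192.168.100.101"),         # forged header, untrusted peer: denied
        ("10.212.1.10", "10.212.4.25"),             # via proxy, client in range: allowed
        ("10.212.1.10", "10.212.4.25, 203.0.113.7"),# client forged first hop: denied
        ("10.212.1.10", None),                      # proxy itself, no client info: denied
    ]
    for peer, xff in cases:
        print(f"{peer:16s} {str(xff):28s} -> {'allow' if is_allowed(peer, xff) else 'deny'}")
    print(render_require(ALLOWED))
```

The second case is the point of the warning in the answer above: matching on the X-Forwarded-For header alone would let anyone claim to be 192.168.100.101. Restricting the header to a named proxy is what makes an IP-based rule meaningful behind one, and it is still only as strong as the addresses themselves, which is why the earlier answer recommends real authentication over HTTPS for anything that matters.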

How to prevent hackers from exploiting Apache ->Sites-available -> Default file

We noticed that a hacker created a domain and configured DNS to point it to our server's IP address.
We are using apache2.x on Ubuntu.
There is a "default" file in apache's /etc/apache2/sites-available directory and it looks like the hacker's domain is using the "default" apache configuration file to display our web content in their domain.
How can we prevent this?
Can some one post a "default" apache configuration file as an example?
Unknown domains that come into apache over the specified ip and port will be directed to the first virtual host, thus the 000-default file. Your best bet is to make the 000-default host return a 400 or 500 error (or some explicit message saying the domain doesn't belong) and use explicit virtualhosts for each of your sites.
+1 Jeremy's answer: make the default (first) virtual host for each IP address you're listening on return something useless like a 404 or page saying nothing but “this is a virtual server”.
Allowing your web server to serve a real web site on a non-matching ‘Host’-name (including a raw IP address) opens you up to two particular attacks:
DNS rebinding attacks, leading to cross-site scripting into your real web site.
This affects sites with a user access element (eg. logging in, cookies, supposedly-private intranet apps).
‘Search-hijacking’. This affects all sites (even completely static ones). This may be what is happening to you. By pointing their own domain name at your server, they can make search engines see both the real domain name and their fake one as duplicates for the same site. By using SEO techniques they can then try to make their fake address seem like the more popular one, at which point the search engines see that as the canonical address for the site, and will start linking to it exclusively instead of yours.
Most web servers are configured by default to serve a web site to all-comers, regardless of what hostname or IP address they're accessing it through. This is a dangerous mistake. For all real live sites, configure it to require that the ‘Host’ header matches your real canonical hostname.
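The selection rule quoted from the Apache docs earlier on this page ("the first listed virtual host that matched the IP address will be used") explains both the redirect puzzle in the "Why is Apache redirecting all domains" question and the hijacked "default" file in this one. The script below is an added example, not code from any of the posts or from Apache: it simulates name-based virtual host selection for a single address:port, first without and then with a catch-all 000-default host, to show why an unknown Host header (or a raw IP address) otherwise lands on a real site. The hostnames and host definitions are constructed, and the simulation deliberately omits ServerAlias wildcards and multiple listen addresses.

```python
"""Simulate Apache's name-based virtual host selection.

Added example, not from any of the posts. The vhost definitions and the
hostnames are constructed; wildcard aliases and multiple listen addresses
are left out to keep the rule visible."""
from dataclasses import dataclass

@dataclass
class VHost:
    name: str                  # ServerName
    aliases: tuple = ()        # ServerAlias entries
    listen: str = "*:80"       # <VirtualHost *:80>
    catch_all: bool = False    # True for a 000-default that serves nothing real

def select_vhost(vhosts, host_header, addr_port="*:80"):
    """Return the vhost Apache would pick for a request carrying `host_header`.

    Among the vhosts for this address:port, the first (in configuration
    order) whose ServerName or ServerAlias matches wins; if none matches, the
    first listed one for that address:port is used. That fallback is the
    whole story behind both questions."""
    candidates = [v for v in vhosts if v.listen == addr_port]
    host = (host_header or "").split(":")[0].lower()   # strip any :port
    for v in candidates:
        if host == v.name.lower() or host in (a.lower() for a in v.aliases):
            return v
    return candidates[0] if candidates else None

def respond(vhosts, host_header):
    """(status, body) the simulated server returns for the given Host header."""
    v = select_vhost(vhosts, host_header)
    if v is None or v.catch_all:
        return 404, "Site not found"
    return 200, f"content of {v.name}"

# Constructed: the situation in the question - no catch-all, example1 listed first.
WITHOUT_DEFAULT = [VHost("example1.com", ("www.example1.com",)),
                   VHost("example2.com"),
                   VHost("example3.com")]

# Constructed: 000-default.conf sorts first and is marked as serving nothing.
WITH_DEFAULT = [VHost("default", catch_all=True)] + WITHOUT_DEFAULT

if __name__ == "__main__":
    for hosts, label in ((WITHOUT_DEFAULT, "no default"), (WITH_DEFAULT, "000-default")):
        for h in ("example2.com", "newsite1.com", "198.51.100.4", None):
            print(f"{label:12s} Host={str(h):14s} -> {respond(hosts, h)}")
```

With the catch-all in place an unknown name, a raw IP address and a missing Host header all get the 404 that both answers recommend, while the real sites are still reached by their own names; the parked domain pointed at the server then shows nothing worth indexing or rebinding to.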