Apache block an ip address from accessing the website - apache

Someone is trying to access pages like
//mysqladmin//scripts/setup.php
Is it some hack attempt or ..?
If yes, then how can I block its IP from accessing my website?
Via htaccess or something else?

As an update to this old question for those who still land here:
Order Allow Deny are deprecated as of Apache 2.4 and Require should be used.
<RequireAll>
Require all granted
Require not ip 1.2.3.4
</RequireAll>
Ranges, netmasks, etc. can also be specified.
https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html (Deprecated)
https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#require
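Added example, not part of the original answer: this Python script scans access-log lines for the probe path from the question and builds a RequireAll block in the syntax shown above. The log lines are constructed samples; the function names and the min_hits threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Common/combined log format: host ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+)[^"]*" (\d{3})')
# The probe path from the question, tolerating repeated slashes.
PROBE_RE = re.compile(r"^/+mysqladmin/+scripts/+setup\.php", re.IGNORECASE)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET //mysqladmin//scripts/setup.php HTTP/1.1" 404 209',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /mysqladmin/scripts/setup.php HTTP/1.1" 404 209',
    '198.51.100.20 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.20 - - [10/Oct/2023:13:56:09 +0000] "GET //mysqladmin//scripts/setup.php HTTP/1.1" 404 209',
    'scanner.example.net - - [10/Oct/2023:13:57:00 +0000] "GET //mysqladmin//scripts/setup.php HTTP/1.1" 404 209',
]


def probing_clients(log_lines, min_hits=2):
    """Return {ip: hit_count} for clients that requested the probe path."""
    hits = Counter()
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match or not PROBE_RE.search(match.group(2)):
            continue
        try:
            # With HostnameLookups on, the first field is a name, which
            # "Require not ip" cannot take, so only literal addresses count.
            client = str(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue
        hits[client] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def require_block(ips):
    """Render the Apache 2.4 block from the answer for the given addresses."""
    lines = ["<RequireAll>", "Require all granted"]
    lines += [f"Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(require_block(probing_clients(SAMPLE_LOG)))
```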

To block special IP addresses, you can put the following in a .htaccess file located in the directory you would like to restrict:
order allow,deny
deny from 1.2.3.4
allow from all
Where 1.2.3.4 is the IP you would like to block.
But note that IP addresses change users, and attackers also change IP addresses.
So this will not secure your application and will potentially block legal visitors.
The better solution will be to make sure your script does not accept malicious paths.
Append a base path to the path you get from the user
Make sure the path you get from the user does not contain '../'
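Added example, not part of the original answer: a Python version of the two checks above that compares the fully resolved path against the base directory, so `..` segments, absolute paths and symlinks are all covered by one test. The function names are hypothetical, and the code assumes the web framework has already URL-decoded the path once.

```python
import os
import tempfile


def resolve_under_base(base_dir, user_path):
    """Return the absolute path for user_path inside base_dir, or raise ValueError.

    Assumes user_path has already been URL-decoded once by the web framework.
    """
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    # Strip leading separators: os.path.join() would otherwise discard the
    # base entirely when the second argument is absolute.
    relative = user_path.lstrip("/\\")
    # realpath() collapses ".." segments and follows symlinks, so the
    # comparison below is made on the location that would really be opened.
    candidate = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def classify(base_dir, requests):
    """Map each requested path to 'ok' or the rejection reason."""
    results = {}
    for req in requests:
        try:
            resolve_under_base(base_dir, req)
            results[req] = "ok"
        except ValueError as exc:
            results[req] = str(exc)
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:  # constructed sample base
        samples = ["docs/a.txt", "/etc/passwd", "../../etc/passwd",
                   "docs/../../secret", "docs/./a.txt"]
        for path, verdict in classify(base, samples).items():
            print(f"{path!r:24} {verdict}")
```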

Related

htaccess: I cannot allow access from a specific domain instead of IP

I want to allow the connection from my LAN and in the case, that the external ip matches my ip (for when I use my domain to connect internal to my http server via browser)
I found this:
Require forward-dns bla.example.org
but I get a 403 Forbidden :/
My .htaccess looks like this:
Order Deny,Allow
Deny from all
Allow from 192.168.254.1/24
Require forward-dns mydomain.de
Thank you :C
Here is the answer I have worked out:
I use a script to enter the IP address in the hosts file.
Follow the instructions from:
https://www.the-art-of-web.com/system/apache-auth-ddns/
After that it works with the following command in .htaccess
Allow from yourDomain.de
It's not the best answer, but it will work.

Allowing only cloudflare i.p range through .htaccess giving 403 error

I've been trying to allow only Cloudflare's IP ranges on my server, but I keep getting 403 errors; 403 is what people bypassing Cloudflare should see.
I have tried
#cloudflare
order deny,allow
Deny from all
#ipv4
allow from 173.245.48.0/20
allow from 103.21.244.0/22
allow from 103.22.200.0/22
allow from 103.31.4.0/22
allow from 141.101.64.0/18
allow from 108.162.192.0/18
allow from 190.93.240.0/20
allow from 188.114.96.0/20
allow from 197.234.240.0/22
allow from 198.41.128.0/17
allow from 162.158.0.0/15
allow from 104.16.0.0/12
allow from 172.64.0.0/13
allow from 131.0.72.0/22
#ipv6
allow from 2400:cb00::/32
allow from 2606:4700::/32
allow from 2803:f800::/32
allow from 2405:b500::/32
allow from 2405:8100::/32
allow from 2a06:98c0::/29
allow from 2c0f:f248::/32
and I have tried
DenyAllButCloudFlare
I get the same issue, the above line gives me 500 error
For the life of me I can't figure it out; Cloudflare support just referred me to their whitelist page, which I have followed.
I'm using Apache 2.4.2
edit: changed Apache version num :)
Try using the Require directive in Apache. Apache themselves mention:
The Allow, Deny, and Order directives, provided by mod_access_compat, are deprecated and will go away in a future version. You should avoid using them, and avoid outdated tutorials recommending their use.
Try changing it to the following, and make sure mod_authz_host is enabled:
#path to your website
<Directory "path/to/public_html/or/var/www/html">
#ipv4
Require ip 173.245.48.0/20
Require ip 103.21.244.0/22
Require ip 103.22.200.0/22
Require ip 103.31.4.0/22
Require ip 141.101.64.0/18
Require ip 108.162.192.0/18
Require ip 190.93.240.0/20
Require ip 188.114.96.0/20
Require ip 197.234.240.0/22
Require ip 198.41.128.0/17
Require ip 162.158.0.0/15
Require ip 104.16.0.0/12
Require ip 172.64.0.0/13
Require ip 131.0.72.0/22
#ipv6
Require ip 2400:cb00::/32
Require ip 2606:4700::/32
Require ip 2803:f800::/32
Require ip 2405:b500::/32
Require ip 2405:8100::/32
Require ip 2a06:98c0::/29
Require ip 2c0f:f248::/32
</Directory>
Have a look at https://httpd.apache.org/docs/2.4/howto/access.html for more info.
Be aware of this; I think it would be better to just use the normal Apache directives anyway. Cloudflare themselves say:
Cloudflare no longer updates and supports mod_cloudflare, starting with versions Debian 9 and Ubuntu 18.04 LTS of the Linux operating system. We now support mod_remoteip for customers using Apache web servers. Customers who are interested in building the mod_cloudflare package can download the codebase from GitHub.
See: https://support.cloudflare.com/hc/en-us/articles/200170916-Restoring-original-visitor-IPs-Option-1-Installing-mod-cloudflare
And mod_remoteip feels like it is insecure. So I suggest you stick with the Require ip directive.

Unable to access site locally, others can

I run Apache locally, on one of my home servers. I am able to access the domain once or twice, but then it will time out. It simply won't allow me to access it from my IP (the same IP the site is hosted on). Others are able to type in the domain name and access the server as much as they want. If I use a proxy, then I am also able to access it. The only times it messes up is when I try to access it without a VPN, or by using another computer that is on the network.
TL;DR: can't access site from own network, other networks can access.
Could you tell us what operating system you use? It could also be that in the rules for that directory you are allowing access to it from any IP except localhost.
Example:
<Directory /var/www/html/>
Order Deny,Allow
Deny from 127.0.0.1
Allow from All
</Directory>
Such a configuration would deny everything from localhost and allow everything from any other IP.

apache2 : how to allow access from a file

I would like to restrict access to a folder according to some IPs.
I already know how to do that by
<Directory "/path/to/my/directory/">
Order Deny,Allow
Deny from all
# IP 1 (Apache does not allow a comment on the same line as a directive)
Allow from 123.123.123.1
# IP 2
Allow from 123.123.123.2
Allow from 127
</Directory>
As I would like to manage the list of allowed IPs differently, I would prefer to allow them from a text file where the IPs could be noted like this:
123.123.123.1
123.123.123.2
Does anybody know how to do that? If that's not possible, is there another way to do such a thing?
P.S.: To make everything clear, my final purpose is to grab the IPs connected to a local VPN (OpenVPN), add each IP to a file if it is not already included, and restart apache2 so that it can take them into account. It's a little bit strange, but on the same server I have HTML content that I want to be accessed only by VPN users. But even if I pass through the VPN, apache2 sees the remote IP address, not the endpoint one...
You can't include extra files in the apache config like what you want to do, but you could use mod_rewrite's RewriteMap directive to use a mapping file, or run a script.
For example, you can create the map:
RewriteMap allow_ips txt:/path/to/ipfile.txt
And in the /path/to/ipfile.txt you'd have
123.123.123.1 1
123.123.123.2 1
123.123.123.4 1
123.123.123.10 1
Then in your directory container:
RewriteEngine On
RewriteCond ${allow_ips:%{REMOTE_ADDR}|0} 0
RewriteRule ^ - [L,F]
The mapping is being used in the condition: ${allow_ips:%{REMOTE_ADDR}|0}. If the remote address is in the /path/to/ipfile.txt, then the mapping will return "1"; otherwise it returns "0", which would satisfy the condition, and the rule will deny access.
Problem with this kind of mapping is that you need to have something other than a "0" at the end of each IP (in order to form a map).
The other option is to write a script and use the prg map type. The script would look up the IP in a different file and return the appropriate "1" or "0". This is a little less lightweight since the script would be run each time as opposed to a cached map file.
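Added example, not part of the original answer: a Python generator for the txt map file described above, taking a plain one-IP-per-line list like the one in the question. Function names and sample entries are constructed; httpd re-reads a txt map when the file's mtime changes, so the file is swapped in atomically and no restart is required.

```python
import ipaddress
import os
import tempfile


def build_allow_map(raw_lines):
    """Turn one-IP-per-line input into 'ip 1' map lines.

    Returns (map_text, rejected_entries). A txt map is an exact key lookup on
    REMOTE_ADDR, so CIDR ranges and hostnames are rejected rather than written.
    """
    allowed, rejected = [], []
    for raw in raw_lines:
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        try:
            ip = str(ipaddress.ip_address(entry))  # validates and normalises
        except ValueError:
            rejected.append(entry)
            continue
        if ip not in allowed:  # de-duplicate, keep first-seen order
            allowed.append(ip)
    return "".join(f"{ip} 1\n" for ip in allowed), rejected


def write_map(path, text):
    """Replace the map file atomically so httpd never reads a partial file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".ipmap-")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(text)
        os.chmod(tmp, 0o644)  # readable by the httpd user
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


# Constructed sample input, e.g. addresses collected from the VPN status.
SAMPLE_IPS = ["123.123.123.1", "123.123.123.2", "", "# old entry",
              "123.123.123.1", "10.8.0.0/24", "not-an-ip",
              " 123.123.123.10  # vpn client"]

if __name__ == "__main__":
    map_text, bad = build_allow_map(SAMPLE_IPS)
    print(map_text, end="")
    print("rejected:", bad)
```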

.htaccess Why access to a file is forbidden on localhost?

I want to allow access to a file (secret.txt) only from my ip.
Below is the .htaccess I'm using.
It works great at my provider's server.
However, at my localhost this .htaccess does not allow me to access the file.
<Files "secret.txt">
order deny,allow
deny from all
allow from 1.2.3.4
</Files>
Where my external ip is "1.2.3.4"
I use Apache server locally.
How can I make things work at localhost also?
What address are you using to access your local Apache server? If you're addressing it as localhost then you're probably not going all the way out of your machine via the network and back in again. This means that as far as your local Apache server is seeing you, you're coming from a loopback address.
Try putting 127.0.0.1 in instead of your external IP, and see if that works.
Try looking into your local server's access logs: does your local server see 1.2.3.4 when you are accessing the file from the computer that should be allowed? You may see a different IP address (due to NATs and whatnot).