Restricting access to apache by IP

Discussion in 'Tips/Tricks/Mods' started by Parsec, Mar 22, 2013.

  1. Parsec

    Parsec Member

    If this tip/trick is not deemed suitable by the ISPConfig admins, then please just delete this post.

    Done on a Debian system - others are most probably similar
    Note: I am also terrible at writing tips and tricks files for people so please be careful interpreting my words here. Also you should know what you are doing via a server command line before trying this.

    This is for those people who run servers that incorporate a fair number of IPs and would like a way to stop various nefarious systems attempting to hack their web servers via IP based methods. Often attempts to find weaknesses in websites are done by just accessing servers via the IP and running scripts etc to find such weaknesses. This way they just troll their mechanisms from one IP to the next looking for such weaknesses.

    The method below most probably will not ever be endorsed by ISPConfig because it goes against, and requires changes to, the default apache configurations used by ISPC. I prefer to try and stop hack attempts before they start, rather than seeing the results of such an attempt and then deciding to ban the attacker etc, this is why I use this.

    All this is, is a simple web jail that gives anyone accessing the web server by IP nowhere to go and nothing to do. It's also good for those clients who know the IP address of their site and when they browse to it could quite possibly get a different site (we do use virtual hosts now don't we..), they will no longer think you are ripping them off because the IP goes to someone else's website.

    Let's start with the things required: (these can be altered somewhat)

    A directory for the website these people will see. I stay outside of ISPC setups here and manually create the dirs. I will use my home directory (called "myhome" here) on the server and call the web dir "ipdefault".

    So we need to create some dirs (note "myhome" is your user home dir or you can alter the entire path to wherever you want)

    (you may have to use su/sudo for the following depending on how you access your server)

    Code:
    mkdir -p /home/myhome/web/ipdefault
    mkdir -p /home/myhome/log/ipdefault
    
    Now we create an index.html for the webdir. You can use any editor, like nano, vi whatever
    Code:
    nano /home/myhome/web/ipdefault/index.html
    
    In this file we just type
    Code:
    <html><body>
    This server is not accessible by IP only
    </body></html>
    
    Now we make that all owned by root
    Code:
    chown -R root:root /home/myhome/web/ipdefault
    chown -R root:root /home/myhome/log/ipdefault
    
    Now to configure apache. We have to alter 4 configuration files so you best make backups first.
    Code:
    cp /etc/apache2/sites-available/apps.vhost /etc/apache2/sites-available/apps.vhost.orig
    
    cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default.orig
    
    cp /etc/apache2/sites-available/ispconfig.vhost /etc/apache2/sites-available/ispconfig.vhost.orig
    
    cp /etc/apache2/ports.conf /etc/apache2/ports.conf.orig
    
    Now you have to edit those 4 files and change the VirtualHost directive to a specific IP. This IP is the one that your server is set up as default (the one ISPC answers to).

    Change "your_ip_address" for the server's actual IP.

    Edit apps.vhost and change "<VirtualHost _default_:8081>" to "<VirtualHost your_ip_address:8081>"

    Edit default and change "<VirtualHost *:80>" to "<VirtualHost your_ip_address:80>"

    Edit ispconfig.vhost and change "<VirtualHost _default_:8080>" to "<VirtualHost your_ip_address:8080>". Also comment out the "NameVirtualHost *:8080" by placing a hash (#) before it.

    Edit ports.conf and comment out the "NameVirtualHost *:80" by placing a hash (#) before it.

    REMEMBER: if you ever update ISPC to a new version it will destroy all your changes!

    Now to create our config file for our ipdefault website. We need to call it something so it appears first in the list of sites for apache (so it loads first). I have chosen to call it 0-aaaa.conf. You can create this file directly in /etc/apache2/sites-enabled, or place it in sites-available and use a2ensite to add it.

    The contents of this file are as follows (create using any editor). I am going to pretend my IP addresses are 123.123.123.1, 123.123.123.2 and so on. Obviously you use all the IPs of your server here. Although it's all in one file, you will have a virtualhost config for each IP for your server in this file. Don't forget to change the paths in this file to where you put your web setup - don't leave it as /home/myhome/web.. like this example. Also change your_server_name to what it actually is.
    Code:
    <VirtualHost 123.123.123.1:80>
            ServerName your_server_name
            DirectoryIndex index.html
            DocumentRoot /home/myhome/web/ipdefault
            <Directory /home/myhome/web/ipdefault>
                Options -Indexes
            </Directory>
            RewriteEngine On
            RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
            RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
            RewriteRule . /home/myhome/web/ipdefault/index.html [L]
            CustomLog /home/myhome/log/ipdefault/access.log combined
            ErrorLog /home/myhome/log/ipdefault/error.log
    </VirtualHost>
    <VirtualHost 123.123.123.2:80>
            ServerName your_server_name
            DirectoryIndex index.html
            DocumentRoot /home/myhome/web/ipdefault
            <Directory /home/myhome/web/ipdefault>
                Options -Indexes
            </Directory>
            RewriteEngine On
            RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
            RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
            RewriteRule . /home/myhome/web/ipdefault/index.html [L]
            CustomLog /home/myhome/log/ipdefault/access.log combined
            ErrorLog /home/myhome/log/ipdefault/error.log
    </VirtualHost>
    
    Now obviously if you have more IPs on your server then your config file above will have more listings, one for each IP. You need to have an entry in that file for each IP apache will answer to. So this file can end up very long.. still all the entries are the same, so copy and paste and just change the IP.

    Now you need to test that all these changes will still work with apache, so..
    Code:
    apache2ctl configtest
    
    If there are no errors and everything looks like it will work, then reload apache with "apache2ctl graceful". Check that the log directory you created now has logfiles in it, check that ISPConfig still works (website) and check what happens when you try to browse to your server by any of its IPs.

    If you screwed up - well you do have those original files I got you to make copies of, don't you?

    REMEMBER: if you ever update ISPC to a new version it will destroy all your changes!

    Explanation on the apache config for this.
    Being the first entry in the list, apache will direct all connection attempts by the IPs listed in this file to the ipdefault/index.html page. The rewrite conditions will also take any attempt at expanding the IP url by using directories or files and send it back to the index.html. Thus people using a url of 123.123.123.1/phpmyadmin will be redirected back to the index.html. It won't matter what is added to the end.

    Now it is possible to leave out the logfile entries for the above and just let the requests go to the default apache logfiles in /var/log/apache2, but I use explicit logfiles for one reason. I use fail2ban and other systems to catch hack attempts and do something with them. Now fail2ban in particular is a bit of a hog if you give it lots of logfiles, ie: if you are using apache-badbots or similar in fail2ban then giving it hundreds of logfiles for it to process (because you have hundreds of websites on your server) doesn't seem particularly efficient. So I use these logfiles for fail2ban (apache-badbots apache-overflows apache-nokiddies etc). It works quite well because 99% of accesses via IP are not legitimate customers anyway - real people are using the web domain. There are also other cute things you can do with this setup, but I'll let you figure them out.

    Hmm that's it, hope I explained it properly and it's of use to someone.
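
Added example, not part of the original post: because every IP apache answers on needs its own identical stanza in 0-aaaa.conf, a missed or mistyped address leaves that IP outside the catch-all. This sketch generates the file from a list of addresses and refuses to output anything if one is malformed. The function names and the WEBROOT, LOGDIR and SERVER_NAME variables are assumptions; their defaults are the post's example paths.

```sh
#!/bin/sh
# Added example: build the per-IP catch-all vhost file from a list of addresses.
# Defaults are the post's example paths (assumed names); override via environment.
WEBROOT="${WEBROOT:-/home/myhome/web/ipdefault}"
LOGDIR="${LOGDIR:-/home/myhome/log/ipdefault}"
SERVER_NAME="${SERVER_NAME:-your_server_name}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print the stanza from the post for one address.
emit_vhost() {
    cat <<EOF
<VirtualHost $1:80>
        ServerName $SERVER_NAME
        DirectoryIndex index.html
        DocumentRoot $WEBROOT
        <Directory $WEBROOT>
            Options -Indexes
        </Directory>
        RewriteEngine On
        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
        RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-d
        RewriteRule . $WEBROOT/index.html [L]
        CustomLog $LOGDIR/access.log combined
        ErrorLog $LOGDIR/error.log
</VirtualHost>
EOF
}

# Validate every address first, then print one stanza per address.
generate_ipdefault_conf() {
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    for ip in "$@"; do emit_vhost "$ip"; done
}
```

Source the script, redirect the output of `generate_ipdefault_conf 123.123.123.1 123.123.123.2` into 0-aaaa.conf, then run `apache2ctl configtest` before reloading, as in the post.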
     
