Old 04-22-2006, 12:09 AM   #1
cylarz
apache access question


Hey all,

I'm exploring ways to improve system security. You may have seen my other posts regarding PostFix, and this posting is indirectly related to those. I wanted to start a new thread, however, just to avoid pissing anyone off by changing subjects mid-stream.

This time I'm asking about Apache HTTPD webserver. I'm running Apache 2.2 on a Fedora Core 5 system (Red Hat).

I have a list of IP addresses that have recently tried to relay junk mail, break in through the SSH daemon, or otherwise attempted to violate the system. I want to ban the entire lot of them from ever getting near it since they obviously cannot be trusted. I realize it is a reactive strategy, but it is the best I can manage at the moment.

One measure I took was to implement TCP wrappers, which seems to work well at protecting the SSH port. However, it doesn't cover HTTP, nor would I really want it to. SSH's rule is "deny all those not specifically granted", while with HTTP, I want to do just the reverse - "allow all NOT specifically singled out as banned."

Sorry for the wordy intro, but I wanted to get some background information out there before getting to my actual question. Here it is: What is the best way to stop IP address XXX.XXX.XXX.XXX or network 123.456.789.XXX from reaching the HTTP server?

I looked on the Apache website for suggestions, and it seems the best it had to offer (near as I can tell) is to use the Order directive in conjunction with allow/deny. As a test, I tried banning my own IP address within /etc/httpd/conf/httpd.conf (my client computer that I'm actually sitting in front of, not the server's IP). That caused the server, when I use IE to pull up its webpage, to show me the "default" page that is shipped with FC5, instead of the website I've built for it. When I removed my IP address from httpd.conf, my HTTP request was resolved normally and I got the actual server webpage I'd built. It means anyone trying to access the HTTP server from a banned IP address would presumably get the same thing - the default FC5 webpage instead of the server's website.

Well, that is *ok*, but what I really want is for the server to simply say "Access denied" or something similar, when a banned IP tries to pull up the server's webpage. Better still, I'd like it to say the computer equivalent of, "HTTP? Who the hell is that?" After all, you cannot attack what you cannot see. The point of course is to thwart attempts to break into the system via HTTP port 80. According to the system logs, port 80 has already been "probed" once. (What does that mean, anyway? Probed with what - a rectal thermometer?)

So, Linux gurus, how do I make this happen? Help me give Apache the tools it needs, to give crackers the middle finger.

Thanks, Matt
 
Old 04-22-2006, 01:58 AM   #2
TigerOC
Stop them at the firewall. Tell iptables to drop the connection on port 80. I personally use MonMotha's firewall script which has a place to ban "bad ip's" and then implement it. To the abuser it appears the system doesn't exist. Bear in mind that many of these blackhats are using proxy servers and they may well re-appear using another address.
 
Old 04-22-2006, 02:19 AM   #3
cylarz
Original Poster
How do I tell iptables to deny a particular IP address? Is there a specific utility to run (either GUI or command-line) or a configuration file I can edit?
 
Old 04-22-2006, 02:21 AM   #4
cylarz
Original Poster
Or alternatively, where do I obtain this "MonMotha's script?"
 
Old 04-25-2006, 11:03 AM   #5
TigerOC
You must be using some type of firewall at present. There should be a way of configuring the rules so that IP ranges are excluded. I am no iptables expert and perhaps you would be better advised to open a new thread in the Security section of LQ dealing with how to set up the rules in your current firewall configuration.
If you are interested in the MonMotha script then I have a copy and details on using it for NAT/Firewalling on my site. The write-up is Debian based and cannot be used in a RH environment because the rc file system is different.

Last edited by TigerOC; 04-25-2006 at 11:04 AM.
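
The firewall approach suggested in this thread (drop banned sources on port 80 so the server never answers them), as an added example that is not part of any post and is not MonMotha's script. The chain name `HTTP_BAN` and the one-entry-per-line ban-list format are assumptions made for the example; it only prints the `iptables` commands so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the thread): print iptables commands that DROP
# TCP port 80 traffic from every address or network in a ban list.
CHAIN=HTTP_BAN   # hypothetical chain name chosen for this example

# Succeed if $1 is dotted-quad IPv4 with an optional /0-32 prefix.
valid_ipv4_cidr() {
    addr=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr          # split on dots; safe, addr holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read file $1 (one entry per line, "#" starts a comment) and print the rules.
# Invalid entries are reported on stderr and produce no rule.
emit_ban_rules() {
    echo "iptables -N $CHAIN"
    # -I puts the jump first in INPUT, ahead of any rule accepting port 80.
    echo "iptables -I INPUT -p tcp --dport 80 -j $CHAIN"
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$entry" ] || continue
        if valid_ipv4_cidr "$entry"; then
            echo "iptables -A $CHAIN -s $entry -j DROP"
        else
            echo "skipped invalid entry: $entry" >&2
        fi
    done < "$1"
}

# Constructed sample list using documentation ranges, not real offenders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
203.0.113.7
198.51.100.0/24   # a whole network
123.456.789.0/24  # not a valid address: octets above 255
EOF
emit_ban_rules "$sample"   # dry run: review, then pipe to "sh" as root to apply
rm -f "$sample"
```

Keeping the bans in their own chain means the list can be emptied with `iptables -F HTTP_BAN` and rebuilt without touching the rest of the firewall rules.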
 
  

