This article is about securing apache2.
There's some excellent resources and article about several things you can do to secure apache2. One is by Peter Freitag and called 20 ways to Secure your Apache Configuration. Although it is quite an old post, much of it is still relevant.
Don't give too much information
Hiding apache version information is a worthwhile change and can be done by adding
# Turn off apache version info displaying
Version information can be useful in attack planning as there are often bugs and exploits that are particular to a version (later versions having been patched for example).
Blocking ip addresses
Apache allows several approaches to blocking ip addresses. You meant have several ip addresses you would like to block, or several hundred. The approach outlined here is focused more on the latter.
This assumes you're using apache 2.4. We'll using using the <RequireAll> directive inside a <Location /> directive so I'm assuming you're using a apache also as a reverse-proxy (like outlined here). Alternatively you can place it inside a <Proxy *> directive as well.
Let's first start with creating a file with the blocked ip addresses in there. This file can be placed anywhere but for simplicity we'll keep it in /etc/apache2. Create a file like this:
sudo nano /etc/apache2/ipblacklist.conf
This will open our text editor: nano. You want every line to start with
followed by a space and then either an ip address or an multiple ip addresses separated by a space.
Here's an example of a file with ip addresses from the excellent wizcrafts.net/htaccess-blocklists. Note though that I used the .htaccess files provided but since I'm not using .htaccess in this approach I modified (simplifed) the file to only contain the lines starting with "Require not ip":
### NOTE: THE COMMANDS IN THIS BLOCKLIST APPLY TO APACHE 2.4 AND NEWER. THEY ARE NOT BACKWARDS COMPATIBLE!
### THEY WILL CAUSE A SERVER 500 ERROR LOCKOUT IN EARLIER VERSIONS OF APACHE!
### BEFORE USING THIS BLOCKLIST, MAKE SURE THAT YOUR WEBSITE IS RUNNING ON APACHE WEB SERVER 2.4 OR NEWER.
##### IMPORTANT USAGE NOTES
### If your website, or dedicated server, has an IP address falling within the ones below and you use absolute URLs in your includes or links, those pages will be blocked from loading.
### If this occurs you should find the IP of your website, or server, and allow it, using the example form: allow from (your IP address(es))
### You can find your website's IP address by logging into your website's Control Panel (e.g. Cpanel, Plesk, vDeck, Ensim) and it should be displayed on the control panel home page.
### You can also run a Whois lookup, at - http://whois.domaintools.com - on your domain name, to see the IP where it is hosted.
### Example of a page that might be blocked: You use PHP (or SSI) includes for headers, navigation links, or footers, using this form: <php include('http://www.example.com/folder/filename');
### If your web server is covered by this blocklist the included page will get a 403 forbidden server status.
# Miscellaneous badware, comment spam (including Zhou Pizhong and DataShack) and exploiting hosts and servers:
Require not ip 220.127.116.11/21 18.104.22.168/20 22.214.171.124/16 126.96.36.199 188.8.131.52/24 184.108.40.206/21 220.127.116.11/17 18.104.22.168/20 22.214.171.124/23 126.96.36.199/19 188.8.131.52/27 184.108.40.206/24 220.127.116.11/19 18.104.22.168/19 22.214.171.124/22 126.96.36.199/16 188.8.131.52/16 184.108.40.206/24 220.127.116.11/24 18.104.22.168/17 22.214.171.124/20 126.96.36.199/19 188.8.131.52/24 184.108.40.206/20 220.127.116.11/19 18.104.22.168 22.214.171.124/17 126.96.36.199/20 188.8.131.52/19 184.108.40.206/19 220.127.116.11/19 18.104.22.168 22.214.171.124/17 126.96.36.199 188.8.131.52/22 184.108.40.206/18 220.127.116.11/20 18.104.22.168/28 22.214.171.124/19 126.96.36.199/20 188.8.131.52/19 184.108.40.206/17 220.127.116.11/24 18.104.22.168/18 22.214.171.124/18 126.96.36.199/19 188.8.131.52 184.108.40.206/21 220.127.116.11/23 18.104.22.168/18 22.214.171.124/26 126.96.36.199
# Bulk email company Media Place Ground, 188.8.131.52 - 184.108.40.206
Require not ip 220.127.116.11/30 18.104.22.168/29 22.214.171.124/28
# United Gameservers in Germany (compromised by spammers)
Require not ip 126.96.36.199
# DigitalOcean and ServerStack
Require not ip 188.8.131.52/16 184.108.40.206/20 220.127.116.11/21 18.104.22.168/16 22.214.171.124/16 126.96.36.199/24 188.8.131.52/24 184.108.40.206/17 220.127.116.11/21 18.104.22.168/20 22.214.171.124/22
# Psychz Networks - Spam and attack friendly web hosting company that turns a blind eye to abuse reports
Require not ip 126.96.36.199/19 188.8.131.52/17 184.108.40.206/26 220.127.116.11/21 18.104.22.168/16 22.214.171.124/27 126.96.36.199/20 188.8.131.52/22 184.108.40.206/20 220.127.116.11/20 18.104.22.168/22 22.214.171.124/21 126.96.36.199/22 188.8.131.52/20 184.108.40.206/20
# Spammers from MNT-WEBEXXPURTS or OVH servers in France
Require not ip 220.127.116.11/24 18.104.22.168/18 22.214.171.124 126.96.36.199/24 188.8.131.52/16 184.108.40.206/22
# Proxy servers and services and hosting companies with proxy server clients, listed by the full CIDR of the hosting company.
Require not ip 220.127.116.11/24 18.104.22.168/23 22.214.171.124 126.96.36.199/16 188.8.131.52/16 184.108.40.206/16 220.127.116.11/17 18.104.22.168/29 22.214.171.124/29 126.96.36.199/24 188.8.131.52/29 184.108.40.206/29 220.127.116.11/29 18.104.22.168/15 22.214.171.124/23 126.96.36.199/24 188.8.131.52 184.108.40.206/25 220.127.116.11/26 18.104.22.168/20 22.214.171.124/24 126.96.36.199/20 188.8.131.52/20 184.108.40.206/26 220.127.116.11/18 18.104.22.168/16 22.214.171.124/23 126.96.36.199/17 188.8.131.52/18 184.108.40.206/29 220.127.116.11/20
# Individual Proxy Server IPs
Require not ip 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
# Cyveillance, Performance Systems International (PSI) and associated companies (Internet Content Spies)
Require not ip 184.108.40.206/24 220.127.116.11/29 18.104.22.168/28 22.214.171.124/26 126.96.36.199/26 188.8.131.52/30 184.108.40.206/27
# End of file
Now that we've created our file, we need to modify our apache config to use this file.
In Ubuntu you would add the following to the /etc/apache2/apache2.conf
# Default to allow through all reverse proxies.
Require all granted
# Block ip addresses in our ipblacklist.conf file
Require all granted
# Add a 403 forbidden message for blacklisted ips
ErrorDocument 403 "<h3>Unusual activity has been detected from this IP address.</h3><p>As a consequence, access has been denied.</p><p>If you believe this is a mistake please contact me directly.</p>"
Finally, reload apache2 configuration
sudo service apache2 reload