This article is about securing apache2.

There are some excellent resources and articles about the things you can do to secure Apache 2.  One is by Pete Freitag, called 20 ways to Secure your Apache Configuration.  Although it is quite an old post, much of it is still relevant.

Don't give too much information

Hiding the Apache version information is a worthwhile change and can be done by adding

# Turn off apache version info displaying
ServerSignature Off
ServerTokens Prod

to /etc/apache2/apache2.conf.  On Debian and Ubuntu, however, /etc/apache2/conf-enabled/security.conf (which is included near the end of apache2.conf) already sets ServerTokens OS and ServerSignature On, and the later definition wins, so change the two directives there instead, otherwise the edit has no effect.

Version information can be useful in attack planning, as there are often bugs and exploits that are specific to a version (later versions having been patched, for example).  Note that ServerTokens Prod still sends "Server: Apache", so this reduces what is advertised rather than concealing the server: Apache can still be fingerprinted from its behaviour, and the only real protection against version-specific exploits is keeping it patched.

Blocking ip addresses

I would recommend the approach in Implementing fail2ban with custom apache filter, ipset, and a sample based verification approach instead of (or in conjunction with) the one below.  Fail2ban automates the blocking of IPs based on regular expressions matched against the requests received.  Because that implementation uses ipset, offending addresses are dropped at the firewall rather than each request being accepted, processed and then refused by Apache.

Apache allows several approaches to blocking IP addresses.  You might have a handful of IP addresses you would like to block, or several hundred.  The approach outlined here is aimed at the latter.

This assumes you're using Apache 2.4; the Require directives used below do not exist in 2.2.  We'll be using the <RequireAll> directive inside a <Location /> directive, and I'm assuming you're also using Apache as a reverse proxy (as outlined here), although <Location /> matches every request, proxied or not, so the same block works on a plain web server.  You can place it inside a <Proxy *> directive instead if you only want it to apply to proxied requests.  One caveat: Require ip compares against the address of the connecting peer, so if Apache itself sits behind another proxy or load balancer you need mod_remoteip (RemoteIPHeader and RemoteIPInternalProxy) so that the real client address is used; otherwise you would be matching, and possibly blocking, the upstream proxy rather than the client.

Let's first start with creating a file with the blocked ip addresses in there.  This file can be placed anywhere but for simplicity we'll keep it in /etc/apache2.  Create a file like this:

sudo nano /etc/apache2/ipblacklist.conf

This will open our text editor, nano.  You want every line to start with

Require not ip

followed by a space and then one IP address, or multiple addresses separated by spaces.  Each address may be a single host, a CIDR range such as 192.0.2.0/24, or a network/netmask pair; lines starting with # are comments.

Here's an example of a file with IP addresses from the excellent wizcrafts.net/htaccess-blocklists.  Note that I used the .htaccess files provided there, but since I'm not using .htaccess in this approach I modified (simplified) the file to only contain the lines starting with "Require not ip".  Third-party lists like this block whole hosting providers (DigitalOcean and OVH ranges appear below), so review the list against the users and services you actually expect before deploying it, and make sure that your own server's address, and the addresses of any hosts that call your site, are not inside a listed range.

Example of a file for black-listed ip addresses (which we are going to block)
### NOTE: THE COMMANDS IN THIS BLOCKLIST APPLY TO APACHE 2.4 AND NEWER. THEY ARE NOT BACKWARDS COMPATIBLE! 
### THEY WILL CAUSE A SERVER 500 ERROR LOCKOUT IN EARLIER VERSIONS OF APACHE!
### BEFORE USING THIS BLOCKLIST, MAKE SURE THAT YOUR WEBSITE IS RUNNING ON APACHE WEB SERVER 2.4 OR NEWER.

##### IMPORTANT USAGE NOTES
### If your website, or dedicated server, has an IP address falling within the ones below and you use absolute URLs in your includes or links, those pages will be blocked from loading.
### If this occurs you should find the IP of your website, or server, and remove (or narrow) the range below that contains it.  (The original list suggests "allow from", which is Apache 2.2 syntax; inside the <RequireAll> block used here a matching "Require not ip" always denies, so the range itself has to go.)
### You can find your website's IP address by logging into your website's Control Panel (e.g. cPanel, Plesk, vDeck, Ensim) and it should be displayed on the control panel home page.
### You can also run a Whois lookup, at http://whois.domaintools.com, on your domain name, to see the IP where it is hosted.
### Example of a page that might be blocked: you use PHP (or SSI) includes for headers, navigation links, or footers, of this form: <?php include('http://www.example.com/folder/filename'); ?>
### If your web server is covered by this blocklist the included page will get a 403 Forbidden server status.
    
# Miscellaneous badware, comment spam (including Zhou Pizhong and DataShack) and exploiting hosts and servers:
Require not ip 5.34.240.0/21 5.61.32.0/20 5.135.0.0/16 5.254.144.213 27.122.14.0/24 37.1.208.0/21 37.187.0.0/17 45.43.224.0/20 62.210.82.0/23 63.141.224.0/19 67.215.235.224/27 69.197.186.0/24 72.46.128.0/19 78.46.64.0/19 79.143.80.0/22 91.121.0.0/16 94.23.0.0/16 94.242.237.0/24 104.36.84.0/24 104.168.128.0/17 104.243.128.0/20 104.194.0.0/19 104.200.154.0/24 104.243.128.0/20 107.150.32.0/19 107.183.203.174 137.175.0.0/17 142.0.128.0/20 142.4.96.0/19 142.4.192.0/19 142.54.160.0/19 151.236.36.16 173.208.128.0/17 184.28.188.177 185.43.220.0/22 188.165.192.0/18 192.3.0.0/20 192.34.108.176/28 192.74.224.0/19 192.151.144.0/20 192.187.96.0/19 192.227.128.0/17 194.28.115.0/24 198.2.192.0/18 198.199.64.0/18 198.204.224.0/19 208.76.83.195 208.89.208.0/21 208.115.124.0/23 208.115.192.0/18 208.167.254.64/26 209.126.132.11

# Bulk email company Media Place Ground, 23.95.187.196 - 23.95.187.222
Require not ip 23.95.187.196/30 23.95.187.200/29 23.95.187.208/28

# United Gameservers in Germany (compromised by spammers)
Require not ip 89.163.150.105

# DigitalOcean and ServerStack
Require not ip 46.101.0.0/16 82.196.0.0/20 95.85.0.0/21 104.131.0.0/16 107.170.0.0/16 141.0.170.0/24 185.14.187.0/24 188.226.128.0/17 192.34.56.0/21 192.81.208.0/20 208.68.36.0/22

# Psychz Networks - Spam and attack friendly web hosting company that turns a blind eye to abuse reports
Require not ip 23.91.0.0/19 23.238.128.0/17 45.35.20.192/26 74.117.56.0/21 104.149.0.0/16 107.160.158.64/27 108.171.240.0/20 160.20.12.0/22 173.224.208.0/20 192.210.48.0/20 199.71.212.0/22 199.119.200.0/21 208.87.240.0/22 216.24.192.0/20 216.99.144.0/20

# Spammers from MNT-WEBEXXPURTS or OVH servers in France
Require not ip 37.203.208.0/24 91.121.0.0/18 149.255.107.2 185.3.134.0/24 176.31.0.0/16 176.61.140.0/22

# Proxy servers and services and hosting companies with proxy server clients, listed by the full CIDR of the hosting company.
Require not ip 61.206.125.0/24 62.171.194.0/23 62.210.56.250 75.126.0.0/16 80.33.0.0/16 80.58.0.0/16 81.12.0.0/17 83.16.154.152/29 85.10.219.104/29 85.92.130.0/24 88.198.241.104/29 88.198.252.144/29 145.253.239.8/29 150.188.0.0/15 178.73.192.0/23 193.164.131.0/24 194.112.195.202 198.145.112.128/25 198.145.182.0/26 200.30.64.0/20 200.43.108.0/24 200.75.128.0/20 200.126.112.0/20 200.172.222.0/26 200.202.192.0/18 200.210.0.0/16 203.160.0.0/23 207.44.128.0/17 207.210.192.0/18 208.110.68.144/29 216.104.32.0/20

# Individual Proxy Server IPs
Require not ip 5.153.234.154 64.20.205.251 64.202.161.130 66.6.122.130 66.36.230.163 66.37.153.74 66.63.167.166 66.79.162.102 66.212.18.89 66.232.107.140 69.50.208.74 69.94.124.137 72.55.146.175 72.167.115.164 74.115.6.56 74.208.16.108 75.175.243.195 76.76.15.73 77.235.40.189 85.92.130.117 88.198.5.220 88.214.192.24 91.186.21.78 107.151.152.218 141.76.45.34 206.221.184.108 208.100.20.148 209.139.208.236

# Cyveillance, Performance Systems International (PSI) and associated companies (Internet Content Spies)
Require not ip 38.100.21.0/24 38.100.22.104/29 38.100.22.112/28 38.100.22.128/26 38.100.41.64/26 38.104.111.92/30 38.108.108.160/27

# End of file

Now that we've created our file, we need to modify our Apache config to use it.

On Ubuntu, add the following to /etc/apache2/apache2.conf (or to the virtual host that fronts the proxied site):

# Reverse proxy only: ProxyRequests Off stops Apache acting as an open forward proxy.
# Allow all proxied requests by default; the blocklist below then removes the bad ones.
ProxyRequests Off
ProxyVia Off
<Proxy *>
    Require all granted
</Proxy>

# Block the addresses in ipblacklist.conf: under <RequireAll> every directive must pass,
# so a matching "Require not ip" denies the request even though "Require all granted" succeeds.
<Location />
   <RequireAll>
      Require all granted
      Include /etc/apache2/ipblacklist.conf
   </RequireAll>
</Location>

# Custom 403 Forbidden message. Note that this applies to every 403 the server returns, not only to blacklisted IPs.
ErrorDocument 403 "<h3>Unusual activity has been detected from this IP address.</h3><p>As a consequence, access has been denied.</p><p>If you believe this is a mistake please contact me directly.</p>"

Finally, reload the apache2 configuration.  The reload checks the configuration syntax first and keeps the running configuration if the new one has an error, so read its output rather than assuming the blocklist is active:

sudo service apache2 reload
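
As an added example (not part of the original article or of the wizcrafts list), here is a small Python 3 script that checks a blocklist in the format described above before it is reloaded into Apache, and simulates what the <RequireAll> block in apache2.conf decides for a given client address: because "Require all granted" is combined with the included "Require not ip" lines under <RequireAll>, any matching "not" entry denies the request.  The script flags lines Apache 2.4 would not expect in such a file (such as leftover 2.2 "Deny from" directives), CIDR entries with host bits set, duplicated entries, and entries already covered by a wider range (the wizcrafts list above, for instance, lists 104.243.128.0/20 twice and has 91.121.0.0/18 inside 91.121.0.0/16).  The built-in sample list, the file name check_blocklist.py and the addresses tested are constructed for the example; point it at /etc/apache2/ipblacklist.conf and at your own server's address to check that you are not blocking yourself.

```python
"""check_blocklist.py: sanity-check an Apache 2.4 'Require not ip' blocklist.

Added example, not part of the original article or of the wizcrafts list.
Parses the file format used above, flags malformed or redundant entries and
shows which entries would deny a given address under the <RequireAll> block:
"Require all granted" plus the included "Require not ip" lines means any
matching "not" entry results in a 403.
"""
import ipaddress
import re
import sys

# Case-insensitive, because Apache directive names are.
REQUIRE_NOT_IP = re.compile(r"^\s*Require\s+not\s+ip\s+(.+?)\s*$", re.IGNORECASE)
# Apache also accepts a partial IPv4 address ("10.1" means 10.1.0.0/16).
PARTIAL_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,2}$")

# Constructed sample in the same format as /etc/apache2/ipblacklist.conf, using
# documentation ranges (RFC 5737 / RFC 3849). The duplicate, the overlap, the
# host bits and the Apache 2.2 directive are deliberate mistakes to be reported.
SAMPLE_BLOCKLIST = """\
### comments and blank lines are skipped
# 192.0.2.0/24 is listed twice, 198.51.100.0/28 is inside 198.51.100.0/24
Require not ip 192.0.2.0/24 198.51.100.0/28 192.0.2.0/24
Require not ip 198.51.100.0/24 203.0.113.7 10.1
Require not ip 172.16.5.9/12
Require not ip 2001:db8::/32
Deny from 10.0.0.0/8
"""


def parse_token(token):
    """Convert one 'Require ip' argument (host, CIDR, address/netmask or partial
    IPv4 address) into an ip_network, masking host bits as Apache does."""
    if PARTIAL_IPV4.match(token):
        octets = token.split(".")
        token = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    return ipaddress.ip_network(token, strict=False)


def parse_blocklist(text):
    """Return (entries, problems).

    entries:  list of (line_no, network, original_token)
    problems: list of (line_no, message) for lines that do not belong in a
              2.4 'Require not ip' list or probably do not mean what was intended
    """
    entries, problems = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = REQUIRE_NOT_IP.match(line)
        if not match:
            problems.append((line_no, f"unexpected directive: {line}"))
            continue
        for token in match.group(1).split():
            try:
                net = parse_token(token)
            except ValueError as exc:
                problems.append((line_no, f"bad address {token!r}: {exc}"))
                continue
            if "/" in token:
                try:
                    ipaddress.ip_network(token, strict=True)
                except ValueError:
                    problems.append((line_no, f"{token} has host bits set; Apache masks it to {net}"))
            entries.append((line_no, net, token))
    return entries, problems


def find_redundancies(entries):
    """Report duplicated networks and networks already covered by a wider entry."""
    findings, first_seen = [], {}
    for line_no, net, token in entries:
        if net in first_seen:
            findings.append(f"line {line_no}: {token} duplicates line {first_seen[net]}")
        else:
            first_seen[net] = line_no
    unique = list(first_seen.items())
    for net_a, line_a in unique:
        for net_b, line_b in unique:
            if net_a.version == net_b.version and net_a != net_b and net_a.subnet_of(net_b):
                findings.append(f"line {line_a}: {net_a} is already covered by {net_b} (line {line_b})")
    return findings


def blocking_entries(entries, address):
    """Entries that would deny 'address' under the <RequireAll> block.
    An empty list means the request is allowed through."""
    ip = ipaddress.ip_address(address)
    return [(line_no, token) for line_no, net, token in entries
            if net.version == ip.version and ip in net]


def main(argv):
    """usage: check_blocklist.py [blocklist-file] [address ...]"""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_BLOCKLIST
    entries, problems = parse_blocklist(text)
    print(f"{len(entries)} entries, {len(problems)} problems")
    for line_no, message in problems:
        print(f"  problem, line {line_no}: {message}")
    for finding in find_redundancies(entries):
        print(f"  redundant, {finding}")
    for address in argv[2:] or ["198.51.100.5", "10.2.0.1"]:
        hits = blocking_entries(entries, address)
        print(f"{address}: {'403 from ' + str(hits) if hits else 'allowed'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as python3 check_blocklist.py /etc/apache2/ipblacklist.conf 203.0.113.7, passing your own address and the addresses of any services that fetch from your site.  The host, CIDR, address/netmask and partial-address forms are the ones Apache's Require ip documents; "Deny from" belongs to the 2.2 syntax (mod_access_compat) and should not be mixed into a 2.4 list, which is why the script reports it.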

References

  1. https://www.petefreitag.com/item/505.cfm
  2. http://www.wizcrafts.net/htaccess-blocklists.html
  3. https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html