Banning IP addresses across multiple virtual hosts?

Discussion in 'Apache' started by borque, Sep 13, 2009.

  1. #1
    Apache 2.2

    I'm happily banning IP addresses for each virtual host using code similar to this in each virtual host's conf file:

    <Directory /var/www/abcd>
        # Order takes no space after the comma
        Order allow,deny
        Allow from all
        Deny from aa.bb.cc.dd
        Deny from ee.ff.gg.hh
        # etc
    </Directory>

    I'm getting tired of entering the same IP addresses into multiple conf files. Can anyone tell me

    a) whether I can put this code somewhere else where it will affect all virtual hosts? I've tried putting it in the main apache2.conf but it didn't work.

    b) can I somehow read deny lists from a common, shared file?

    c) is there a better method entirely for IP blocking across vhosts?

    Many thanks :)
     
    borque, Sep 13, 2009
  2. RHS-Chris
    #2
    I would suggest that, instead of banning IPs from accessing Apache, you use a firewall to ban them completely from the server. A nice little firewall, with or without a control panel, is CSF:

    http://www.configserver.com/cp/csf.html

    This will drop the banned IPs from accessing the server in any way, not just Apache. It also has LFD with it, a login failure daemon that will ban IPs that have x amount of failed logins to your server, which is nice as well. If you do not have a control panel, banning IPs when CSF is installed is easy, just use:

    csf -d IP_address
     
    RHS-Chris, Sep 13, 2009
  3. borque
    #3
    Thanks for that suggestion - seems like it might do the job and would integrate with Webmin as well.

    However, the LFD part worries me a little - I'm already running Fail2ban for that sort of access control.

    I wonder whether I can install CSF then disable the LFD functionality? <edit> I think that is possible looking at the CSF control panel screenshot on their site.
     
    Last edited: Sep 13, 2009
    borque, Sep 13, 2009
  4. hostvault
    #4
    Hello,

    It's possible after the install of CSF to disable many, many functions of LFD easily. You can alternatively just ban an IP via iptables.
     
    hostvault, Sep 15, 2009
  5. borque
    #5
    Unfortunately due to my server being on a virtual host, I can't use anything that uses IPTables :(

    So, it's back to just banning in Apache.
     
    borque, Sep 15, 2009
  6. RHS-Chris
    #6
    From your OP, you state that you have access to the Apache configuration files. Are you on a VPS, dedicated, or shared hosting?
     
    RHS-Chris, Sep 15, 2009
  7. borque
    #7
    It's a VPS solution - I have root access but due to the virtualization layer cannot access IPTables.
     
    borque, Sep 16, 2009
  8. RHS-Chris
    #8
    Then you need to talk to your VPS provider, and ask them to make the required modules available.
     
    RHS-Chris, Sep 16, 2009
  9. hostvault
    #9
    Hello,

    You may also want to check out blocking IPs by .htaccess. It will require more work, but it might work out for you.
     
    hostvault, Sep 16, 2009
  10. borque
    #10
    They've said that they can't make them available to me, although they will happily add rules to IPTables for me - not a great solution since of course the IPs constantly change. I suppose I could do it with IP ranges but that's a bit of a coarse solution.

    Something like CSF with a Webmin interface would have been perfect.

    I'll have another word with them to see if they can suggest anything else. Really I need a dedicated server but my sites don't generate enough revenue for that to be a possibility at the moment.
     
    Last edited: Sep 16, 2009
    borque, Sep 16, 2009
  11. borque
    #11
    Hi there - I think that anything I can do in .htaccess can also be done in the config files using the deny directive? Or am I wrong there?
     
    borque, Sep 16, 2009
  12. RHS-Chris
    #12
    RHS-Chris, Sep 16, 2009
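
An added example (not written by any poster in this thread) for question (b) of the first post, reading the deny list from one shared file in Apache 2.2: each virtual host's <Directory> section pulls in the same file with Include. The file path, host names, directories and addresses are assumptions chosen for illustration.

```apache
# Constructed example for Apache 2.2 (Order/Allow/Deny from mod_authz_host).
# Every path, host name and address below is a placeholder, not a value
# from the thread.

# ---- /etc/apache2/banned-ips.conf (hypothetical shared file) ----
# Only Deny lines live here, so the ban list is edited in one place.
Deny from 192.0.2.10
Deny from 198.51.100.0/24
Deny from 203.0.113.77

# ---- first virtual host's conf file ----
<VirtualHost *:80>
    ServerName abcd.example
    DocumentRoot /var/www/abcd
    <Directory /var/www/abcd>
        # allow,deny: Allow is evaluated first, then Deny, so an address
        # matching both "Allow from all" and a Deny line is refused.
        Order allow,deny
        Allow from all
        # Include is valid in directory context; the shared Deny lines are
        # read as if they were typed inside this section.
        Include /etc/apache2/banned-ips.conf
    </Directory>
</VirtualHost>

# ---- second virtual host's conf file ----
<VirtualHost *:80>
    ServerName efgh.example
    DocumentRoot /var/www/efgh
    <Directory /var/www/efgh>
        Order allow,deny
        Allow from all
        Include /etc/apache2/banned-ips.conf
    </Directory>
</VirtualHost>
```

Included files are read only when Apache starts or reloads, so after editing the shared file run `apachectl configtest` and then a graceful restart for the new list to take effect.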