1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Banning IP addresses across multiple virtual hosts?

Discussion in 'Apache' started by borque, Sep 13, 2009.

  1. #1
    Apache 2.2

    I'm happily banning IP addresses for each virtual host using code similar to this in each virtual hosts conf file:

    <directory /var/www/abcd>
    Order allow, deny
    allow from all
    deny from aa.bb.cc.dd
    deny from ee.ff.gg.hh
    etc

    I'm getting tired of entering the same IP addresses into multiple conf files. Can anyone tell me

    a) whether I can put this code somewhere else where it will affect all virtual hosts? I've tried putting it in the main apache2.conf but it didn't work.

    b) can I somehow read deny lists from a common, shared file?

    c) is there a better method entirely for IP blocking accross vhosts?
    SEMrush
    Many thanks :)
     
    borque, Sep 13, 2009 IP
    SEMrush
  2. RHS-Chris

    RHS-Chris Well-Known Member

    Messages:
    1,007
    Likes Received:
    35
    Best Answers:
    10
    Trophy Points:
    150
    #2
    I would suggest instead of banning IP's from accessing apache, you use a firewall to ban then completely from the server. A nice little firewall, with or without a control panel, is CSF:

    http://www.configserver.com/cp/csf.html

    This will drop the banned IP's from accessing the server in any way, not just apache. It also has LFD with it, a log in failure daemon that will ban IP's who have x amount of failed log ins to your server, which is nice as well. If you do not have a control panel, banning IP's whn CSF is installed is easy, just use:

    csf -d IP_address
     
    RHS-Chris, Sep 13, 2009 IP
  3. borque

    borque Peon

    Messages:
    6
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #3
    Thanks for that suggestion - seems like it might do the job and would integrate with Webmin as well.

    However, the LFD part worries me a little - I'm already running Fail2ban for that sort of access control.

    I wonder whether I can install CSF then disable the LFD functionality? <edit> I think that is possible looking at the CSF control panel screenshot on their site.
     
    Last edited: Sep 13, 2009
    borque, Sep 13, 2009 IP
  4. hostvault

    hostvault Peon

    Messages:
    15
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #4
    Hello,

    It's possible after the install of CSF to disable many many functions of LFD easily. You can alternatively just ban an IP via iptables.
     
    hostvault, Sep 15, 2009 IP
  5. borque

    borque Peon

    Messages:
    6
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #5
    Unfortunately due to my server being on a virtual host, I can't use anything that uses IPTables :(

    So, it's back to just banning in Apache.
     
    borque, Sep 15, 2009 IP
  6. RHS-Chris

    RHS-Chris Well-Known Member

    Messages:
    1,007
    Likes Received:
    35
    Best Answers:
    10
    Trophy Points:
    150
    #6
    From your OP, you state that you have access to the apache configuration files. Are you on a VPS, dedicated, or shared hosting?
     
    RHS-Chris, Sep 15, 2009 IP
  7. borque

    borque Peon

    Messages:
    6
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #7
    It's a VPS solution - i have root access but due to the virtualization layer cannot access IPTables.
     
    borque, Sep 16, 2009 IP
  8. RHS-Chris

    RHS-Chris Well-Known Member

    Messages:
    1,007
    Likes Received:
    35
    Best Answers:
    10
    Trophy Points:
    150
    #8
    Then you need to talk to your VPS provider, and ask them to make the required modules available.
     
    RHS-Chris, Sep 16, 2009 IP
  9. hostvault

    hostvault Peon

    Messages:
    15
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #9
    Hello,

    You may also want to checkout blocking IP's by .htaccess. It will require more work, but it might work out for you.
     
    hostvault, Sep 16, 2009 IP
  10. borque

    borque Peon

    Messages:
    6
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #10
    They've said that they can't make them available to me, although they will happily add rules to IPTables for me - not a great solution since of course the IPs constantly change. I suppose I could do it with IP ranges but that's a bit of a coarse solution.

    Something like CSF with a Webmin interface would have been perfect.

    I'll have another word with them to see if they can suggest anything else. Really I need a dedicated server but my sites don't generate enough revenue for that to be a possibility at the moment.
     
    Last edited: Sep 16, 2009
    borque, Sep 16, 2009 IP
  11. borque

    borque Peon

    Messages:
    6
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #11
    Hi there - I think that anything I can do in .htaccess can also be done in the config files using the deny directive? Or am I wrong there?
     
    borque, Sep 16, 2009 IP
  12. RHS-Chris

    RHS-Chris Well-Known Member

    Messages:
    1,007
    Likes Received:
    35
    Best Answers:
    10
    Trophy Points:
    150
    #12
    RHS-Chris, Sep 16, 2009 IP