SOPA

Monday, March 23, 2009

Apache2 : Blocking access to a range of IPs

A few days back we had a problem: someone in a particular hostel was flooding MySQL through our website.
The problems were:

1. We had to block the entire range of IPs for those places (as the person was able to change his/her IP and flood again).

2. We could not stop them from accessing apache2 completely, as the server also hosts the local Linux repos for the network. Blocking access to port 80 would also block the repos for that range.

3. A few IPs in the blocked range had to be allowed, as they belonged to known people who needed the access.

We followed a step-by-step approach to this.

1. To block the entire range, we had to deny the network address together with its subnet mask, as follows.

Open and edit the site configuration in /etc/apache2/sites-enabled/

[code]
NameVirtualHost *:443
NameVirtualHost *:80

ServerAdmin webmaster@localhost

DocumentRoot /var/www/
# Container path assumed from the stock Debian site file
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    # Allow is evaluated first, then Deny; a Deny match overrides
    Order allow,deny
    allow from all
    deny from 192.168.xxx.0/255.255.xxx.0
    # This directive allows us to have apache2's default start page
    # in /apache2-default/, but still have / go to the right place
    #RedirectMatch ^/$ /apache2-default/
</Directory>
[/code]

Here apache2 is blocking the IP range 192.168.xxx.0 to 192.168.xxx.255, which has the subnet mask 255.255.xxx.0.

2. To allow access to the repos on the server.

Open and edit the site configuration in /etc/apache2/sites-enabled/

[code]
NameVirtualHost *:443
NameVirtualHost *:80

ServerAdmin webmaster@localhost

DocumentRoot /var/www/
# Container path assumed from the stock Debian site file
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
    deny from 192.168.xxx.0/255.255.xxx.0
    # This directive allows us to have apache2's default start page
    # in /apache2-default/, but still have / go to the right place
    #RedirectMatch ^/$ /apache2-default/
</Directory>

# The repos live outside /var/www/, so the deny above does not apply to them.
# Each <Directory> path below is taken from its Alias target.
Alias /repo/ubuntu "/var/spool/apt-mirror/mirror/archive.ubuntu.com/ubuntu/"
<Directory "/var/spool/apt-mirror/mirror/archive.ubuntu.com/ubuntu/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from all
</Directory>

Alias /repo/wine "/var/spool/apt-mirror/mirror/wine.budgetdedicated.com/apt/"
<Directory "/var/spool/apt-mirror/mirror/wine.budgetdedicated.com/apt/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from all
</Directory>

Alias /repo/media "/var/spool/apt-mirror/mirror/packages.medibuntu.org/"
<Directory "/var/spool/apt-mirror/mirror/packages.medibuntu.org/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from all
</Directory>

Alias /yum "/var/cache/yum/"
<Directory "/var/cache/yum/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from none
    Allow from all
</Directory>
[/code]

3. Unblocking a few IPs.

Open and edit the site configuration in /etc/apache2/sites-enabled/

[code]
NameVirtualHost *:443
NameVirtualHost *:80

ServerAdmin webmaster@localhost

DocumentRoot /var/www/
# Container path assumed from the stock Debian site file
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    # Deny is evaluated first, then Allow; an Allow match overrides
    Order deny,allow
    deny from 192.168.xxx.0/255.255.xxx.0
    allow from 192.168.xxx.yyy
    # This directive allows us to have apache2's default start page
    # in /apache2-default/, but still have / go to the right place
    #RedirectMatch ^/$ /apache2-default/
</Directory>
[/code]

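Here the Order is changed to deny,allow. It is interesting to note that an "allow from all" line is not required to allow everyone else, which initially confused me. With Order deny,allow, a client that matches neither a deny nor an allow line is allowed by default, and an allow match overrides a deny match.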
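The evaluation order behind steps 1 and 3, as an added example that is not part of the original post: a small Python model of Apache 2.2's Order/Allow/Deny logic, including what happens if the exception IP is added without changing the Order. The /24 range and the client addresses are constructed stand-ins for the masked 192.168.xxx values.

```python
"""Model of Apache 2.2 Order/Allow/Deny evaluation (illustrative, not Apache code)."""
from ipaddress import ip_address, ip_network

# Constructed stand-ins for 192.168.xxx.0/255.255.xxx.0 and 192.168.xxx.yyy
BLOCKED = "192.168.10.0/255.255.255.0"
FRIEND = "192.168.10.25"
CLIENTS = {"hostel": "192.168.10.77", "friend": FRIEND, "outside": "192.168.20.5"}


def matches(client, specs):
    """True if client matches any spec: 'all', a single IP, or network/mask."""
    addr = ip_address(client)
    return any(s == "all" or addr in ip_network(s, strict=False) for s in specs)


def permitted(order, allow, deny, client):
    """Apply the Order rule to one client address."""
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "allow,deny":
        # Default is deny; a Deny match overrides any Allow match.
        return allowed and not denied
    if order == "deny,allow":
        # Default is allow; an Allow match overrides a Deny match.
        return allowed or not denied
    raise ValueError(f"unsupported Order: {order}")


def decisions(config):
    """Map each constructed client name to True (served) or False (403)."""
    order, allow, deny = config
    return {name: permitted(order, allow, deny, ip) for name, ip in CLIENTS.items()}


# (Order, Allow list, Deny list) for each configuration in the post
STEP1 = ("allow,deny", ["all"], [BLOCKED])          # block the whole range
NAIVE = ("allow,deny", ["all", FRIEND], [BLOCKED])  # exception added, Order unchanged
STEP3 = ("deny,allow", [FRIEND], [BLOCKED])         # Order flipped, no "allow from all"
REPO = ("deny,allow", ["all"], ["all"])             # repo directories from step 2

if __name__ == "__main__":
    for label, cfg in [("step1", STEP1), ("naive", NAIVE), ("step3", STEP3), ("repo", REPO)]:
        print(label, decisions(cfg))
```
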

I hope this config helps people as much as I have broken my head over it.