How secure is it to block IP addresses in .htaccess?

Question

I have one webserver which hosts several different sites. Some are used by external customers and some are only used internally. For the internal sites, I have an .htaccess file which denies all IP addresses but allows any IP address that starts with 10.25.x.x.

IndexIgnore *
deny from all
allow from 10.25.

This means only a PC on our local network can access the server. Even if the customer has a local IP address of 10.25.x.x on their computer, my webserver should only see their public IP, right?

I have no forms that upload files to this directory, so they shouldn't be able to overwrite the .htaccess file.

My question is: Is there any way an attacker can bypass these security methods? If so, what preventive measures can I take to ensure that doesn't happen?
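The following is an added worked example, not code from the question or the answers: it parses the three-line .htaccess above and evaluates it the way Apache 2.2's mod_authz_host does, so you can check which peer addresses get through. Two points a practitioner would want confirmed are built in as checks. First, `allow from 10.25.` is a partial-address match on whole octets, so 10.25.3.7 is admitted but 10.251.0.1 is not. Second, the asker never sets `Order`; Apache 2.2 defaults to `Order Deny,Allow`, under which these rules behave as intended, but the same two lines under `Order Allow,Deny` deny everyone, including the 10.25.x.x hosts. The address being compared is the TCP peer address (REMOTE_ADDR), which is why a customer's private 10.25.x.x address is never seen from the internet; that assumption breaks only if a reverse proxy or load balancer sits in front of the server, because then every request arrives from the proxy's address. The `HTACCESS` string is a constructed copy of the posted file.

```python
import ipaddress

# Constructed copy of the .htaccess from the question. IndexIgnore has no
# effect on access control and is skipped by the parser below.
HTACCESS = """\
IndexIgnore *
deny from all
allow from 10.25.
"""


def parse_rules(text):
    """Return (order, rules). order is the Order directive, defaulting to
    Apache 2.2's 'Deny,Allow' when absent; rules is a list of (verb, operand)."""
    order = "Deny,Allow"
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        verb = parts[0].lower()
        if verb == "order" and len(parts) == 2:
            order = parts[1]
        elif verb in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            for operand in parts[2:]:
                rules.append((verb, operand))
    return order, rules


def operand_matches(operand, remote_addr):
    """Match one Allow/Deny operand against the peer address, for the forms
    Apache 2.2 mod_authz_host accepts: 'all', a CIDR network, a full IPv4
    address, or a partial IPv4 address of 1 to 3 leading octets such as '10.25.'."""
    if operand.lower() == "all":
        return True
    ip = ipaddress.ip_address(remote_addr)
    if "/" in operand:
        return ip in ipaddress.ip_network(operand, strict=False)
    octets = operand.strip(".").split(".")
    if len(octets) < 4:
        # Partial address: compare whole octets, so '10.25.' does not match 10.251.0.1.
        return ip.version == 4 and str(ip).split(".")[:len(octets)] == octets
    return ip == ipaddress.ip_address(operand)


def is_allowed(order, rules, remote_addr):
    """Evaluate the rules the way Apache 2.2 does. With Order Deny,Allow the
    Deny directives are applied first, then Allow, and a request matching
    neither is allowed; with Order Allow,Deny it is the reverse and the
    default is deny. The group evaluated last wins when both match."""
    first, second = [v.strip().lower() for v in order.split(",")]
    allowed = (first == "deny")  # default state: allow for Deny,Allow, deny for Allow,Deny
    for verb in (first, second):
        for rule_verb, operand in rules:
            if rule_verb == verb and operand_matches(operand, remote_addr):
                allowed = (verb == "allow")
    return allowed


def check(remote_addr, htaccess=HTACCESS, order=None):
    """True if a request whose TCP peer address is remote_addr would be admitted.
    order overrides the Order directive so the Allow,Deny pitfall can be shown."""
    parsed_order, rules = parse_rules(htaccess)
    return is_allowed(order or parsed_order, rules, remote_addr)


if __name__ == "__main__":
    for addr in ("10.25.3.7", "10.251.0.1", "203.0.113.5"):
        print(addr, "allowed" if check(addr) else "denied")
    print("10.25.3.7 under Order Allow,Deny:",
          "allowed" if check("10.25.3.7", order="Allow,Deny") else "denied")
```

On Apache 2.4 the same intent is written with the new authorization syntax, `Require ip 10.25.0.0/16` (without `Order`, `Allow` or `Deny`, which only work there if mod_access_compat is loaded). If the server sits behind a reverse proxy, the check must be made on the client address the proxy supplies (mod_remoteip in 2.4) and only after the proxy itself has been listed as trusted; otherwise the rule compares the proxy's address for every request.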

Answer

I think the answer of Sébastien Renauld shows that IP black/white listing is not perfect for securing your websites. Your application should already be secure enough for a publicly accessible deployment. Anyway, IP restrictions do help limit the attack vectors on your application.

Keep in mind that IP spoofing is technically possible, but is pretty difficult to perform.

From outside of the network, a hacker has to bypass at least the following obstacles.

  • Any ISP logic that removes faulty IP packets (aka, having a source IP address which is not the same as the sender's IP).
  • Any firewall/gateway/router on your side that drops these packets. Usually internal and external networks are separated, and packets are not easily routed between these networks.
  • HTTP uses the TCP protocol, which includes a three-way handshake as part of the connection setup. This means that the sender needs to acknowledge the connection as well. In short: this connection setup uses an arbitrary number to synchronize the server's and the client's communication. A hacker needs to guess this number and send it at the correct moment.

There are many more obstacles than I just summed up which need to be bypassed by an attacker, like preventing a local, legitimate client from interfering with the attack. (Think about where the server's responses to the spoofed IP address will go, and what the impersonated client will do.)

The easier way of spoofing an IP address is doing it from within the network itself. Well, if that is already possible, you probably have some other things to look into first :)

I hope you will see that it is practically not feasible that a hacker will perform this attack these days. Security is a balance between the effort needed and the satisfaction gained by an attacker.

Therefore I would say that IP white listing, next to binding to the local network as Sébastien Renauld suggests, is a good enough security practice. You still need to assume that an attacker can gain access to your internal network, and therefore should also look into the security of your websites and server themselves.
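As an added illustration of the handshake obstacle in the list above, and of the answer's parenthetical question about where the replies to a spoofed address go, here is a toy model of the three-way handshake. It is not code from the answer or from any real TCP stack: the server hands out a 32-bit initial sequence number (ISN) drawn with `secrets.randbits`, whereas real stacks derive it per RFC 6528, but the property that matters is the same, the number is unpredictable to an outsider. A legitimate 10.25.x.x client sees the SYN-ACK and can return ISN+1. A blind spoofer outside the network never sees the SYN-ACK, because it is routed to the forged source address, so its ACK has to guess a 32-bit value. And if the impersonated host is actually up, it receives an unsolicited SYN-ACK and answers with RST, which tears down the half-open connection before the attacker's ACK arrives. The class and function names are assumptions for the model.

```python
import secrets

MASK32 = 0xFFFFFFFF


class Server:
    """Minimal model of a TCP listener (constructed for this example):
    SYN -> SYN-ACK carrying a random 32-bit ISN; the connection is only
    established if the ACK carries ISN+1 for a connection still in SYN-RECEIVED."""

    def __init__(self):
        self.half_open = {}     # (ip, port) -> server ISN while in SYN-RECEIVED
        self.established = set()

    def on_syn(self, src_ip, src_port, client_isn):
        server_isn = secrets.randbits(32)
        self.half_open[(src_ip, src_port)] = server_isn
        # The SYN-ACK is routed to src_ip, whichever host really sent the SYN.
        return {"dst": src_ip, "seq": server_isn, "ack": (client_isn + 1) & MASK32}

    def on_ack(self, src_ip, src_port, ack):
        server_isn = self.half_open.get((src_ip, src_port))
        if server_isn is None or ack != (server_isn + 1) & MASK32:
            return False          # no such half-open connection, or wrong number
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True

    def on_rst(self, src_ip, src_port):
        # An RST from the peer discards the half-open connection.
        self.half_open.pop((src_ip, src_port), None)


def legitimate_client(server, ip, port=40000):
    """A host on the trusted network: it receives the SYN-ACK and echoes ISN+1."""
    syn_ack = server.on_syn(ip, port, secrets.randbits(32))
    return server.on_ack(ip, port, (syn_ack["seq"] + 1) & MASK32)


def blind_spoof_attempts(server, spoofed_ip, attempts, port=40001):
    """An outsider forging spoofed_ip. The SYN-ACK goes to spoofed_ip, not to
    the attacker, so every ACK is a blind guess at a 32-bit ISN.
    Returns how many of the attempts established a connection."""
    successes = 0
    for i in range(attempts):
        server.on_syn(spoofed_ip, port + i, secrets.randbits(32))   # reply never seen
        if server.on_ack(spoofed_ip, port + i, secrets.randbits(32)):
            successes += 1
    return successes


def spoof_with_live_victim(server, victim_ip, port=50000):
    """Same forgery, but the impersonated host is up: it gets an unsolicited
    SYN-ACK, answers RST, and the half-open entry is gone. Even an ACK with the
    right number (granted to the attacker here only to make the point) fails."""
    syn_ack = server.on_syn(victim_ip, port, secrets.randbits(32))
    server.on_rst(syn_ack["dst"], port)          # victim's stack: no SYN sent, so RST
    return server.on_ack(victim_ip, port, (syn_ack["seq"] + 1) & MASK32)


if __name__ == "__main__":
    srv = Server()
    print("legitimate 10.25 client:", legitimate_client(srv, "10.25.0.10"))
    print("blind spoof successes out of 1000:", blind_spoof_attempts(srv, "10.25.0.11", 1000))
    print("spoof with live victim:", spoof_with_live_victim(srv, "10.25.0.12"))
```

The model only covers the obstacle the answer names; it says nothing about an attacker who is already inside the 10.25.x.x network and can see the SYN-ACK on the wire, which is exactly the case the answer sets aside as "some other things to look into first".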
