Apache 2.4.x IP blacklist


Problem description


I'm looking for an easy way to blacklist IP addresses in Apache 2.4.x. My web site logs ip addresses that tried illegal operations into a text file. I would like to use this text file within Apache to deny all access to all vhosts to this ip list. What would be the best way (easiest and least resource consuming way) ? Found this but this is only for 2.2.. Not sure how this applies to 2.4.. Cheers.

edit: this is a windows x64 box running apache x64

Solution

@vastlysuperiorman called it right, csf/lfd is the best at this. Unfortunately, they only run on linux.

This free utility promises to provide the same functionality: dynamically monitor access attempts and auto-block IP addresses. You can unblock with a command, in case of false positives. Certainly worth a shot.

An alternative could be to create a VM (if your platform supports virtualization), deploy a very small spec linux box, and use that as a proxy. This should be easy to implement. BTW, why not just use linux? .. :-)

(this should have been a comment on @vastlysuperiorman's post, but I don't have enough SO reps to comment on the post of others)

Edited to suggest a possible apache 2.4 based solution:

To translate ACL directives between the 2.2 and 2.4 in apache

2.2 Syntax

order Deny,Allow
include conf/IPList.conf
Allow from all

2.4 Syntax

DocumentRoot /some/local/dir

<Directory /some/local/dir/>
   <RequireAll>
      Require all granted
      Include conf/IPList.conf
   </RequireAll>
</Directory>

# this will also work
<Location />
   <RequireAll>
      Require all granted
      Include conf/IPList.conf
   </RequireAll>
</Location>

# conf/IPList.conf is actually in /etc/apache2/conf/IPList.conf
#   (ie, paths are relative to where apache is installed.
#    I guess you can also use the full path to the list.

And inside conf/IPList.conf, you will have individual lines with entries like the following

Require not ip 10.10.1.23
Require not ip 192.168.22.199
Require not ip 10.20.70.100

Using mod-rewrite and a list of IPs for banning

  • For a redirect-to-another-page to work, you need to keep the RewriteRule outside the base URL you are guarding.
  • For instance, the redirect would not work under a Directory directive on DocumentRoot or a Location directive on '/', because the ban affects the status page we want to display.
  • So, best to keep this outside a Directory or Location directive, or link to a status page on another unprotected web server.

# Required set of rewrite rules
RewriteEngine on
# txt: map file; the key is the client address or host name, the value is ignored
RewriteMap    hosts-deny  txt:/etc/apache2/banned-hosts
RewriteCond   ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond   ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND
RewriteRule   ^  /why-am-i-banned.html


##  inside our banned hosts file, we have:
## /etc/apache2/banned-hosts (maintain the format .. its not just a plain text file)
## 

193.102.180.41 -
192.168.111.45 -
www.example.com -
www.sumwia.net -


# inside our status page, could be html as below or a plain text file with '.txt' extension
#/var/www/html/why-am-i-banned.html
#
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Why is my IP banned?</title>
</head>
<body>
<h2>Why is my IP address banned?</h2>
<p>
To manage spammers and for other security needs, our server automatically blocks
suspicious IP addresses. If however you reckon your IP address has been blocked
wrongfully, please contact us.
</p>
</body>
</html>

And of course, you can parse your log files and populate conf/IPList.conf or /etc/apache2/banned-hosts as appropriate ..

As a short term solution

An alternative that will allow you to use the 2.2 syntax is to install the mod_access_compat module and continue using your deprecated 2.2 style 'Deny,Allow' directives. But this is only advisable as a short-term solution, since that module is just there to aid transition and would probably go away in future versions of apache 2.4.
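As an added example (not part of the answer above, nor Apache's own tooling), the following Python script does the "parse your log files and populate" step the answer leaves to the reader: it reads the text file of offending addresses the question describes and generates both files the answer uses, the `Require not ip` list for `conf/IPList.conf` and the `txt:` RewriteMap file for the mod_rewrite variant. It goes slightly beyond the answer by validating every entry with the standard `ipaddress` module, so a malformed or junk log line can never be written into the server configuration, and by writing the files atomically so Apache never reads a half-written list. The sample input, the output file names and the `rewritemap_lookup` helper (which imitates how mod_rewrite resolves `${map:key|default}` on a txt map) are assumptions made for illustration.

```python
"""Generate Apache 2.4 blacklist files from a list of offending addresses.

Added example, not from the original Q&A.  Assumptions: the input is a text
file with one IPv4/IPv6 address or CIDR block per line (the file the question
says the web site writes); output paths are parameters, so the names used in
main() are just placeholders for conf/IPList.conf and /etc/apache2/banned-hosts.
"""
import ipaddress
import os
import tempfile

# Constructed sample of what the site's log of bad actors might contain.
SAMPLE_LOG = """\
# constructed sample: addresses the site flagged
10.10.1.23
192.168.22.199
10.20.70.100
10.10.1.23        # duplicate, dropped
203.0.113.0/24    # a whole block
not-an-ip         # junk line, skipped rather than written into the config
"""


def parse_offenders(text):
    """Return deduplicated, validated networks from raw text, sorted.

    Blank lines and '#' comments are ignored.  Anything that does not parse as
    an address or CIDR block is skipped, so a garbage line can never become a
    syntactically wrong (or unintentionally broad) Require directive.
    """
    nets = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # not an IP or CIDR: skip it
        nets[str(net)] = net  # str() form dedups '10.10.1.23' and '10.10.1.23/32'
    return sorted(nets.values(),
                  key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def require_lines(nets):
    """Lines for conf/IPList.conf: one 'Require not ip' per network.

    'Require ip' accepts a bare address or a CIDR block; a single host is
    written as the bare address to match the style used in the answer.
    """
    lines = []
    for net in nets:
        target = net.network_address if net.num_addresses == 1 else net
        lines.append(f"Require not ip {target}")
    return lines


def rewritemap_lines(nets):
    """Lines for the txt: RewriteMap file ('key value'; the value is just '-').

    A txt map is an exact-match lookup on the key, so only single hosts are
    emitted here; CIDR blocks are left to the Require approach.
    """
    return [f"{net.network_address} -" for net in nets if net.num_addresses == 1]


def rewritemap_lookup(lines, key, default='NOT-FOUND'):
    """Imitate the ${hosts-deny:key|NOT-FOUND} lookup mod_rewrite performs.

    Returns the map value for an exact key match, else the default, which is
    what the answer's 'RewriteCond ... !=NOT-FOUND' tests against.
    """
    for line in lines:
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == key:
            return parts[1]
    return default


def write_atomic(path, lines):
    """Write via a temp file plus rename so a reload never sees a partial file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix='.blacklist-')
    with os.fdopen(fd, 'w') as f:
        f.write('\n'.join(lines) + '\n')
    os.replace(tmp, path)


if __name__ == '__main__':
    nets = parse_offenders(SAMPLE_LOG)
    out = tempfile.mkdtemp()  # placeholder for the real conf/ directory
    write_atomic(os.path.join(out, 'IPList.conf'), require_lines(nets))
    write_atomic(os.path.join(out, 'banned-hosts'), rewritemap_lines(nets))
    print(f"wrote {len(nets)} entries under {out}")
```

After generating the files, run `apachectl configtest` (or `httpd -t` on Windows) before a graceful reload, since a bad line in an `Include`d file takes the whole server configuration down with it; the validation step above is what keeps that from happening when the log contains something other than an address.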
