Apache deny from list of ip's in external file


I'd like to maintain a file which includes a list of IPs which are blocked from using a site. I understand Deny from can be used to achieve this (e.g. Deny from 127.0.0.1 10.0.0.1 some.other.ip.address).

However, I'd like an external file so that an individual who does not have access to the config can update a txt file with IPs, and this will then be included in the Deny from.

Does anyone have any recommendations on how this can be achieved? Any help is greatly appreciated.

Look at the Apache Include directive:

http://httpd.apache.org/docs/2.2/mod/core.html#include

You can create a separate configuration file containing your denied list and include it in any other configuration file, i.e. a site in sites-available. Example usage below:

In /etc/apache2/sites-enabled/yoursite.conf

<VirtualHost *:80>
...

Include /etc/apache2/sites-access/yoursite.conf

...
</VirtualHost>

In /etc/apache2/sites-access/yoursite.conf

order allow,deny
deny from 10.0.0.1
allow from all

From a related excerpt ("Securing Apache and blocking a list of ip addresses"):

deny from 123.45.6.
allow from all

The above lines tell the Apache Web Server to block visitors from the IP addresses '255.0.0.0' and '123.45.6.'. Note that the second IP address is missing the fourth set of digits; this means any IP address which matches the first three sets of digits will be blocked, e.g. '123.45.6.10' and '123.45.6.255' would be blocked.

This is not a real security method, but you can put this txt file in a shared directory and update the Apache config from it with a cron job...

Another method is with .htaccess:

order allow,deny
deny from 10.0.0.1
allow from all
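The cron-job approach above needs something that turns the shared text file into a config fragment without letting a typo break the next reload. The following script is an added example, not code from either answer or from the Apache project. It assumes the shared file has one entry per line (a full IPv4/IPv6 address, a CIDR block, or an Apache-style partial prefix such as 123.45.6. covering the first one to three octets), with '#' starting a comment, and it emits either the Apache 2.2 Deny from form or the Apache 2.4 Require not ip form. Invalid entries are reported and skipped rather than written into the fragment.

```python
"""Build an Apache deny-list fragment from a plain-text IP file.

Added example for the cron-job approach; not code from the answers or from
the Apache project. Assumptions: one entry per line, which may be a full
IPv4/IPv6 address, a CIDR block, or a partial prefix such as 123.45.6.
(first one to three octets); '#' starts a comment. Entries that are not
valid are reported and skipped instead of being written into the fragment,
so a typo in the shared file cannot break 'apachectl configtest'.
"""
import ipaddress
import re
import sys

# Partial dotted prefix with one to three octets and an optional trailing dot.
_PARTIAL_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){0,2}\.?$")


def parse_deny_list(text):
    """Return (valid_entries, rejected) where rejected is [(lineno, raw_line)]."""
    valid, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if _PARTIAL_RE.match(line):
            octets = line.rstrip(".").split(".")
            if all(int(o) <= 255 for o in octets):
                # Both 'Deny from' and 'Require ip' accept a 1-3 octet prefix.
                valid.append(".".join(octets))
            else:
                rejected.append((lineno, raw))
            continue
        try:
            # strict=False accepts host bits set in a CIDR block (10.0.0.1/24).
            ipaddress.ip_network(line, strict=False)
            valid.append(line)
        except ValueError:
            rejected.append((lineno, raw))
    return valid, rejected


def render_apache22(entries):
    """Apache 2.2 fragment: with Order Allow,Deny the Deny lines win."""
    lines = ["Order Allow,Deny", "Allow from all"]
    lines += ["Deny from %s" % e for e in entries]
    return "\n".join(lines) + "\n"


def render_apache24(entries):
    """Apache 2.4 fragment: everyone granted except the listed entries."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += ["    Require not ip %s" % e for e in entries]
    lines.append("</RequireAll>")
    return "\n".join(lines) + "\n"


# Constructed sample of a shared deny list, including two bad lines.
SAMPLE_DENY_LIST = """\
# constructed sample: blocked visitors
10.0.0.1
123.45.6.          # prefix: blocks 123.45.6.0 - 123.45.6.255
192.0.2.0/24
2001:db8::1
192.168.100.456    # invalid octet, must not reach the config
not-an-ip
"""

if __name__ == "__main__":
    # usage: python deny_fragment.py [deny_list.txt] [2.2|2.4]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DENY_LIST
    entries, bad = parse_deny_list(text)
    for lineno, raw in bad:
        sys.stderr.write("skipping line %d: %s\n" % (lineno, raw))
    version = sys.argv[2] if len(sys.argv) > 2 else "2.4"
    sys.stdout.write(render_apache24(entries) if version == "2.4"
                     else render_apache22(entries))
```

Write the output to the file your vhost Includes, then run apachectl configtest and a graceful reload: as the comments at the bottom of this page note, Apache only reads config files at (re)start. Order, Allow and Deny are directory-context directives, so the Include belongs inside a <Directory> or <Location> block (or in .htaccess), not bare in <VirtualHost>.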

From a related excerpt ("Apache deny from list of ip's in external file, Solution"): most Web Application Firewalls (WAF), such as mod_security, can block lists of IP addresses. To deny access based on IP address in the Apache configuration itself:

# DENY ACCESS TO IP ADDRESS
# Apache 2.2
Order Allow,Deny
Allow from all
Deny from 111.111.111.111
Deny from 222.222.222.222
Deny from 123.123.123.123

# Apache 2.4+
<RequireAll>
Require all granted
Require not ip 111.111.111.111
Require not ip 222.222.222.222
Require not ip 123.123.123.123
</RequireAll>

Using a RewriteMap map as the external IP address file works for a list of individual IP addresses:

RewriteEngine on
RewriteMap allowed "txt:${site_dir}/etc/allowed_ip_addresses"

UnsetEnv ALLOWED

RewriteCond ${allowed:%{REMOTE_ADDR}} 1
RewriteRule ^ - [E=ALLOWED]

<Location />
  Deny  from all
  Allow from env=ALLOWED
</Location>

Then allowed_ip_addresses contains lines like:

10.42.1.123      1
192.168.100.56   1

That maps allowed IP addresses to the value 1, and all other IP addresses to the empty string.

The RewriteCond looks up REMOTE_ADDR in the map, and if it's 1 then it sets an environment variable. UnsetEnv ensures that the variable is definitely unset otherwise.

Then Allow from only permits access when that environment variable has been set.

The external map file can have different filesystem permissions from your Apache config, and changes to it take effect immediately, without requiring restarting Apache.
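Because a txt: RewriteMap is an exact string lookup, the answer's remark that this works "for a list of individual IP addresses" is the important caveat: a CIDR block or partial prefix placed in the map is silently never matched, and the client is simply denied. The following is an added example, not code from the answer or from the Apache project; it emulates the map lookup and the RewriteCond/env/Allow chain, and lints the map for entries that can never equal a real REMOTE_ADDR. It assumes the txt: format used above (one "key value" pair per line, '#' starting a full-line comment, value being the rest of the line) and assumes Apache fills REMOTE_ADDR with the canonical text form of the address.

```python
"""Check a RewriteMap txt: allow-list and emulate its lookup.

Added example for the RewriteMap answer; not code from that answer or from
the Apache project. Assumptions: the map is the txt: format used above (one
"key value" pair per line, '#' starting a full-line comment, value = rest of
the line) and the test is RewriteCond ${allowed:%{REMOTE_ADDR}} 1. A txt:
map is an exact string lookup, so the linter flags keys that can never equal
a real REMOTE_ADDR: CIDR blocks, partial prefixes, and (assuming canonical
REMOTE_ADDR formatting) non-canonical IPv6 spellings.
"""
import ipaddress


def load_txt_map(text):
    """Parse a RewriteMap txt: file into {key: value}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            mapping[parts[0]] = parts[1].strip()
    return mapping


def txt_lookup(mapping, key):
    """Emulate ${allowed:key}: the value on exact match, else the empty string."""
    return mapping.get(key, "")


def is_allowed(mapping, remote_addr):
    """Emulate RewriteCond ... 1 -> RewriteRule [E=ALLOWED] -> Allow from env=ALLOWED."""
    return txt_lookup(mapping, remote_addr) == "1"


def lint_map(mapping):
    """Return (key, reason) pairs for entries that silently never grant access."""
    problems = []
    for key, value in mapping.items():
        if value != "1":
            problems.append((key, "value %r is not 1, RewriteCond never matches" % value))
        if "/" in key:
            problems.append((key, "CIDR block: a txt: map does not expand networks"))
            continue
        try:
            canonical = str(ipaddress.ip_address(key))
        except ValueError:
            problems.append((key, "not a single IP address (prefixes never match)"))
            continue
        if canonical != key:
            # Assumption: Apache fills REMOTE_ADDR with the canonical text form.
            problems.append((key, "not canonical, REMOTE_ADDR would be %s" % canonical))
    return problems


# Constructed sample map with two good entries and four that never match.
SAMPLE_MAP = """\
# constructed sample allowed_ip_addresses
10.42.1.123      1
192.168.100.56   1
# the next four look plausible but never grant access
203.0.113.0/24   1
10.42.1.         1
2001:0db8::0001  1
198.51.100.7     yes
"""

if __name__ == "__main__":
    allowed = load_txt_map(SAMPLE_MAP)
    for addr in ("10.42.1.123", "10.42.1.124", "203.0.113.5", "2001:db8::1"):
        print("%-16s allowed=%s" % (addr, is_allowed(allowed, addr)))
    for key, reason in lint_map(allowed):
        print("check %-16s %s" % (key, reason))
```

Running lint_map over the map file before it is dropped into place (for instance from the same cron job that validates the deny list) catches the case where the person editing the file, who cannot see the Apache config, adds a network or a prefix and then reports that access still fails.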

From a related excerpt ("Block IP addresses at the Apache HTTP Server level"): the Order directive controls the default access state. If your site already contains a script that writes IP addresses to a file, you can simply have it append the addresses to /etc/csf/csf.deny. This can be done by appending the line directly, or by running the command csf -d 10.20.30.40 on the command line.

In Windows httpd.conf:

<Directory />
Include "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/deny.txt"
</Directory>

deny.txt contains:

Deny from xxx.xxx.xxx.xxx
etc.

From a related excerpt ("Apache restrict access based on IP address to selected directories"): the visitor blocking facilities offered by the Apache Web Server enable us to deny access to specific visitors, or allow access to specific visitors. Since I'm doing this IP blocking for many sites, it makes sense to simplify the configuration so that I only need to edit a single list of IPs that applies to all sites. What I did is put the config in a file and include it in each virtual host config. File: /etc/httpd/block-world.conf

From a related excerpt ("Deny visitors by IP address"): Allow and Deny accept a host name (all hosts whose names match or end in this string are allowed access), a full IP address, or the first one to three bytes of an IP address, for subnet restriction. A separate note from the same excerpt on forwarded-address headers (the MEFaccept setting): an attacker can purposefully modify the contents of the custom header to specify an IP address of choice, which hides the actual IP address from the Apache server's log files. Because of this, two things are recommended: obtain the current list of IP addresses for the MEFaccept entry, and do not set it to "all".

From a related excerpt ("Order, Allow, and Deny (Apache: The Definitive Guide)"): if you are using Apache 2.4, make sure that you load the authz_core module, and delete

Order allow,deny
Deny from all
Allow from my.ip.add.res

using Require in its place. If, instead, you have a machine name rather than an IP address, you can use that:

Require not host host.example.com

And if you'd like to block access from an entire domain, you can specify just part of an address or domain name:

Require not ip 192.168.205
Require not host phishers.example.com moreidiots.example
Require not host gov


Comments
  • Thanks for the reply, I gave that method a shot but I've found something odd. The include appears to be added and parsed, as entering nonsense in the include file will result in Apache complaining when testing the config; however, when adding Deny froms in the include file they do not seem to be blocked, yet adding a Deny from in an .htaccess file in the directory works perfectly. Not sure what could be causing this - any help is greatly appreciated.
  • The reason you do not see them being blocked is because Apache does not read config files when they change; you need to reload them. Apache does read .htaccess files on every directory access, so any changes made there take effect immediately.