 

Apache 2.4.x ip blacklist

Tags:

apache

ip

apache2

I'm looking for an easy way to blacklist IP addresses in Apache 2.4.x. My web site logs IP addresses that tried illegal operations into a text file. I would like to use this text file within Apache to deny all access to all vhosts for this IP list. What would be the best way (easiest and least resource-consuming way)? Found this, but this is only for 2.2. Not sure how this applies to 2.4. Cheers.

Edit: this is a Windows x64 box running Apache x64.

Eric asked Apr 18 '14 15:04


1 Answer

@vastlysuperiorman called it right, csf/lfd is the best at this. Unfortunately, they only run on Linux.

This free utility promises to provide the same functionality: dynamically monitor access attempts and auto-block IP addresses. You can unblock with a command, in case of false positives. Certainly worth a shot.

An alternative could be to create a VM (if your platform supports virtualization), deploy a very small-spec Linux box, and use that as a proxy. This should be easy to implement. BTW, why not just use Linux? .. :-)

(this should have been a comment on @vastlysuperiorman's post, but I don't have enough SO reps to comment on the post of others)

Edited to suggest a possible Apache 2.4 based solution:

To translate ACL directives between 2.2 and 2.4 in Apache:

2.2 Syntax

Order Deny,Allow
# in 2.2 the included list holds one "Deny from <ip>" line per address
Include conf/IPList.conf
Allow from all

2.4 Syntax

DocumentRoot /some/local/dir

<Directory /some/local/dir/>
   <RequireAll>
      Require all granted
      Include conf/IPList.conf
   </RequireAll>
</Directory>

# this will also work
<Location />
   <RequireAll>
      Require all granted
      Include conf/IPList.conf
   </RequireAll>
</Location>

# Inside <RequireAll>, a single matching "Require not ip" entry makes the
# whole block fail, so every listed client gets a 403 while everyone else
# still passes "Require all granted".
#
# conf/IPList.conf is actually in /etc/apache2/conf/IPList.conf
#   (i.e. paths without a leading slash are relative to ServerRoot, which
#    is normally where Apache is installed.
#    I guess you can also use the full path to the list.)

And inside conf/IPList.conf, you will have individual lines with entries like the following:

Require not ip 10.10.1.23
Require not ip 192.168.22.199
Require not ip 10.20.70.100

Using mod_rewrite and a list of IPs for banning

  • For a redirect-to-another-page to work, you need to keep the RewriteRule outside the base URL you are guarding.
  • For instance, the redirect would not work under a Directory directive on DocumentRoot or a Location directive on '/', because the ban affects the status page we want to display.
  • So, best to keep this outside a Directory or Location directive, or link to a status page on another unprotected web server.

# Required set of rewrite rules.
# RewriteMap is only valid in server or virtual-host context, not in .htaccess.
# The REMOTE_HOST lookup only sees a hostname when HostnameLookups is On;
# otherwise it holds the same IP as REMOTE_ADDR.
RewriteEngine on
RewriteMap    hosts-deny  txt:/etc/apache2/banned-hosts
RewriteCond   ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond   ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND
RewriteRule   ^  /why-am-i-banned.html

## inside our banned hosts file, we have:
## /etc/apache2/banned-hosts (maintain the format: one "key value" pair per
## line, as a txt: RewriteMap expects; it's not just a plain list of addresses)
##

193.102.180.41 -
192.168.111.45 -
www.example.com -
www.sumwia.net -

# inside our status page, could be html as below or a plain text file with '.txt' extension
# /var/www/html/why-am-i-banned.html
#
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
   <title>Why is my IP banned?</title>
</head>
<body>
<h2>Why is my IP address banned?</h2>
<p>
To manage spammers and for other security needs, our server automatically blocks
suspicious IP addresses. If, however, you reckon your IP address has been blocked
wrongfully, please contact us.
</p>
</body>
</html>

And of course, you can parse your log files and populate conf/IPList.conf or /etc/apache2/banned-hosts as appropriate.

As a short-term solution

An alternative that will allow you to use the 2.2 syntax is to install the mod_access_compat module and continue using your deprecated 2.2-style 'Deny,Allow' directives. But this is only advisable as a short-term solution, since that module is just there to aid transition and would probably go away in future versions of Apache 2.4.

Chux Uzoeto answered Dec 04 '22 15:12
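As an added example (not code from the question or the answer above), here is a Python script that turns the kind of text file the question describes into both of the list formats the answer uses: `Require not ip` lines for conf/IPList.conf and `key value` lines for the txt: RewriteMap. It assumes the application appends one address or CIDR range per line; the sample input is constructed, and the file names follow the answer. The point a practitioner cares about is that every line is validated with the `ipaddress` module before it is written, so a log entry that is not an address (including one containing text a client sent) is reported and dropped instead of being copied into httpd's configuration. It also shows why CIDR ranges fit `Require not ip` but not a txt: map, which is looked up with the exact REMOTE_ADDR string.

```python
"""Generate Apache 2.4 block lists from a text file of offending client IPs.

Added example, not code from the question or the answer. Assumptions:
the web application appends one address (or CIDR range) per line to a
text file; the output goes to conf/IPList.conf (Require directives) and
to the txt: RewriteMap file (named banned-hosts, as in the answer).
"""
import ipaddress
import os
import tempfile

# Constructed sample input. Real files drift: comments, blank lines,
# duplicates, IPv6, ranges, and, when the application logs whatever the
# client sent, text that must never land verbatim in httpd.conf.
SAMPLE_LOG = """\
# written by the application, one address per line
10.10.1.23
192.168.22.199
10.10.1.23
10.20.70.100
2001:db8::1
203.0.113.0/24

not-an-ip
192.168.22.199 ; Require all granted
"""


def parse_blocked(text):
    """Return (networks, rejected_lines) from the log text.

    Every entry must parse as an IPv4/IPv6 address or network; anything
    else is reported and dropped, so the generated config only ever
    contains validated addresses. Duplicates collapse to one entry.
    """
    nets = {}
    rejected = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        nets[str(net)] = net
    ordered = sorted(nets.values(),
                     key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return ordered, rejected


def require_lines(nets):
    """Lines for conf/IPList.conf, one 'Require not ip' per entry.

    'Require ip' accepts both single addresses and CIDR ranges; a single
    host is written without its /32 or /128 suffix.
    """
    return ["Require not ip %s" % (n.network_address if n.num_addresses == 1 else n)
            for n in nets]


def rewritemap_lines(nets):
    """Lines for the txt: RewriteMap ('key value' per line).

    The map is looked up with the exact REMOTE_ADDR string, so only single
    addresses are usable; CIDR ranges are skipped here (they still end up
    in IPList.conf).
    """
    return ["%s -" % n.network_address for n in nets if n.num_addresses == 1]


def build_files(text):
    """Produce both file bodies plus the rejected lines for review."""
    nets, rejected = parse_blocked(text)
    return {
        "IPList.conf": "".join(l + "\n" for l in require_lines(nets)),
        "banned-hosts": "".join(l + "\n" for l in rewritemap_lines(nets)),
        "rejected": rejected,
    }


def write_atomic(path, body):
    """Write via temp file + rename so httpd never reads a half-written map
    (txt: maps are re-read whenever their mtime changes)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(body)
    os.replace(tmp, path)


if __name__ == "__main__":
    out = build_files(SAMPLE_LOG)
    print("# conf/IPList.conf\n" + out["IPList.conf"])
    print("# banned-hosts\n" + out["banned-hosts"])
    for line in out["rejected"]:
        print("REJECTED (not an IP, not written):", repr(line))
```

Two operational notes follow from how Apache reads the two files. A file pulled in with `Include` is read only when httpd starts, so after regenerating IPList.conf run `httpd -t` (on Windows, `httpd.exe -t`) and then restart (`httpd.exe -k restart`); a broken entry here takes the whole server down, which is why the validation above matters. The txt: RewriteMap, by contrast, is re-read by mod_rewrite whenever the file's modification time changes, so the atomic rename keeps it from ever serving a partially written file.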