
How secure is it to block IP addresses in .htaccess?

I have one webserver which hosts several different sites. Some are used by external customers and some are only used internally. For the internal sites, I have an .htaccess file which denies all IP addresses but allows any IP address that starts with 10.25.x.x.

IndexIgnore *
deny from all
allow from 10.25.

This means only a PC on our local network can access the server. Even if the customer has a local IP address of 10.25.x.x on their computer, my webserver should only see their public IP, right?

I have no forms that upload files to this directory so they shouldn't be able to overwrite the .htaccess file.

My question is: Is there any way an attacker can bypass these security methods? If so, what preventive measures can I take to ensure that doesn't happen?

Kenny Johnson asked Dec 27 '22 03:12


2 Answers

I think the answer of Sébastien Renauld shows that IP black/white listing is not perfect to secure your websites. Your application should already be secure enough for a publicly accessible deployment. Anyways, IP restrictions do help limit the attack vectors on your application.

Keep in mind that IP spoofing is technically possible, but is pretty difficult to perform.

From outside of the network, a hacker has to bypass at least the following obstacles.

  • Any ISP logic that removes faulty IP packets (aka, having an IP address which is not the same as the sender's IP.)
  • Any firewall/gateway/router on your side that drops these packets. Usually internal and external networks are separated, and packets are not easily routed between these networks.
  • HTTP uses the TCP protocol, which includes a three-way handshake as part of the connection setup. This means that the sender needs to acknowledge the connection as well. In short: this connection setup uses an arbitrary number to synchronize the server and the client's communication. A hacker needs to guess this number and send it at the correct moment.

There are many more obstacles than I just summed up which need to be bypassed by an attacker, like preventing a local, legitimate client from interfering with the attack. (Think about where the responses to the spoofed IP address of the server will go to, and what the impersonated client will do.)

The easier way of spoofing an IP address is doing it from within the network itself. Well, if that is already possible, you probably have some other things to look into first :)

I hope you will see that it is practically not feasible that a hacker will perform this attack these days. Security is a balance between the effort needed and the satisfaction gained by an attacker.

Therefore I would say that IP white listing, next to binding at the local network as Sébastien Renauld suggests, is a good enough security practice. You still need to assume that an attacker can gain access to your internal network, and therefore should also look into the security of your websites and server themselves.

Skoonhoven answered Jan 08 '23 05:01


The bottom line of your question is: DO NOT, EVER, RELY ON THE VALUE OF AN IP.

To demonstrate and illustrate this point, this document here explains how an IP address actually is attached to a data packet. Effectively, it is just a list of bytes for the source, and a list of bytes for the destination. Anyone can effectively modify those (this is, amongst other things, what NAT does, by the way, and NAT traversal would not work otherwise). What this means is that, if they can be modified, they can be spoofed.

There are ways to ward against this partially, but all the methods rely on heuristics. For example, the simplest rule is that if a packet came from your WAN interface yet claims to be from 192.168.0.1, you know that something is up. Some security devices on the market do exactly this: they filter out what they think is dubious.

In your case, there is a way to ward off against all this. I assume you are using Apache. If you are, instead of binding your VirtualHost to all interfaces (as is the default in Apache: *:80), bind it to that specific local interface (10.0.0.0:80 or equivalent). This will force Apache to only listen for pings on that interface, which, if running Unix/Linux, is segregated from the other interfaces and guaranteed to be distinct. This allows you to have a LAN-only website, effectively.

Sébastien Renauld answered Jan 08 '23 05:01
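
The interface binding suggested in the answer above, combined with the question's source-address rule, sketched as an added example that is not from either answerer. The addresses 10.25.0.5 (server's LAN address) and 203.0.113.10 (public address, documentation range), the host names and the paths are assumed placeholders.

```apache
# Added example; all addresses, names and paths below are assumed placeholders.

# Weak layout: one wildcard socket serves every site, so the source-address
# rule in .htaccess is the only thing protecting the internal site.
#   Listen 80
#   <VirtualHost *:80>
#       ServerName intranet.example
#   </VirtualHost>

# Hardened layout: one listening socket per address instead of "Listen 80".
Listen 203.0.113.10:80
Listen 10.25.0.5:80

# Customer-facing sites answer only on the public address.
<VirtualHost 203.0.113.10:80>
    ServerName www.example.com
    DocumentRoot "/var/www/public"
</VirtualHost>

# The internal site answers only on the LAN address. A request that arrives
# on the public address never matches this block, whatever Host header it sends.
<VirtualHost 10.25.0.5:80>
    ServerName intranet.example
    DocumentRoot "/var/www/intranet"
    <Directory "/var/www/intranet">
        # Rules live in the server config, so a replaced .htaccess
        # in this directory cannot loosen them.
        AllowOverride None
        # Second layer: still check the source address (Apache 2.4 syntax).
        Require ip 10.25.0.0/16
        # Apache 2.2 equivalent of the question's rules:
        #   Order deny,allow
        #   Deny from all
        #   Allow from 10.25.
    </Directory>
</VirtualHost>
```

After a reload, `apachectl -S` prints the address-to-VirtualHost mapping, which confirms that the internal site is attached only to the LAN address.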