Ugacomp

How can I block IP addresses in Apache?


One of the essential features Apache offers is the ability to block specific IP addresses, preventing unwanted visitors, malicious bots, or potential attackers from accessing your web applications. An IP address is a unique numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. Blocking specific IP addresses can help you to prevent access to your server from malicious addresses, something that can enhance your server’s security.

In this comprehensive guide, we will explore various methods to block IP addresses in Apache, ensuring the security and stability of your web server.

Method 1: Using .htaccess Files

A .htaccess file is a per-directory configuration file used by Apache web servers. Its name begins with a dot, which makes it a hidden file on Linux. The .htaccess file is usually placed in the root directory of a website and can be used to override or modify the settings of the Apache web server for that directory and all subdirectories.

One of the simplest ways to block IP addresses in Apache is by using a .htaccess file. This file allows you to configure server settings on a per-directory basis, enabling you to block specific IP addresses for specific directories or your entire website. Apache only honors these directives where the main server configuration permits them through the AllowOverride directive.

First, access your server using SSH or any other preferred method. Navigate to the root directory of your website and create or edit the .htaccess file. The default location of a .htaccess file in Linux is in the root directory of the website that it is configured for. This is typically the /var/www/html directory, but it may be different depending on the specific web server configuration. The .htaccess file is a hidden file, so it will not be visible by default. To see it, you will need to enable the option to show hidden files in your file manager.

Block Specific IP address

To block a specific IP address, add the following line to your .htaccess file:

   Deny from xxx.xxx.xxx.xxx

Replace xxx.xxx.xxx.xxx with the IP address you want to block. You can add multiple IP addresses, each on a new line.

Block Multiple IP addresses

You can also block multiple IP addresses from accessing your application as seen below:

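Order Allow,Deny
Allow from all
Deny from 192.168.1.10
Deny from 10.0.0.1

This will block the IP addresses 192.168.1.10 and 10.0.0.1 from accessing the directory. The Allow from all directive allows all other IP addresses to access the directory. The order matters: with Order Allow,Deny a request must match an Allow directive and no Deny directive, whereas with Order Deny,Allow a matching Allow overrides a matching Deny, so Allow from all would let the listed addresses through.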
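With these directives, the Order line decides whether a matching Deny or a matching Allow wins. The following added example (not part of the original article) models the documented mod_access_compat evaluation rules in Python and compares both orderings when Allow from all is present; the function names and the third client address are constructed for illustration.

```python
import ipaddress

def matches(client, specs):
    """True if the client IP matches any spec: 'all', an address, or a CIDR range."""
    addr = ipaddress.ip_address(client)
    return any(
        spec == "all" or addr in ipaddress.ip_network(spec, strict=False)
        for spec in specs
    )

def is_allowed(order, allow, deny, client):
    """Apply the documented Order rules of mod_access_compat to one client IP."""
    allowed = matches(client, allow)
    denied = matches(client, deny)
    if order == "Allow,Deny":
        # Needs an Allow match and no Deny match; anything unmatched is denied.
        return allowed and not denied
    if order == "Deny,Allow":
        # A Deny match is overridden by an Allow match; unmatched is allowed.
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order}")

# Constructed sample: the two blocked addresses from the text plus one outsider.
DENY = ["192.168.1.10", "10.0.0.1"]
CLIENTS = ["192.168.1.10", "10.0.0.1", "203.0.113.7"]

def compare_orders():
    """Decision per client for both orderings, with 'Allow from all' present."""
    return {
        order: {c: is_allowed(order, ["all"], DENY, c) for c in CLIENTS}
        for order in ("Deny,Allow", "Allow,Deny")
    }

if __name__ == "__main__":
    for order, result in compare_orders().items():
        print(f"Order {order}")
        for client, ok in result.items():
            print(f"  {client:<14} {'allowed' if ok else 'blocked'}")
```

Only Order Allow,Deny blocks the two listed addresses here; under Order Deny,Allow the Allow from all match overrides every Deny.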

Block a CIDR subnet

You can use IP ranges and CIDR notation to block multiple IP addresses at once. For example, the following directive will block all IP addresses in the 192.168.1.0/24 subnet:

Deny from 192.168.1.0/24

Block IP addresses based on a pattern

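You can use regular expressions to block IP addresses based on a pattern. The Deny directive does not take a regular expression itself, so match the client address with SetEnvIf and deny on the environment variable it sets. For example, the following directives will block all IP addresses that start with 192.168.1:

SetEnvIf Remote_Addr "^192\.168\.1\." blocked_ip
Deny from env=blocked_ip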

Save the .htaccess file and exit the editor, then restart your Apache server to apply the changes by running the following command:

   sudo service apache2 restart


Method 2: Using Apache Configuration Files

Another approach to blocking IP addresses is by directly editing Apache configuration files. This method offers more control and efficiency, especially for blocking a large number of IP addresses. The main configuration file is usually located at /etc/apache2/apache2.conf or /etc/httpd/conf/httpd.conf.

You need to open the configuration file using a text editor with administrative privileges. To block specific IP addresses, add the following lines within the <VirtualHost> or <Directory> block:

   <Directory /path/to/directory>
       Order Allow,Deny
       Allow from all
       Deny from xxx.xxx.xxx.xxx
   </Directory>

Replace /path/to/directory with the path to the directory you want to protect and xxx.xxx.xxx.xxx with the IP address you wish to block. You can add multiple <Directory> blocks for different directories.

For example, the following configuration allows only the IP address 192.168.1.100 to access the /var/www/html directory and explicitly denies access to 192.168.1.200.

<Directory /var/www/html>
    <RequireAll>
        Require ip 192.168.1.100
        Require not ip 192.168.1.200
    </RequireAll>
</Directory>

As always, save the configuration file and exit the editor. Before restarting Apache, verify the configuration for any syntax errors by running the following command:

   apachectl configtest

If there are no errors, restart your Apache server to apply the changes:

   sudo service apache2 restart
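Method 2 is suggested for large block lists, where hand-editing invites typos. As an added example (not part of the original article), this Python script turns a raw list into an Apache 2.4 `<RequireAll>` block using `Require not ip`, rejecting malformed entries and catch-all ranges and merging overlapping ones. The function name and the sample entries are constructed for illustration.

```python
import ipaddress

def build_blocklist(directory, entries):
    """Return (config_text, rejected) for an Apache 2.4 <Directory> block."""
    nets, rejected = [], []
    for raw in entries:
        text = raw.split("#", 1)[0].strip()      # allow trailing comments
        if not text:
            continue
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected.append(text)                # typo or hostname: never emit it
            continue
        if net.prefixlen == 0:
            rejected.append(text)                # a /0 range would lock everyone out
            continue
        nets.append(net)

    # collapse_addresses() drops duplicates and entries already covered by a
    # wider range; it cannot mix IPv4 and IPv6, so each family is merged alone.
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)

    lines = [f"<Directory {directory}>", "    <RequireAll>",
             "        Require all granted"]
    for net in merged:
        single = net.prefixlen == net.max_prefixlen
        target = net.network_address if single else net
        lines.append(f"        Require not ip {target}")
    lines += ["    </RequireAll>", "</Directory>"]
    return "\n".join(lines) + "\n", rejected

# Constructed sample input, not real indicators.
SAMPLE = [
    "192.168.1.10", "192.168.1.11", "192.168.1.0/24",
    "10.0.0.1", "10.0.0.1", "not-an-ip", "0.0.0.0/0",
    "2001:db8::/32  # documentation range", "",
]

if __name__ == "__main__":
    config, rejected = build_blocklist("/var/www/html", SAMPLE)
    print(config)
    print("rejected entries:", rejected)
```

Review the rejected entries before deploying, and run the configtest step on the generated block before restarting Apache.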

Method 3: Using ModSecurity

ModSecurity is an open-source web application firewall module that can be integrated with Apache to enhance security. It allows you to create custom rules for blocking IP addresses based on various criteria, such as suspicious behavior or specific patterns in incoming requests.

Install ModSecurity

If ModSecurity is not already installed, install it using your distribution’s package manager. For Debian-based systems like Ubuntu, run the following command to install it:

   sudo apt-get install libapache2-mod-security2  

For Red Hat-based systems, you need to run the following command to install ModSecurity:

   sudo yum install mod_security                   

Create Custom Rules

You need to create custom ModSecurity rules to block specific IP addresses. You can achieve this by editing the ModSecurity configuration file, usually located at /etc/modsecurity/modsecurity.conf or /etc/httpd/conf.d/mod_security.conf. Here is the syntax for adding a custom rule to block a specific IP address:

   SecRule REMOTE_ADDR "^xxx\.xxx\.xxx\.xxx$" "id:1001,phase:1,deny,status:403"

Replace xxx.xxx.xxx.xxx with the IP address you want to block. This rule will deny access to any request coming from the specified IP address and return a 403 Forbidden status code.

Block IP addresses based on their HTTP headers

Apache can also block requests based on their HTTP headers, using an <If> expression together with the Require directive (Apache 2.4). HTTP headers are a set of name-value pairs that are exchanged between a client and a server as part of an HTTP request or response. They provide additional information about the request or response, such as the type of resource being requested, the capabilities of the client, and the status of the response.

Now, to block IP addresses based on their HTTP headers, you will need to add a configuration block that specifies the headers to match and the IP addresses to block.

Here is an example of a configuration that blocks the IP address 192.168.1.1 when it sends the User-Agent header with the value “Mozilla/4.0”:

<If "%{HTTP_USER_AGENT} == 'Mozilla/4.0' && %{REMOTE_ADDR} == '192.168.1.1'">
    Require all denied
</If>

This configuration will block requests from the IP address 192.168.1.1 if the User-Agent header is set to “Mozilla/4.0”.

You can add as many <If> blocks to the configuration as you need to block additional IP addresses or headers.

Conclusion

Securing your Apache web server is paramount to protecting your website and its users from potential threats. By understanding how to block IP addresses using .htaccess files, Apache configuration files, or ModSecurity, you can enhance your server’s security and maintain a stable online environment. Regularly monitoring your server’s access logs and updating your blocking rules as needed will help you stay one step ahead of potential attackers, ensuring a safer online experience for everyone accessing your web applications.
