
Apache 2.4.x IP blacklist

Repost. Author: 行者123. Updated: 2023-12-04 00:44:21

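I'm looking for a simple way to blacklist IP addresses in Apache 2.4.x. My website logs the IP addresses that attempt illegal operations to a text file. I would like to use this text file in Apache to deny this IP list all access to all virtual hosts. What is the best way to do this (the simplest and least resource-consuming way)?
I found this, but it only applies to 2.2. Not sure how this applies to 2.4.
Cheers.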

Edit: this is a Windows x64 machine running Apache x64.

Best answer

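@vaSTLysuperiorman is right, csf/lfd do this best. Unfortunately, they only run on Linux.
This free utility promises to provide the same functionality: dynamically monitoring access attempts and automatically blocking IP addresses. In case of a false positive, you can unblock with a command. Certainly worth a shot.
Another approach is to create a VM (if your platform supports virtualization), deploy a very small spec Linux machine, and use it as a proxy. This should be easy to implement. By the way, why not just use Linux? .. :-)
(This should have been a comment on @vaSTLysuperiorman's post, but I don't have enough SO rep to comment on other people's posts.)

Edited to suggest a possible apache 2.4 based solution: converting ACL directives between 2.2 and 2.4 in Apache.
2.2 syntax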

order Deny,Allow
include conf/IPList.conf
Allow from all
2.4 syntax
DocumentRoot /some/local/dir

<Directory /some/local/dir/>
<RequireAll>
Require all granted
Include conf/IPList.conf
</RequireAll>
</Directory>

#this will also work
<Location />
<RequireAll>
Require all granted
Include conf/IPList.conf
</RequireAll>
</Location>

# conf/IPList.conf is actually in /etc/apache2/conf/IPList.conf
# (i.e., paths are relative to where apache is installed).
# I guess you can also use the full path to the list.
In conf/IPList.conf, you will have individual lines with entries like the following:
Require not ip 10.10.1.23
Require not ip 192.168.22.199
Require not ip 10.20.70.100

Using mod-rewrite and a list of IPs for banning

  • For a redirect-to-another-page to work, you need to keep the RewriteRule outside the base URL you are guarding.
  • For instance, the redirect would not work under a Directory directive on DocumentRoot or a Location directive on '/', because the ban affects the status page we want to display.
  • So, best to keep this outside a Directory or Location directive, or link to a status page on another unprotected web server.

#Required set of rewrite rules
RewriteEngine on
RewriteMap hosts-deny txt:/etc/apache2/banned-hosts
RewriteCond ${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND} !=NOT-FOUND [OR]
RewriteCond ${hosts-deny:%{REMOTE_HOST}|NOT-FOUND} !=NOT-FOUND
RewriteRule ^ /why-am-i-banned.html
##  inside our banned hosts file, we have:
## /etc/apache2/banned-hosts (maintain the format .. it's not just a plain text file)
##

193.102.180.41 -
192.168.111.45 -
www.example.com -
www.sumwia.net -
# inside our status page, could be html as below or a plain text file with '.txt' extension
#/var/www/html/why-am-i-banned.html
#
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Why is my IP banned?</title>
</head>
<body>
<h2>Why is my IP address banned?</h2>
<p>
To manage spammers and for other security needs, our server automatically blocks
suspicious IP addresses. If however you reckon your IP address has been blocked
wrongfully, please contact us.
</p>
</body>
</html>
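Of course, you can parse your log files and populate conf/IPList.conf or /etc/apache2/banned-hosts as needed ..
As a short-term solution
An alternative that lets you keep using the 2.2 syntax is to install the mod_access_compat module and continue using your deprecated 2.2-style "Deny,Allow" directives. But this is advisable only as a short-term solution, since that module is only there to aid the transition and may disappear in future versions of apache 2.4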
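
An added example, not part of the original answer or of Apache itself: one way to turn the site's offender text file into the two list files described above, validating each entry so that a malformed log line cannot end up as arbitrary text inside an Included config. The sample data, function names and script arguments are assumptions.

```python
import ipaddress
import sys

# Constructed sample of the site's offender file (not data from the original post).
SAMPLE_LOG = """\
10.10.1.23
192.168.22.199
10.10.1.23
# noted by the site
203.0.113.7, 10.0.0.1
10.20.70.100
192.168.22.0/24
not-an-ip
"""

def parse_offenders(text):
    """Return unique, validated networks in first-seen order."""
    seen, nets = set(), []
    for raw in text.splitlines():
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry)  # one address or one CIDR, nothing else
        except ValueError:
            continue  # drop anything that could smuggle extra text into the config
        if net not in seen:
            seen.add(net)
            nets.append(net)
    return nets

def _is_host(net):
    return net.prefixlen == net.max_prefixlen

def require_lines(nets):
    """Lines for conf/IPList.conf (Require ip accepts addresses and CIDR)."""
    return ["Require not ip %s" % (net.network_address if _is_host(net) else net)
            for net in nets]

def rewrite_map_lines(nets):
    """Lines for the txt: RewriteMap; lookups are exact-key, so hosts only."""
    return ["%s -" % net.network_address for net in nets if _is_host(net)]

if __name__ == "__main__":
    # Usage (hypothetical file names): gen.py offenders.txt IPList.conf banned-hosts
    src, conf_out, map_out = sys.argv[1:4]
    with open(src, encoding="utf-8") as fh:
        nets = parse_offenders(fh.read())
    for path, lines in ((conf_out, require_lines(nets)), (map_out, rewrite_map_lines(nets))):
        with open(path, "w", encoding="utf-8") as out:
            out.write("\n".join(lines) + "\n")
```

An Included file is read only when Apache loads its configuration, so changes to conf/IPList.conf need a restart or graceful reload; a txt: RewriteMap file is re-read when its modification time changes.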

Regarding the Apache 2.4.x IP blacklist, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/23157707/
