Deny requests from specific IPs, configured in a virtual host
A bad thing happened to me this holiday. The server was attacked from several IPs, or more precisely, they used my server as a proxy for attacking other targets. Luckily for me, my server is not configured for this kind of attack. However, they kept sending requests to my server, and I wanted Apache to deny all requests from those IPs. This one is really tricky. I have configured denying all except some IPs, such as local, but never denying some IPs and allowing the rest. I started reading the Apache docs and tried to understand. The result is as follows:
NameVirtualHost xxx.xxx.xxx:80
<VirtualHost xxx.xxx.xxx:80>
    ServerName example.com
    DocumentRoot /path/to/doc/root
    <Directory /path/to/doc/root/>
        Options Indexes MultiViews FollowSymLinks
        Order Deny,Allow
        Deny from xx.xxx.xxx.xxx
        Deny from xxx.xxx.xxx.xxx
        Deny from ...
        # IPs that do not match the deny list will be permitted
    </Directory>
    ...
</VirtualHost>
Be aware that you cannot add “Allow from all” at the end: with Order Deny,Allow, Apache rejects a request that matches a Deny line only if it does not also match an Allow line, so “Allow from all” would override every Deny. So we have a deny list to match against, and IPs that do not match any entry in this list are permitted.
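To see why the trailing “Allow from all” defeats the deny list, here is a small model of the Apache 2.2 mod_authz_host Order evaluation. It is an added example, not code from this post or from Apache; the function names and the sample addresses (documentation ranges) are made up for illustration, and it goes one step beyond the text by also showing Order Allow,Deny, where “Allow from all” and a deny list do work together.

```python
import ipaddress

def _matches(client, specs):
    """True if client matches any spec: 'all', a single IP, or a CIDR block."""
    ip = ipaddress.ip_address(client)
    return any(
        spec.lower() == "all" or ip in ipaddress.ip_network(spec, strict=False)
        for spec in specs
    )

def is_allowed(order, client, allow=(), deny=()):
    """Model of how Apache 2.2 combines Order, Allow from and Deny from."""
    allowed = _matches(client, allow)
    denied = _matches(client, deny)
    key = order.replace(" ", "").lower()
    if key == "deny,allow":
        # Deny is checked first, Allow last and wins; unmatched requests pass.
        return allowed or not denied
    if key == "allow,deny":
        # Allow is checked first, Deny last and wins; unmatched requests fail.
        return allowed and not denied
    raise ValueError("unsupported Order: %r" % order)

# Constructed sample addresses (documentation ranges), not taken from the post.
DENY_LIST = ["203.0.113.7", "198.51.100.0/24"]
ATTACKER, VISITOR = "198.51.100.23", "192.0.2.10"

def compare():
    """Decision for (attacker, visitor) under three configurations."""
    configs = {
        "page config": ("Deny,Allow", [], DENY_LIST),
        "page config + Allow from all": ("Deny,Allow", ["all"], DENY_LIST),
        "Allow,Deny + Allow from all": ("Allow,Deny", ["all"], DENY_LIST),
    }
    return {
        name: tuple(is_allowed(order, c, allow, deny) for c in (ATTACKER, VISITOR))
        for name, (order, allow, deny) in configs.items()
    }

if __name__ == "__main__":
    for name, (attacker, visitor) in compare().items():
        print(f"{name:30} attacker allowed={attacker} visitor allowed={visitor}")
```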
It says that there is no good way to protect against this kind of attack. I hope that I can get in touch with those IP owners, and hopefully they can help me.
Some good pages
http://wiki.apache.org/httpd/ProxyAbuse
http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html