3

In my Apache configuration, I want to allow only Host header based vhosts. That is, I'd like to block any traffic by IP address only. I have mod_security2 installed, but I am only using the default rule set. Is mod_security2 the best place to configure this, and if so, how?

Apache 2.4.7, Ubuntu 14.04, PHP 5.5.9

  • Could you post your Apache and Ubuntu versions? – Lety Sep 02 '14 at 16:03
  • Updated question. Apache 2.4.7, Ubuntu 14.04, PHP 5.5.9 – Mark Richman Sep 02 '14 at 18:18
  • If you defined name-based virtual hosts, try disabling the default site with sudo a2dissite default or commenting out all directives inside the virtualhost defined in '/etc/apache2/sites-available/default.conf'. Afterwards restart your Apache. – Lety Sep 02 '14 at 19:48
  • @Letizia if I disable the default site, then access my server by IP, one of the name-based sites comes up – Mark Richman Sep 02 '14 at 19:51
  • Yes, in fact that was my doubt; what about commenting out the directives inside the default virtual host? – Lety Sep 02 '14 at 19:53
  • I think it's because my vhosts are all <VirtualHost *:80> – Mark Richman Sep 02 '14 at 19:56
  • Did you define your vhosts as name-based virtual hosts? – Lety Sep 02 '14 at 20:00
  • Yes, the sites all respond fine as name-based. That's not my issue. I simply want to stop the server from responding by IP only. – Mark Richman Sep 02 '14 at 20:01
  • Okay, try commenting out all directives in the default virtual host so it looks like <VirtualHost *:80> </VirtualHost>. It is the first defined, so if Apache doesn't match any vhost it will use this one, and because of the missing DocumentRoot it will result (I'm not sure) in 404 Not Found. If you prefer 403 Forbidden, try inserting Require All Denied. – Lety Sep 02 '14 at 20:09
  • No, that still serves up the next alphabetical enabled host in sites-enabled. – Mark Richman Sep 02 '14 at 20:12
  • I found this link. I'm not sure that you are right :) but I can't run a test now. – Lety Sep 02 '14 at 20:29

2 Answers

0

Add this to your <Directories> chapters in your httpd.conf wherever you want it to apply (e.g. the /var/www and /var/www/html chapters on the default config).

 # Allow the request only if a Host header is present and it is not the server's IP
 <RequireAll>
     Require expr ( -n %{HTTP_HOST} && %{HTTP_HOST} != "1.2.3.4" )
 </RequireAll>

-n matches "not empty" and the rest matches a Host: header not equal to your server's IP. You might need to repeat the second half with your public and internal IP, depending on your web routing setup.

WooShell
  • 101
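The comments above circle around the fact that Apache hands a request that matches no ServerName to the first <VirtualHost *:80> it loaded, which on Ubuntu is whatever sorts first in sites-enabled. The following is an added example, not the answer author's configuration, that combines the two pieces: a catch-all vhost that is loaded first and denies everything, plus a Require expr in each real site that rejects IP-literal Host headers (so a Host of 1.2.3.4, 1.2.3.4:80 or a bracketed IPv6 literal is refused even if the catch-all is ever removed). The file name 000-default.conf, the site example.com, the directory /var/www/empty and the IP 1.2.3.4 are placeholders.

```apacheconf
# /etc/apache2/sites-enabled/000-default.conf (placeholder name; it only matters that
# this file is loaded before every real site so it becomes Apache's default vhost)
<VirtualHost *:80>
    # ServerName that never matches real traffic; requests with no Host header,
    # an unknown Host, or an IP-literal Host all land here
    ServerName catchall.invalid
    DocumentRoot /var/www/empty      # assumed to exist and be empty
    <Location />
        Require all denied           # 403 for everything that reaches this vhost
    </Location>
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
</VirtualHost>

# /etc/apache2/sites-enabled/example.com.conf (placeholder real site)
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        <RequireAll>
            # Host must be present, and must not be an IPv4 literal (with optional
            # port) nor a bracketed IPv6 literal; defence in depth on top of the
            # catch-all vhost above
            Require expr "-n %{HTTP_HOST} && %{HTTP_HOST} !~ m#^(\d{1,3}\.){3}\d{1,3}(:\d+)?$# && %{HTTP_HOST} !~ m#^\[#"
        </RequireAll>
    </Directory>
</VirtualHost>
```

After `apachectl configtest` and a reload, `curl -sI http://1.2.3.4/` should return 403 from the catch-all, while `curl -sI -H 'Host: example.com' http://1.2.3.4/` still reaches the real site; the separate catchall_access.log makes direct-IP probing easy to count and alert on.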
0

I would suggest you read my answer to the question "I need rules to drop some malicious Apache", where it is explained how to download and configure OWASP ModSecurity Core Rule Set 3.x. However, here is a simple example of the rule that you are asking for:

# Deny requests without a host header
#
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "id:160, phase:2, log, drop, deny, status:403, \
        tag:'requests-without-host-header'"

The most important thing in the above rule is the parameter phase:2, so access will be denied before the response, but you will still be able to whitelist the rule under certain circumstances (if you need that) in phase:1. You can use nolog; also, the final result of drop, deny and status:403 is almost identical, and you can decide to leave only one of these three arguments.

Check out rule id:160 in my repository pa4080/www-security-assistant for a more complex example. Also, you may want to read the section Missing/Empty Host Header in REQUEST-920-PROTOCOL-ENFORCEMENT from SpiderLabs/owasp-modsecurity-crs 3.x.

pa4080
  • 29,831
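The rule in this answer only covers a missing Host header; the question also wants requests whose Host is an IP address refused. As an added example (not the answer author's rule set), the pair of rules below does both in phase:1, using an allowlist of the site names actually served rather than trying to enumerate every IP form. The rule ids 1001 and 1002, the names example.com and www.example.com, and the file name are placeholders; pick ids that are free in your own configuration.

```apacheconf
# /etc/modsecurity/host-header-policy.conf (placeholder path, loaded after modsecurity.conf)

# 1. No Host header at all: the &-prefix counts how many Host headers exist.
SecRule &REQUEST_HEADERS:Host "@eq 0" \
    "id:1001,phase:1,deny,status:403,log,\
    msg:'Request without Host header',\
    tag:'host-header-policy'"

# 2. Host present but not one of the configured site names (case-insensitive,
#    optional :port). An IP literal such as 1.2.3.4 or [2001:db8::1] never
#    matches the allowlist, so it is denied here as well. "!@rx" negates the match.
SecRule REQUEST_HEADERS:Host "!@rx ^(?:www\.)?example\.com(?::\d+)?$" \
    "id:1002,phase:1,deny,status:403,log,t:lowercase,\
    msg:'Host header %{MATCHED_VAR} is not a configured site',\
    tag:'host-header-policy'"
```

Because both rules run in phase:1 (request headers), the body is never read and the decision is logged to the ModSecurity audit log with the rule id and tag, which is convenient for building a detection on direct-IP scanning. Keep SecRuleEngine On (not DetectionOnly) for the deny to take effect, and extend the regex alternation as you add sites.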