As we have stressed in earlier posts at Dedicated Server School, regularly checking Linux server log files is a crucial part of server management. Knowing what is going on in your logs is a great way to detect attempts to breach your security and to put early countermeasures in place. The question you might ask yourself, however, is what you should do when you see attempts to harm your server in your logs.
One thing you can do is block IP addresses and hosts that repeatedly cause problems, whether they are security related or otherwise. This method is not foolproof, but it can help in situations where the attacker often uses the same IP address or hostname and is not smart enough to mask it.
With Apache HTTP Server, there are a couple of ways to block unwanted clients. One is to use an access-control directive to block the IP address. The first thing to consider is whether you want to block the IP from the entire server (using the server configuration file) or from a specific website (using an .htaccess file).
The directive takes the following form:
Deny from address
To deny the IP address 00.01.003.004, you would enter:
Deny from 00.01.003.004
Another method is to deny a hostname, which, at times, may be more effective than denying an IP address. Use the following format:
Deny from host.domain.tld
In some cases, you may want to deny everyone and only allow a certain group in, which you can accomplish with the Order directive together with Deny and Allow:
Order deny,allow
Deny from all
Allow from users.domain.tld
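As an added example (not from the original post or from the Apache project), here is a Python script that ties the log-checking advice above to the directives: it counts 4xx responses per client IP in a few constructed Apache access-log lines, picks out repeat offenders, and emits matching Deny lines, plus the equivalent Apache 2.4 Require form, since 2.4 only provides Order, Allow and Deny through mod_access_compat. The sample lines, the threshold of three and the helper names are assumptions.

```python
import re
from collections import Counter

# Apache "combined" log line: client IP, ident, user, [time], "request", status, size, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic): one client probing for admin scripts, one ordinary visitor, one junk line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "curl/7.68.0"
198.51.100.4 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /xmlrpc.php HTTP/1.1" 404 210 "-" "curl/7.68.0"
198.51.100.4 - - [10/Oct/2023:13:55:41 +0000] "GET /missing.png HTTP/1.1" 404 210 "-" "Mozilla/5.0"
this line is not a valid log entry
"""

def count_client_errors(log_text):
    """Count 4xx responses per client IP; lines that do not parse are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("status").startswith("4"):
            counts[m.group("ip")] += 1
    return counts

def repeat_offenders(log_text, threshold=3):
    """IPs with at least `threshold` 4xx responses (the threshold is an assumed value)."""
    return sorted(ip for ip, n in count_client_errors(log_text).items() if n >= threshold)

def deny_directives(ips):
    """Apache 2.2-style block list. 'Order allow,deny' lets Deny win over 'Allow from all';
    with the default 'deny,allow' the Deny lines would be overridden and nobody blocked."""
    lines = ["Order allow,deny", "Allow from all"]
    lines += ["Deny from %s" % ip for ip in ips]
    return "\n".join(lines)

def require_directives(ips):
    """The same policy in the Apache 2.4 mod_authz_host syntax."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += ["    Require not ip %s" % ip for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    blocked = repeat_offenders(SAMPLE_LOG)
    print(deny_directives(blocked) + "\n" + require_directives(blocked))
```

Paste the printed block into the server configuration or an .htaccess file, and remember that a Deny by hostname (as in the section above) makes Apache do a reverse DNS lookup on every request, while an IP-based Deny does not.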
For more information about Apache access directives, consult the Apache 2 documentation online.