Deny Specific Incoming IP to Webserver

Yogi_Bear_79

I would like to be able to deny specific IPs from ever hitting my Apache web
server. I can Deny them via the httpd.conf file, but that only stops them
from getting my pages; they still know the server exists.

I tried via the IP Security Policies in MMC but my test computer still
showed up in the Apache log. Since I have port 80 forwarded through my SOHO
router to my WebServer, is it possible to actually deny a specific IP from
seeing the open port?

Any suggestions of a not overly intrusive software firewall, or a built-in
ACL, or filter would be greatly appreciated.
 
S

Steven L Umbach

Ipsec should work if configured correctly and will block the IP at the
network layer before the application ever sees it. The link below may help
with ipsec filtering policy configuration. Your SOHO router may or may not
be able to do what you want depending on its capabilities. "Real" firewalls
would allow you to add a firewall rule that blocks access from a specific IP,
and the ordering of firewall rules is important to make sure the more
specific rules are processed before the general rules. Ipsec rules are not
dependent on the order they are listed but instead are assigned a weight,
with more specific rules taking precedence over general rules. Let me know
if you still have problems with ipsec. --- Steve

http://www.securityfocus.com/infocus/1559
 
Y

Yogi_Bear_79

Steve,

While I am reading the page you sent me, I wanted to let you know that
my SOHO is a Linksys BEFCMU10. It appears the FIREWALL portion is only
for outbound. Seems odd that it wouldn't filter inbound.
 
Y

Yogi_Bear_79

Steven,

First off, thank you very much. With that site as a tutorial I was able to do
exactly what I wanted. The unwanted IPs have stopped showing up in my Apache
logs. I also ran two independent port scans, then blocked the port
scanners. On the second pass they found nothing! The only thing that would
make this better is knowing where XP stores the info; I would like to
possibly write a small script to add them quickly, although, admittedly,
it doesn't take but a minute or so to add them via the MMC.



Steven L Umbach said:
Many of the consumer type devices do not allow you to create individual
rules for inbound exceptions as they generally allow you to port forward
only. I use a Netscreen 5XP here at home that can filter inbound
connections. I see them on Ebay [see link below] for as little as $69 used
for a unit that allows 10 outbound connections [unique IP
addresses]. --- Steve

http://cgi.ebay.com/NetScreen-5XP-N...837680629QQcategoryZ64020QQrdZ1QQcmdZViewItem
 
S

Steven L Umbach

You can export ipsec policy and then import it into other computers via
Local Security Policy/IP Security MMC, or you can take a look at command line
scripting of ipsec policies, which I avoid because it makes my head spin
since you have to use different commands for W2K, XP Pro, and Windows 2003.
The links below may help if you want to try your hand at that. --- Steve

http://www.microsoft.com/technet/community/columns/secmgmt/sm0105.mspx
http://support.microsoft.com/default.aspx?scid=kb;en-us;813878
http://www.philscanlan.net/firewalls.htm --- see part on ipsec
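An added example, not Steve's or Yogi's own script, of the "block at the network layer" approach from the first reply and the command-line scripting mentioned here: it uses the `netsh ipsec static` context that Windows Server 2003 provides (XP Pro and W2K use separate tools with different syntax, as Steve notes), and assumes a text file `blocked-ips.txt` with one address per line; the policy, filter list and action names and the sample addresses are made up for the example.

```batch
@echo off
rem Added example (not from this thread): build an IPsec block policy on
rem Windows Server 2003 with "netsh ipsec static" and add one filter per
rem address listed in blocked-ips.txt. Run from an elevated command prompt.
setlocal

set POLICY=BlockHosts
set FLIST=BlockedHosts
set FACTION=BlockAction
set IPLIST=blocked-ips.txt

rem Constructed sample list (documentation-only addresses, not real hosts).
rem Redirection is placed before the command so "...10>" is not parsed
rem as a redirect of handle 0.
if not exist "%IPLIST%" (
  >"%IPLIST%"  echo 192.0.2.10
  >>"%IPLIST%" echo 198.51.100.7
)

rem Policy container, filter list and a "block" filter action.
rem "add" simply reports an error if the object already exists.
netsh ipsec static add policy name=%POLICY% description="Drop traffic from listed hosts"
netsh ipsec static add filterlist name=%FLIST%
netsh ipsec static add filteraction name=%FACTION% action=block

rem One filter per address: TCP from that host to this machine's port 80.
rem mirrored=yes also matches the reverse direction so replies are covered.
rem Lines starting with # in the list are skipped as comments.
for /f "usebackq eol=# tokens=1" %%A in ("%IPLIST%") do (
  echo Blocking %%A
  netsh ipsec static add filter filterlist=%FLIST% srcaddr=%%A dstaddr=Me protocol=TCP srcport=0 dstport=80 mirrored=yes description="blocked host %%A"
)

rem Bind list and action into a rule, then assign the policy.
rem Only one IPsec policy can be assigned at a time; assigning this one
rem unassigns whatever was active before, so fold existing rules into it.
netsh ipsec static add rule name=BlockHostsRule policy=%POLICY% filterlist=%FLIST% filteraction=%FACTION%
netsh ipsec static set policy name=%POLICY% assign=y

rem Check the result: every listed address should appear in the filter list.
netsh ipsec static show filterlist name=%FLIST% level=verbose
endlocal
```

Because the filter is applied by the IPsec driver, a blocked host gets no SYN/ACK and no reset from port 80, which is why the blocked scanners in the thread reported nothing on the second pass rather than a "closed" port.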


Mike Fields

Yogi_Bear_79 said:
I would like to be able to deny specific IPs from ever hitting my Apache web
server. I can Deny them via the httpd.conf file, but that only stops them
from getting my pages, they still know the server exists.

I tried via the IP Security Policies in MMC but my test computer still
showed up in the Apache log. Since I have port 80 forwarded through my SOHO
router to my WebServer, is it possible to actually deny a specifi IP from
seeing open port?

Any suggestions of a non overly intrusive software firewall, or a built in
ACL, or filter would be greatly appriciated.

Trying to keep your ISP from discovering you have a web server?

I know Comcast in the past has often probed looking for that sort
of stuff.