Security: Apache: using tcp wrappers

(last edit: 2002-06-27)


Apache is a fine webserver, but what if you would like to control who may connect to your websites? You could set up a firewall, or you could use tcp wrappers. This article describes how to set that up.

Configuring Apache

You don't have to recompile Apache, you only have to change its configuration. Apache 1.x has no tcp wrappers support built in, but it can be started from inetd, and then inetd (or tcpd) does the wrapping for it. Somewhere in httpd.conf is a line beginning with "ServerType" followed by "standalone", which means exactly what it says. Change "standalone" to "inetd". Stop Apache with "apachectl stop" if it is running (don't forget to be root). Two caveats: the ServerType directive exists only in Apache 1.x (it was removed in Apache 2.0, which cannot be run from inetd this way), and in inetd mode a fresh httpd is forked for every connection and reads its whole configuration each time, so this setup is far slower than standalone mode and only suited to low-traffic sites.

Configuring inetd

Add the following line to "/etc/inetd.conf":

  http stream tcp nowait root /usr/local/sbin/httpd httpd

Then do a "killall -HUP inetd" as root and you're set. Two things to check. First, the last field is the process name (argv[0]) the daemon is started under, and that name, "httpd", is what the hosts.allow rules below refer to; if you change one, change the other. Second, this line is only wrapped if your inetd is linked against libwrap (check its manual page; xinetd and some BSD inetds are, the classic Linux netkit inetd is not). If yours is not, nothing here is protected: run httpd through tcpd instead, i.e. put the path to tcpd in the program field and httpd's path in the argument field, exactly as for any other wrapped service in that file.

Allowing IPs

You can allow or deny IPs connecting to httpd. This is done with tcp wrappers; the configuration file is "/etc/hosts.allow", and the daemon name to use in it is "httpd". Lines are tried in order and the first match wins. Make sure the last line in this file is "ALL : ALL : DENY": it blocks every connection that did not match a line above it. If you forget this line, or don't want it, then you have to specify explicit 'deny' rules for 'httpd', because a client that matches nothing in hosts.allow or hosts.deny is let in by default. The trailing ALLOW/DENY field is the extended syntax of hosts_options(5); it needs a tcpd/libwrap built with option support, which nearly all are. Two setups (the empty middle field is where your allowed clients go, e.g. a network/netmask pair or an address prefix ending in a dot):

Setup 1:

  httpd : : ALLOW
  ALL : ALL : DENY

Setup 2:

  httpd : : ALLOW
  httpd : ALL : DENY

Setup 1 denies all connections (not just to httpd) except the httpd ones we allow (this is the best setup IMHO); note that it also locks out every other wrapped service on the machine that has no ALLOW line above it. If you don't want that, make sure you specify a 'deny' line for httpd, as in setup 2.
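To see what the two setups actually do before putting them on a box, here is a small model of tcpd's hosts_access matching. It is an added example written for this article, not the article's own code and not code from tcp_wrappers; it handles the subset the article uses plus EXCEPT lists and trailing-dot prefixes, skips hostname lookups and the other checks the real tcpd makes, and fills the blank client field above with an assumed allowed network, 192.168.1.0/255.255.255.0. The function names are its own. It also includes the check a practitioner wants: rules shadowed by an earlier catch-all, and a file with no DENY for httpd at all.

```python
"""Toy model of tcp_wrappers' hosts_access(5) matching, used to check a
hosts.allow file before it goes on a real box.  Added example, not code
from the article or from tcp_wrappers.  Covers: daemon list, client list,
the extended ALLOW/DENY option of hosts_options(5), the ALL wildcard,
EXCEPT, net/mask pairs and trailing-dot prefixes.  Skips hostname
lookups and the other checks the real tcpd makes.  The allowed network
192.168.1.0/255.255.255.0 is an assumption standing in for the client
field the article leaves blank."""
import ipaddress


def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into (daemons, clients, verdict)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        verdict = None  # no ALLOW/DENY option: the file's default applies
        for option in fields[2:]:
            if option.upper() in ("ALLOW", "DENY"):
                verdict = option.upper()
        rules.append((fields[0].split(), fields[1].split(), verdict))
    return rules


def client_match(pattern, addr):
    """Match one client pattern against an IPv4 address given as a string."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # "192.168.1." matches 192.168.1.*
        return addr.startswith(pattern)
    return pattern == addr


def daemon_match(pattern, daemon):
    """Daemon names match exactly or via ALL."""
    return pattern == "ALL" or pattern == daemon


def list_match(patterns, value, matcher):
    """A list matches if something before EXCEPT matches and nothing after it does."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return (list_match(patterns[:i], value, matcher)
                and not list_match(patterns[i + 1:], value, matcher))
    return any(matcher(p, value) for p in patterns)


def hosts_access(daemon, addr, hosts_allow, hosts_deny=""):
    """True if tcpd would let addr reach daemon.  Same order as the real thing:
    first match in hosts.allow decides, then first match in hosts.deny, and a
    client that matches nothing at all is granted access."""
    for text, default in ((hosts_allow, "ALLOW"), (hosts_deny, "DENY")):
        for daemons, clients, verdict in parse_rules(text):
            if list_match(daemons, daemon, daemon_match) and list_match(clients, addr, client_match):
                return (verdict or default) == "ALLOW"
    return True


def check_hosts_allow(text):
    """Warnings worth reading before trusting the file: rules after an
    ALL : ALL line can never match, and without a catch-all DENY (or an
    httpd-specific one) unmatched clients fall through to hosts.deny and
    then to tcpd's default of letting them in."""
    warnings = []
    rules = parse_rules(text)
    catch_all_seen = False
    for n, (daemons, clients, _) in enumerate(rules, 1):
        if catch_all_seen:
            warnings.append("rule %d is shadowed by an earlier ALL : ALL rule" % n)
        if daemons == ["ALL"] and clients == ["ALL"]:
            catch_all_seen = True
    httpd_denied = any(("httpd" in d or "ALL" in d) and c == ["ALL"] and v == "DENY"
                       for d, c, v in rules)
    if not httpd_denied:
        warnings.append("no catch-all DENY for httpd: unmatched clients get in")
    return warnings


# The article's two setups, with the assumed client network filled in.
SETUP1 = """
httpd : 192.168.1.0/255.255.255.0 : ALLOW
ALL   : ALL                       : DENY
"""
SETUP2 = """
httpd : 192.168.1.0/255.255.255.0 : ALLOW
httpd : ALL                       : DENY
"""

if __name__ == "__main__":
    probes = (("httpd", "192.168.1.5"), ("httpd", "10.0.0.7"), ("sshd", "192.168.1.5"))
    for name, setup in (("setup 1", SETUP1), ("setup 2", SETUP2)):
        print(name, check_hosts_allow(setup) or "ok")
        for daemon, addr in probes:
            verdict = "allow" if hosts_access(daemon, addr, setup) else "deny"
            print("  %s from %s: %s" % (daemon, addr, verdict))
```

Running it shows the difference the article describes: with setup 1 an sshd connection from the allowed network is denied too, with setup 2 it falls through and is allowed. On a real system the equivalent check is the tcpdmatch and tcpdchk tools that ship with tcp_wrappers, e.g. "tcpdmatch httpd 192.168.1.5", which also exercise the hostname lookups this model leaves out.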


I've run Apache from inetd and the protection works great. The disadvantage is that Apache is slow, and it slows down more as more users connect to it. I guess this is the price you have to pay. If someone knows the answer to this, let me know. It isn't the 'nowait'/'wait' option in inetd; I've read the documentation and tried them both.
