Security: Apache: using tcp wrappers(last edit: 2002-06-27)
Apache is a fine webserver but what if you would like to control who views your
websites? You could setup a firewall or you could use tcpwrappers. This article
describes how you can set this up.
You don't have to recompile apache, you just have to alter you configuration.
Apache doesn't come with tcpwrappers support (dunno if you can compile it in) but
you can run it from inted.
Somewhere in your configuration file is a line beginning with "ServerType" followed
by "standalone". This means exactly what is says. Change the "standalone" to
"inted". Stop apache with "apachectl stop" if it is runnen (don't forget to be root).
Add the following line to the "/etc/inetd.conf":
http stream tcp nowait root /usr/local/sbin/httpd httpd
Do a "killall -HUP inetd" as root and you're set.
You can allow / disallow ip's from connecting to the httpd. This is done with
tcp wrappers. The configuration file is "/etc/hosts.allow".
Make sure the last line in this file is "ALL : ALL : DENY". This makes sure that all
ip's which don't match any line above this one are blocked. If you forget this line or
you don't want to do this then you have to make sure you specify 'deny' rules for
httpd : 220.127.116.11 18.104.22.168 22.214.171.124 : ALLOW
ALL : ALL : DENY
httpd: 126.96.36.199 188.8.131.52 184.108.40.206 : ALLOW
httpd: ALL : DENY
Setup 1 just denies all connections (not just to httpd) except the httpd ones we
allow (this is the best setup IMHO). If you don't want to do this make sure you
specify a 'deny' line for httpd like setup 2.
I've runed apache from inetd and the protection works great. The disavantage is the
apache is slow and slows down more when more users connect to it. I guess this
is the price you have to pay. If someone knows the answer to this let me know on
i do get it. It isn't the
'nowait'/'wait' option in inetd, i've read the documentation and tried them both.
Click here to go back to the index.