On Thu, 2014-10-02 at 09:44 -0700, Paul Heinlein wrote:
On Thu, 2 Oct 2014, jwyeth.arch@gmail.com wrote:
Another good trick to keep IP-based scanners off your back is to make sure that all HTTP requests have a valid Host: header. In Apache, it's easy. The first-listed <VirtualHost> declaration is the default if a client fails to provide a Host: header in the request. So the initial virtual host is basically a deny-all container, e.g.,

  <VirtualHost *:80>
    ServerSignature off
    <Location />
      <RequireAny>
        Require local
        Require ip [some administrative IP addr]
      </RequireAny>
    </Location>
  </VirtualHost>

  <VirtualHost *:80>
    ServerName www.you.com
    # the real work happens here ...
  </VirtualHost>

All my web sites are configured as virtual hosts. The 'empty' default web site (one on every server) redirects all requests to 127.0.0.1. Sometimes I change this to a Chinese consumer site. Why give the hackers and pests an opportunity to annoy you - send them away before their requests can be done to your web site.
xx.xx.xx.xx is the web server's IP address. Some of the configuration relates to the previous system of banning every IP directly accessing the server's IP address.

  <VirtualHost xx.xx.xx.xx:80>
    DocumentRoot /data/web/do/default/www
    ServerName xx.xx.xx.xx
    CustomLog /data/web/weblogs/acc.000118 combined
    ErrorLog /data/web/weblogs/err.000118.w
    DirectoryIndex banned.php
    HostnameLookups Off
    <Directory /data/web/do/default/www/>
      RedirectMatch permanent ^/(.*)$ http://127.0.0.1/
    </Directory>
  </VirtualHost>

The real web sites have entries beginning with, for example, ...
<VirtualHost example.com:80 www.example.com:80>
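
Added illustration, not part of either poster's message or configuration: a simplified Python model of the name-based virtual host selection both configurations rely on, showing which requests land in the first-listed catch-all container. The names VHOSTS, normalize_host and select_vhost, the ServerAlias entries and the sample Host values are constructed for this example.

```python
# Added example: simplified model of Apache name-based virtual host selection.
from fnmatch import fnmatchcase

# Constructed vhost list in configuration-file order:
# (label, ServerName, [ServerAlias patterns]).
# The first entry plays the role of the deny-all default container.
VHOSTS = [
    ("default-deny", None, []),
    ("www.you.com", "www.you.com", ["you.com", "*.you.com"]),
]


def normalize_host(host_header):
    """Lower-case the Host value, drop any :port and trailing dot.

    Returns None when the request carries no usable Host header.
    """
    if not host_header:
        return None
    host = host_header.strip().lower()
    if host.startswith("["):  # IPv6 literal such as [::1]:80
        return host.split("]")[0] + "]"
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") or None


def select_vhost(host_header, vhosts=VHOSTS):
    """Return the label of the vhost that would serve the request."""
    host = normalize_host(host_header)
    if host is not None:
        for label, server_name, aliases in vhosts:
            if server_name and host == server_name.lower():
                return label
            if any(fnmatchcase(host, alias.lower()) for alias in aliases):
                return label
    # No Host header, or a Host that matches no ServerName/ServerAlias:
    # the first-listed vhost handles the request.
    return vhosts[0][0]


if __name__ == "__main__":
    # Constructed Host values: real site names, a bare IP, an unknown name, no header.
    for sample in ["www.you.com", "WWW.You.Com:80", "shop.you.com",
                   "203.0.113.10", "scanner.invalid", None]:
        print(repr(sample), "->", select_vhost(sample))
```

A Host value that names no configured site, such as the server's bare IP address, is treated the same way as a missing header, so the catch-all container covers both cases.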