Feature Suggestion


3 replies to this topic

#1 Yoni

Yoni

    Support Team Member

  • Support Team
  • 97 posts
  • Gender:Male
  • Main OS: Other

Posted 06 March 2012 - 03:41 AM

Hi,

I would like to see an option in UniServer to deny access to specific IP addresses. I believe this would be a useful feature, especially for those running more than a single website. Is it something that could be considered for any upcoming release?

Yoni


#2 traxxus

traxxus

    Member

  • Member
  • 80 posts
  • Location:Switzerland
  • Main OS: Windows 7

Posted 06 March 2012 - 04:40 AM

You can allow or deny IPs or IP ranges with the .htaccess file.

#3 Yoni

Yoni

    Support Team Member

  • Support Team
  • 97 posts
  • Gender:Male
  • Main OS: Other

Posted 06 March 2012 - 06:22 AM

> You can allow or deny IPs or IP ranges with the .htaccess file.

We can go that route, although there are things to consider when using .htaccess to do this.

1- Inconvenience.
In the case of vhosts, you have more than one site running on your server, so it is painful to go and update the .htaccess rules for each one of them to block a certain IP that has been misbehaving. You don't wait for that IP to hit any other of your sites; you want to block it from accessing your server, period. This is common practice in production environments. Otherwise you will have to work for script kiddies and bad bots 24/7.


2- Performance
In general, you should never use .htaccess files unless you don't have access to the main server configuration file. .htaccess files can degrade your server's performance considerably. When AllowOverride is set to allow the use of .htaccess files, Apache will look in every directory for .htaccess files. Thus, permitting .htaccess files causes a performance hit, whether or not you actually even use them! So every time you create an .htaccess file in a directory, remember that Apache will be cycling over it over and over again.

Let's say for example you have a structure as following:

/.htaccess
/www/.htaccess
/www/site1/.htaccess
/www/site1/example/.htaccess

For each file access out of that directory (/www/site1/example/), Apache actually cycles over 4 additional file-system accesses, even if none of those files are present.

On the other hand, putting this configuration in your server configuration file will result in less of a performance hit, as the configuration is loaded once when Apache starts, rather than every time a file is requested.

This is the reason why I'm requesting the DEV team to consider a simple way to add/block specific IPs by using the GUI to make it less of a hassle to add IPs to a config file.

Also, I'm asking this because users can edit the server root config file from within UniServer's console but not the vhosts.conf file which is where many of your site's config will reside.

Last but not least, I try to skip the www folder to host any site 99.99% of the time. Many people running UniServer open to the world leave much info available for the bad guys to do their job. Let me give you a concrete example to make it clearer.

Admins use vhosts for convenience, so in the case of UniServer a user browsing to http://unlockforus.com will hit a vhost; that's fine. What happens in the case of the bad guys? They completely ignore your domain name and instead they always focus on your server's IP.

Pinging unlockforus.com resolves to 75.74.61.88. So if you browse to http://75.74.61.88 you will in fact hit the UniServer page of the UniServer installation and not unlockforus.com, providing the bad guy a lot of information you certainly do not want to make easy for them to figure out.

Let me show you a live example

http://rogerstuart.com/ --> This guy is running on Uniform Server 7.1.2-Orion, Apache 2.2.19, MySQL 5.5.14, PHP 5.3.6. It was just a matter of browsing to its IP address instead of the domain name...
http://66.116.74.45/

Yoni
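One way to do what this post asks for, blocking an address for every site from the server configuration instead of from per-directory .htaccess files. This is an added example, not code from the original posts or from the Uniform Server project; it uses Apache 2.2 syntax (the version named in the post) and all paths and addresses are constructed placeholders:

```apache
# --- httpd.conf (or a file it Includes) ---------------------------------
# Added example, not part of the original post or of Uniform Server.
# Apache 2.2 directives. Paths and addresses are placeholders.

# AllowOverride None switches off the per-directory .htaccess lookup
# entirely, so Apache never opens /.htaccess, /www/.htaccess, ... on
# each request. This is what removes the file-system walk described
# in the post, not merely leaving the files out.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Placeholder document root of the default site.
<Directory "C:/UniServer/www">
    Options -Indexes
    AllowOverride None
    Order allow,deny
    Allow from all
    # The block list is pulled in here; see below.
    Include conf/blocked-ips.conf
</Directory>

# A vhost picks up the same list through one Include in its own
# <Directory> block, so the list itself is edited in a single place.
<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "C:/UniServer/vhosts/example.com"
    <Directory "C:/UniServer/vhosts/example.com">
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
        Include conf/blocked-ips.conf
    </Directory>
</VirtualHost>

# --- conf/blocked-ips.conf ----------------------------------------------
# Only Deny lines live in this file (a GUI or script can rewrite it).
# The surrounding <Directory> supplies "Order allow,deny / Allow from all",
# so the result is "everyone except the addresses listed here".
# Apache reads it once at start-up; restart after each change.

# single misbehaving host (placeholder)
Deny from 203.0.113.7
# a whole range in CIDR form (placeholder)
Deny from 198.51.100.0/24
# a partial address, which Apache treats as a subnet (placeholder)
Deny from 192.0.2
```

The tempting shortcut of one `<Location />` block in the main server section is deliberately avoided: in Apache 2.2 the Order/Allow/Deny directives are not merged between sections, so a `<Location />` that sets them replaces whatever a `<Directory>` section set for the same request, including a `Deny from all` on a private directory. Including a file that holds only `Deny` lines inside each document root's `<Directory>` block keeps that per-directory protection intact while still keeping the list in one file. Note also that Apache 2.2 does not allow comments on the same line as a directive, which is why every comment above sits on its own line.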


#4 BobS

BobS

    Project Helper

  • Super Moderator
  • 334 posts
  • Location:Santiago Chile
  • Interests:Retiring, computer systems, system design, model railroads....
  • Wiki ID: BobS
  • Main OS: Windows 7

Posted 06 March 2012 - 08:25 AM

Okay,
So there are two issues here.
One is to put an IP-block in httpd.conf, which should avoid the .htaccess situation. I assume (for now) that you want a GUI interface rather than just editing the conf file directly.
However, I'm having a problem with this statement:

> Also, I'm asking this because users can edit the server root config file from within UniServer's console but not the vhosts.conf file which is where many of your site's config will reside.


Since Windows has a god/peons approach to security, this can't be achieved in a default Windows environment. It goes against our "Don't change Windows" directive. That's why I suggest Wiki articles to describe hardening in detail. It's left as an exercise for the user. :)

The other issue is the security aspect of IP vs name. If, however, I remove the ability to see the normal info in www by doing some hardening, then we have at least plugged an information leak, right? Your example shows that too much stuff is available in www.
Sounds like yet another page for the Wiki to me.

Regards,
BobS
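The IP-versus-name leak discussed in the last two posts can be closed in the server configuration with a catch-all virtual host. The following is an added example, not code from the original posts or from the Uniform Server project; it uses Apache 2.2 syntax and the host names and paths are constructed placeholders:

```apache
# Added example, not part of the original posts or of Uniform Server.
# Apache 2.2 directives. Names and paths are placeholders.

# Stop advertising component versions in the Server header and on
# error pages; the post's live example read versions straight off
# the site that answered for the bare IP.
ServerTokens Prod
ServerSignature Off

Listen 80
NameVirtualHost *:80

# The FIRST <VirtualHost> for an address:port is the default: it
# answers every request whose Host header matches no other vhost,
# which includes requests made to the raw IP address. It gets an
# empty, locked-down document root (create the directory; it stays
# empty) so a visitor who bypasses the domain name gets a 403, not
# the server's landing page. Its own log makes such probing easy
# to spot, because legitimate visitors arrive by name.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot "C:/UniServer/empty"
    CustomLog logs/default-vhost.log combined
    <Directory "C:/UniServer/empty">
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>

# Real sites follow and are reached only by their names.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "C:/UniServer/vhosts/example.com"
    <Directory "C:/UniServer/vhosts/example.com">
        Options -Indexes
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

Ordering is what matters here: if the site that used to live in www is listed first, it remains the default and the bare IP keeps landing on it. These directives only control what Apache itself sends; the version details shown by the UniServer landing page are page content and go away with the page, and PHP adds its own `X-Powered-By` header unless `expose_php = Off` is set in php.ini.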



