IPSET-NG Apache access module

The IPSET-NG Apache module is part of the IPSET-NG package and filters traffic by client IP address according to several criteria. Additional request fields, such as User-Agent, Referer, Cookie and Authorization, can be passed to the module. Filtering by geographic data is also possible; it requires the GeoIP library from MaxMind. During operation the module needs a connection to the IPSETD-NG server, of which it is the remote part.

To build this Apache module from the IPSET-NG package, unpack the downloaded archive and run:

  • make clean ; make apache to build the standalone version.
  • make clean ; make apachessl to build the SSL version.

More about the build process, keys and options can be found in the section: tuning and compile options

Configuration in Apache httpd.conf:

Main parameters in the global configuration:

Field                   Description
IPSNGEngine             enable the module: on | off
IPSNGLog                write the access decision to the log: on | off
IPSNGServer             remote server IP address (only when compiled with -DIPSET_NG_INET_ADDR)
IPSNGPort               remote server UDP or TCP-SSL port number
IPSNGHttpDefaultReturn  default HTTP return code: 403 | 444 | 0 (access granted) | etc.
IPSNGSSL                connect to the remote server over SSL: on | off
IPSNGSSLCert            path to the SSL file containing certificate + CA + key
IPSNGSSLTimeout         SSL session timeout in seconds, default 15

Directory/Location parameters in the host configuration:

Field                   Description
IPSNGList               name of the server table
IPSNGType               type of ipset table: black | white | add
IPSNGCommand            ipset command applied to the client IP in the table: test | add
IPSNGTimeoutIP          lifetime of the IP entry in the ipset table, 0 -> 655000 (only when IPSNGCommand is add)
IPSNGHttpReturnCode     HTTP return code: 403 | 444 | 0 (access granted) | etc.
IPSNGHttpURLRedirect    redirect URL string, for example /path/to/file.html
IPSNGDnsbl              secondary check in a DNSBL list when the IP is not found in the server table: on | off
IPSNGGeoType            type of GeoIP result: black | white
IPSNGGeoCommand         GeoIP lookup: asn | isp | country2 | country3 | city
IPSNGGeoCompare         strings compared with the result of the GeoIP command
IPSNGUserScript         name of the user script (script.js); ipset-ng looks for it in the directory set by [userscript] -> base in the configuration file
IPSNGUserScriptType     type of the user-side JS script check: black | white
IPSNGUserScriptCompare  request header field whose value is sent to the user-side JS script

Apache request header fields that can be used in IPSNGUserScriptCompare:

Field                Description
Accept               Lists acceptable media types for the server to present in response
Accept-Charset       Lists character sets the client will accept
Accept-Encoding      Lists encodings the client will accept
Accept-Language      Lists languages the client is most interested in
Authorization        A series of authorization fields
Cookie               Describes a client cookie
Host                 Name of the requested host server
If-Match             The entity tag of the client's cached version of the requested resource
If-Modified-Since    An HTTP-formatted date for the server to use in resource comparisons
If-None-Match        A list of entity tags representing the client's possible cached resources
If-Unmodified-Since  An HTTP-formatted date for the server to use in resource comparisons
Referer              An absolute or partial URI of the resource from which the current request was obtained
User-Agent           A string identifying the client software

Example of simple VirtualHost settings in httpd.conf:

    <VirtualHost *:80>
        ServerAdmin admin@server.ru
        DocumentRoot "/var/www/TEST"
        ServerName test.server.ru

        <IfModule mod_ipsetng.c>
        # general parameter settings
            IPSNGEngine off
            IPSNGLog on
            IPSNGServer 127.0.0.1
            IPSNGPort 1919
            IPSNGHttpDefaultReturn 403
        </IfModule>
    
        <Directory "/var/www/TEST">
            Options FollowSymLinks +Includes ExecCGI
            AllowOverride all
            Order allow,deny
            Allow from all
        </Directory>

        <Directory "/var/www/TEST/0">
            <IfModule mod_ipsetng.c>
            # check IP address in black list,
            # if found - access denied
                IPSNGEngine on
                IPSNGLog on
                IPSNGList black blacklist 403
                IPSNGDnsbl on
            </IfModule>
        </Directory>

        <Directory "/var/www/TEST/1">
            <IfModule mod_ipsetng.c>
            # check IP address in white list,
            # if not found - access denied
                IPSNGEngine on
                IPSNGLog on
                IPSNGList white whitelist 403
                IPSNGDnsbl on
            </IfModule>
        </Directory>

        <Directory "/var/www/TEST/2">
            <IfModule mod_ipsetng.c>
            # check the IP address using a JavaScript user script,
            # set the processing type to 'black list'
            # and send the 'User-Agent' header value as the compare string
                IPSNGEngine on
                IPSNGUserScript black test.js User-Agent
            </IfModule>
        </Directory>

        <Directory "/var/www/TEST/3">
            <IfModule mod_ipsetng.c>
            # flush server table testtbl2
                IPSNGEngine on
                IPSNGTable flush testtbl2
            </IfModule>
        </Directory>

        <Directory "/var/www/TEST/4">
            <IfModule mod_ipsetng.c>
            # check IP address in white list,
            # if not found - redirect to /redir/test-redir.html
                IPSNGEngine on
                IPSNGLog on
                IPSNGList white testtbl1 /redir/test-redir.html
            </IfModule>
        </Directory>

        <Directory "/var/www/TEST/5">
            <IfModule mod_ipsetng.c>
            # check IP address in white list,
            # if not found - redirect to http://www.site.ru/
                IPSNGEngine on
                IPSNGLog on
                IPSNGList white testtbl1 http://www.site.ru/
                IPSNGDnsbl off
            </IfModule>
        </Directory>

        <Directory "/Clients/WWW/TEST/6">
            <IfModule mod_ipsetng.c>
            # check the IP address using Geo location,
            # set the processing type to 'black list';
            # if the result matches a value in 'IPSNGGeoCompare' - access denied
                IPSNGEngine on
                IPSNGLog on
                IPSNGGeo black asn
                IPSNGGeoCompare AS4123 AS5432 AS8976 AS3267 AS6547 AS93521 AS5004
                IPSNGDnsbl off
            </IfModule>
        </Directory>

        <Directory "/Clients/WWW/TEST/7">
            <IfModule mod_ipsetng.c>
            # check the IP address using Geo location,
            # set the processing type to 'white list';
            # if the result matches a value in 'IPSNGGeoCompare' - access granted
                IPSNGEngine on
                IPSNGLog on
                IPSNGGeo white asn
                IPSNGGeoCompare AS4123 AS5432 AS8976 AS3267 AS6547 AS93521 AS5004
                IPSNGDnsbl off
            </IfModule>
        </Directory>

    </VirtualHost>


Examples of string comparison with the result of the GeoIP command:

        <Directory "/Clients/WWW/TEST/77">
            <IfModule mod_ipsetng.c>
            IPSNGGeoCommand asn
            IPSNGGeoCompare AS4321 AS765 AS9876 AS... etc
            IPSNGGeoType white
            </IfModule>
        </Directory>

        <Directory "/Clients/WWW/TEST/88">
            <IfModule mod_ipsetng.c>
            IPSNGGeoCommand isp
            IPSNGGeoCompare "Prov of chaos" "Net of corse..." etc
            IPSNGGeoType black
            </IfModule>
        </Directory>

        <Directory "/Clients/WWW/TEST/99">
            <IfModule mod_ipsetng.c>
            IPSNGGeoCommand city
            IPSNGGeoCompare Rostov-na-Dony Moscow Sevastopol
            IPSNGGeoType white
            </IfModule>
        </Directory>

        <Directory "/Clients/WWW/TEST/100">
            <IfModule mod_ipsetng.c>
            IPSNGGeoCommand country3
            IPSNGGeoCompare USA ENG FRA
            IPSNGGeoType black
            IPSNGHttpURLRedirect /pindosia_go_home.html
            </IfModule>
        </Directory>


Example VirtualHost settings with an SSL connection to the server in httpd.conf:

    <VirtualHost *:80>
        ServerAdmin admin@server.ru
        DocumentRoot "/var/www/TEST"
        ServerName test.server.ru

        <IfModule mod_ipsetng.c>
        # general parameter settings
            IPSNGEngine off
            IPSNGLog on
            IPSNGServer 127.0.0.1
            IPSNGPort 5000
            IPSNGHttpDefaultReturn 403
            IPSNGSSL on
            IPSNGSSLCert /etc/ipset-ng/ssl/cert.client-full.pem
            IPSNGSSLTimeout 30
        </IfModule>
    ...    

    </VirtualHost>



Trapping spam bots and bad robots

    <LocationMatch /(wp-|webadmin|webmaster|phpadmin|bitrix)/>
            Header set Cache-Control "no-store, no-cache, must-revalidate"
            # enable the module for this location (the global example sets it off),
            # add the requesting IP to the server table 'hackweb' and redirect
            IPSNGEngine on
            IPSNGCommand add
            IPSNGType add
            IPSNGList hackweb
            IPSNGHttpURLRedirect /hucker_suxx.html
    </LocationMatch>


and edit robots.txt:

    User-Agent: *
        Allow: /
        Disallow: /webadmin/
        Disallow: /webmaster/
        Disallow: /phpadmin/
        Disallow: /bitrix/
        Disallow: /wp-config.php
        Disallow: /wp-login.php


Malicious robots mostly read robots.txt to detect which software is installed and might be open to attack or have vulnerabilities, so the disallowed paths above draw them into the trap.
For simple scanning and URL enumeration, analyze the log files to find the URLs that are requested more and more often on your system. Add each such URL to a separate <Location> block and define the rules there that add the client to the blacklist when the URL is accessed.
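The log analysis described above, as an added example that is not part of the IPSET-NG package: it parses Apache combined-format access log lines, lists the paths that several distinct clients probed and got a 404 for, and renders a <LocationMatch> trap in the style of the page's example. The log lines, the table name hackweb and the redirect path are constructed or taken from the page, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" log format (not real requests).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /phpadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-login.php?x=1 HTTP/1.1" 404 196 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:13:57:11 +0000] "POST /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
"""

# Client IP, request line and status code are all that is needed from each entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def parse_log(text):
    """Yield (ip, path, status) for every parsable line; the query string is dropped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path").split("?", 1)[0], int(m.group("status"))


def probe_paths(text, status=404, min_clients=2):
    """Paths that returned `status` to at least `min_clients` distinct IPs, as
    (path, hits, clients) sorted by clients then hits, most probed first."""
    hits, clients = Counter(), defaultdict(set)
    for ip, path, code in parse_log(text):
        if code == status:
            hits[path] += 1
            clients[path].add(ip)
    rows = [(p, hits[p], len(clients[p])) for p in hits if len(clients[p]) >= min_clients]
    return sorted(rows, key=lambda r: (-r[2], -r[1], r[0]))


def trap_config(paths, table="hackweb", redirect="/hucker_suxx.html"):
    """Render a <LocationMatch> trap like the page's example: a client that
    requests one of `paths` is added to the server table and redirected."""
    alternation = "|".join(re.escape(p.strip("/")) for p in paths)
    return "\n".join([
        f"<LocationMatch ^/({alternation})>",
        "        IPSNGEngine on",
        "        IPSNGCommand add",
        "        IPSNGType add",
        f"        IPSNGList {table}",
        f"        IPSNGHttpURLRedirect {redirect}",
        "</LocationMatch>",
    ])
```

Feed the text of your real access_log to probe_paths and paste the output of trap_config into the VirtualHost; paths probed by a single client are left out so one-off typos do not become traps.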
