Re: 2.4 named virtual hosts question

On 12/09/16 12:03, Rainer Canavan wrote:

> I'm not 100% sure, but that may not deny access to absolutely everything, in case you have global
> directives such as cgi aliases or proxy constructs, possibly with mod_rewrite and [P] which point
> to non-directory resources.
>
> Therefore it may be better to use <Location> instead of <Directory>.

Thanks for noticing! Of course all other directives are supposed to be within virtualhosts, but worth changing just to be extra sure.

> Additionally, if you bind any further vhosts to specific IP addresses, e.g.
> <VirtualHost 192.0.2.1:80>, then that virtualhost will have precedence for
> requests to 192.0.2.1:80 over the *:80 virtualhost.

In this case you'll have to create a separate default deny configuration for each IP address, right?

> Overall, I'd say that such a construct is more likely to increase the attack surface
> instead of reducing it.

I don't think _denying_ something can _increase_ attack surface. But since there's seemingly demand for this kind of configuration it'd be nice if the community helped make it better and more secure. What extra steps do you think one should take to securely deny (and subsequently ban) clients (mostly bots) that do not even know the domain name they are accessing?

--

With Best Regards,
Marat Khalili
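
The layout discussed in this message, written out as an added example (not configuration posted by either participant): a first-listed default-deny virtual host for the wildcard listener and a second one for the address-bound listener, each using <Location>. The ServerName values and DocumentRoot paths are placeholders; 192.0.2.1 is the address used in the thread.

```apache
# Added example; all hostnames and paths below are placeholders.

# Listed first for *:80, so it is the default for requests whose Host
# header matches no ServerName/ServerAlias on the wildcard listener.
<VirtualHost *:80>
    ServerName default-deny.invalid
    # <Location> matches on the URL path rather than the filesystem path,
    # which is the reason given in the thread for preferring it over
    # <Directory>: aliased, CGI and proxied paths are covered too.
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"
</VirtualHost>

# Virtual hosts bound to 192.0.2.1:80 take precedence over *:80 for
# requests arriving on that address, so the wildcard default above is
# never consulted there. This address needs its own first-listed
# default-deny host.
<VirtualHost 192.0.2.1:80>
    ServerName default-deny-192-0-2-1.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost 192.0.2.1:80>
    ServerName app.example.com
    DocumentRoot "/var/www/app"
</VirtualHost>
```

Running `apachectl -S` prints the parsed virtual host table, including which host is the default server for each address and port, so it can be used to confirm that every listener resolves to a deny host.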