On 12/09/16 12:03, Rainer Canavan wrote:
> I'm not 100% sure, but that may not deny access to absolutely
> everything, in case you have global directives such as cgi aliases
> or proxy constructs, possibly with mod_rewrite and [P] which point
> to non-directory resources.
> Therefore it may be better to use <Location> instead of <Directory>.
Thanks for noticing! Of course all other directives are supposed to be
within virtualhosts, but worth changing just to be extra sure.
> Additionally, if you bind any further vhosts to specific IP addresses,
> e.g. <VirtualHost 192.0.2.1:80>, then that virtualhost will have
> precedence for requests to 192.0.2.1:80 over the *:80 virtualhost.
In this case you'll have to create a separate default deny configuration
for each IP address, right?
> Overall, I'd say that such a construct is more likely to increase the
> attack surface instead of reducing it.
I don't think _denying_ something can _increase_ attack surface. But
since there's seemingly demand for this kind of configuration it'd be
nice if the community helped make it better and more secure. What extra
steps do you think one should take to securely deny (and subsequently
ban) clients (mostly bots) that do not even know the domain name they are
accessing?
--
With Best Regards,
Marat Khalili
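
Added example, not part of either poster's message or configuration: a default-deny layout covering the two points raised in the thread, <Location> instead of <Directory> and one catch-all per bound address. It assumes Apache httpd 2.4 authorization syntax; every ServerName and DocumentRoot is a constructed placeholder.

```apache
# Assumption: Apache httpd 2.4 ("Require" syntax). Names and paths are placeholders.

# Catch-all for the wildcard address. It is listed first for *:80, so it is
# the default when no ServerName/ServerAlias matches the Host header.
<VirtualHost *:80>
    ServerName default-deny.invalid
    # <Location> matches the URL path rather than a filesystem path, which is
    # the reason given in the thread for preferring it over <Directory>.
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    DocumentRoot "/var/www/example"
</VirtualHost>

# Requests to 192.0.2.1:80 are matched against the IP-bound vhosts only and
# never fall through to *:80, so this address needs its own catch-all,
# again listed before the real site.
<VirtualHost 192.0.2.1:80>
    ServerName default-deny-192-0-2-1.invalid
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost 192.0.2.1:80>
    ServerName app.example.com
    DocumentRoot "/var/www/app"
</VirtualHost>
```

`apachectl -S` prints the parsed virtual host table, including which vhost is the default for each address:port, which confirms that every bound address resolves to its deny vhost first.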