A simple Apache module to blacklist remote hosts.
A simple Apache 2 module to blacklist remote visitors, by IP address.
This is a simple Apache module which performs an ACL check on each incoming HTTP request. If the remote visitor has been blacklisted, every access results in a 403 Forbidden response.
Access is tested, trivially, via a lookup of the visitor's remote IP address in a particular directory, which defaults to /etc/blacklist.d/. Note that the remote address Apache sees is that of the connecting TCP peer; behind a reverse proxy that is the proxy's address, not the original client's.
For example to blacklist the remote IP 1.2.3.4:
touch /etc/blacklist.d/1.2.3.4
This is 100% dynamic, and changes will be reflected immediately. Removing a previously blacklisted entry can be achieved via:
rm /etc/blacklist.d/1.2.3.4
The module is pretty lightweight: a single extra stat() call is made for each request to perform the access test. On a low-traffic server which is not otherwise I/O bound, this overhead should be minimal.
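The lookup described above, written out as a stand-alone example (added here; this is not the module's own source): the address is validated so that the resulting file name can never leave the prefix directory, then a single stat() decides the outcome. The helper names blacklist_check, blacklist_decision, blacklist_add and blacklist_remove, the 4096-byte path buffer and the throw-away directory under /tmp are assumptions made for this illustration; in the real module the check runs inside Apache's access hook and a blacklisted visitor would be refused with HTTP_FORBIDDEN. A malformed address is refused rather than let through, so the check fails closed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Accept only characters that can occur in a textual IPv4/IPv6 address.
 * Apache fills in the remote address itself, but validating it here means the
 * lookup name can never contain '/' or "..", so it cannot escape the prefix. */
static int ip_is_safe(const char *ip)
{
    size_t i, len;
    if (ip == NULL) return 0;
    len = strlen(ip);
    if (len == 0 || len > 45) return 0;   /* 45 = longest textual IPv6 form */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)ip[i];
        if (!isxdigit(c) && c != '.' && c != ':') return 0;
    }
    return 1;
}

/* The access test: one stat() of <prefix>/<ip>.
 * Returns 1 if the file exists (blacklisted), 0 if it does not, and -1 on a
 * malformed address, an empty prefix or an over-long path. */
int blacklist_check(const char *prefix, const char *ip)
{
    char path[4096];            /* assumed buffer size for this example */
    struct stat st;
    size_t plen;
    int n;

    if (prefix == NULL || (plen = strlen(prefix)) == 0 || !ip_is_safe(ip))
        return -1;
    /* Tolerate a prefix given with or without a trailing slash. */
    n = snprintf(path, sizeof path, "%s%s%s",
                 prefix, prefix[plen - 1] == '/' ? "" : "/", ip);
    if (n < 0 || (size_t)n >= sizeof path) return -1;
    return stat(path, &st) == 0 ? 1 : 0;
}

/* Map the lookup onto the decision the module makes in its access hook:
 * 403 when the visitor is blacklisted, 0 (decline, let the request continue)
 * otherwise. A malformed address is refused rather than let through. */
int blacklist_decision(const char *prefix, const char *ip)
{
    return blacklist_check(prefix, ip) == 0 ? 0 : 403;
}

/* Mirror "touch <prefix>/<ip>" and "rm <prefix>/<ip>" from the text, with the
 * same validation, so the demo can populate a throw-away prefix directory. */
int blacklist_add(const char *prefix, const char *ip)
{
    char path[4096];
    int fd;
    if (!ip_is_safe(ip)) return -1;
    snprintf(path, sizeof path, "%s/%s", prefix, ip);
    fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

int blacklist_remove(const char *prefix, const char *ip)
{
    char path[4096];
    if (!ip_is_safe(ip)) return -1;
    snprintf(path, sizeof path, "%s/%s", prefix, ip);
    return unlink(path);
}

int main(void)
{
    /* Constructed demo directory instead of /etc/blacklist.d/, so this runs unprivileged. */
    char dir[64];
    snprintf(dir, sizeof dir, "/tmp/blacklist-demo-%ld", (long)getpid());
    if (mkdir(dir, 0755) != 0) return 1;

    blacklist_add(dir, "1.2.3.4");                                         /* touch <dir>/1.2.3.4 */
    printf("1.2.3.4          -> %d\n", blacklist_decision(dir, "1.2.3.4"));        /* 403 */
    printf("5.6.7.8          -> %d\n", blacklist_decision(dir, "5.6.7.8"));        /* 0 */
    blacklist_remove(dir, "1.2.3.4");                                      /* rm <dir>/1.2.3.4 */
    printf("1.2.3.4 after rm -> %d\n", blacklist_decision(dir, "1.2.3.4"));        /* 0 */
    printf("../etc/passwd    -> %d\n", blacklist_decision(dir, "../etc/passwd"));  /* 403 */

    rmdir(dir);
    return 0;
}
```

Because the decision is a fresh stat() on every request, a touch or rm in the prefix directory takes effect on the very next request, which is the "100% dynamic" behaviour described above.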
Assuming you have the appropriate Apache development package(s) installed on your host, it can be compiled with apxs:
apxs2 -c mod_blacklist.c
The Makefile does that for you.
Once compiled, copy the .so file from .libs to /usr/lib/apache2/modules, or your local module path.
To cause the module to be loaded by Apache, create the file /etc/apache2/mods-enabled/blacklist.load with the following contents (adjusting the path if yours differs), then reload Apache so that the module is picked up:
LoadModule blacklist_module /usr/lib/apache2/modules/mod_blacklist.so
If you wish to change the prefix directory in which blacklisted IP addresses are stored, use the BlacklistPrefix setting. This is a global (server-level) setting, which you could add to the file /etc/apache2/mods-enabled/blacklist.conf:
# Change the blacklist prefix.
BlacklistPrefix /root/blacklist.d/