Solved

Website Security

Posted on 2009-04-15
5
750 Views
Last Modified: 2013-11-16
I've got a website running from home that's private and not there for the world to see but actually for myself and some friends.

I checked the logs this weekend and noticed 9 or so attempts on the site with several vulnerability scanners.

So I'm trying to improve security. Using the robots.txt method, I've blocked access from user agents such as googlebots etc. I can see that this is working.

What I want to do now is block entire countries from accessing the site. I know about .htaccess and guess the easiest & most efficient way would be to put a single rule of;
"allow UK"
rather than
"block ip address range of the world"

What can I do to simply allow UK (& if poss Ireland) IP access only, while keeping the bandwidth to a minimum.
I found a site that creates rules for you, but it seems a bit tacky, so I don't know wether to trust it.

I've added the htaccess file I'll be using with the full IP range list for the UK & Ireland from another source. Would .htaccess with the following code work? Or can you suggest a better method.

Note: Bear in mind I've excluded the majority of the code/ips on this page.
<Limit GET HEAD POST>
order deny,allow
# Country: UNITED KINGDOM
# ISO Code: GB
# Total Networks: 3,691
# Total Subnets:  70,634,584
allow from 91.209.254.0/24
allow from 91.210.68.0/22
allow from 91.210.100.0/22
allow fr.................... - Several Hundred lines of ip's
............om 217.204.0.0/14
#
# Country: IRELAND
# ISO Code: IE
# Total Networks: 221
# Total Subnets:  4,200,096
#
......................... - More ip's
............om 7.115.112.0/20
allow from 217.173.208.0/20
#
deny from all
</Limit>

Open in new window

htaccess.txt
0
Comment
Question by:moosecaboose
  • 2
  • 2
5 Comments
 
LVL 33

Expert Comment

by:Dave Howe
ID: 24152054
there is no master requirement that all uk sites use a specific IP range - really, you are better off just using something like .htaccess to require a user/pass to access the site - or use site software like a bboard that has built-in user/pass support.  If you want to, you can even make a site SSL only *and* require that a specific client certificate be used to access it, but that is usually overkill for a hobby site.
0
 
LVL 4

Expert Comment

by:TurboBorland
ID: 24153840
What benefit do you think there will be if you only allow an entire country's ip range in forms of security?  Not only that, but it's rather easy to spoof yourself to have come from a United Kingdom ip address.  If you let me know a bit more about your intentions, I might be able to help a bit more with what you want.
0
 

Author Comment

by:moosecaboose
ID: 24155831
Well the problem I'm having is mainly with attempts on security of my website. As I'm running this from a computer at home I don't want people to get onto my webserver or network who I'm not allowing. If people are going to continue testing my site for vulnerabilities then I want to restrict access for them completely.

There is no point in adding a bulletin board as I don't currently have one and don't intend on it. Plus that's not the attacks I'm getting. Vulnerability scanners are attempting on the site. Also adding php or whatever gives more room for attacks through SQL injection etc plus I have no need to add all that. SSL is all fine too, but that means people will then need to have been issued a certificate or I get one signed, and this still allows people access, that just encypts information. Spoofing is ok as it's more work for them, and most of them being script kiddies would prob not know what they are doing with their automated bits of software. It's mainly FTP/SFTP, with an already htaccess'd members area on a basic HTML site. The problem with htaccess is it's open to DOS attacks.

I don't want to htaccess the complete site as I do have a public section, but it's only worth showing this to the Uk.
The IP Ranges I have are ok for me as all friendly ips (although dynamic) are within these ranges. All one's that have attacked my webserver are not.

Back to the original question.... Don't worry about the ranges. I know the ranges I've got listed are fine for me. Is the code correct?
0
 
LVL 33

Accepted Solution

by:
Dave Howe earned 250 total points
ID: 24155850
SSL can require a *client side* certificate, and disallow access without one - you still need to create and issue them though (you act as a CA)

however yes - your file is correct as listed.
0
 

Author Comment

by:moosecaboose
ID: 24167471
Thanks
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
where is software market online? 7 111
Antivirus - Webroot vs Symantec? 6 140
Mobile penetration testing 2 119
WEB Farm 6 70
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

822 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question