How to limit server/Apache access to our team?

Postby Chris8087 » 2019-10-25 02:57

Hello,

We've got a PHP web application running on Apache that we use internally for our team (secured by login). It's running on a subdomain that we don't publish, but we still get some traffic from all over the place, which I'd like to completely exclude.

Our users are ca. 15-20 with different IPs, some from home with dynamic IPs.
Additionally, we do have some software users (API, REST) which in two cases have static IPs and in two other cases dynamic (something like web forms which are sent via POST to our web app).

I thought about IP-whitelisting the known countries in iptables and dropping everything else.
That might be difficult if an IP isn't listed/up to date, or for the web form sending POST data.

Another thought was to simply add a .htpasswd file to our Apache config. That would work well if it weren't for that web form that sends POST data.
With Apache conditions it might be possible to exempt the web form from the Apache auth, but I haven't found a good condition to do so yet.

One more way would be to use X.509 client certificates in our browsers. But then ... the web form and the other software users again ...

Any other idea?

Thanks,
Chris
Chris8087
 
Posts: 11
Joined: 2014-11-13 10:35
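As an added example (not from the original post or any reply in this thread), here is how the ".htpasswd for everything except the web form" idea from the first post can be expressed in an Apache 2.4 virtual host. Hostnames, paths and the two static addresses are placeholders; the two form senders with dynamic IPs are not covered by the IP rule and would still need some other credential or a separate intake.

```apache
# Added example: Basic auth for the whole app, with one POST-only exception
# for the public web form. Hostnames, paths and addresses are placeholders.
# Requires mod_ssl, mod_auth_basic, mod_authn_file and mod_authz_core.
# Check with:  apache2ctl -t   (Debian)  /  apachectl configtest
<VirtualHost *:443>
    ServerName app.example.internal
    DocumentRoot /var/www/app

    # Basic auth sends the password base64-encoded, not encrypted, so the
    # vhost must be TLS-only; do not serve the same app on port 80.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.pem
    SSLCertificateKeyFile /etc/ssl/private/app.key

    # Default: everything under the app requires a team account.
    # The file is created with:  htpasswd -c /etc/apache2/.htpasswd alice
    # and must live outside DocumentRoot.
    <Directory "/var/www/app">
        AuthType Basic
        AuthName "Team only"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>

    # Exception: the endpoint the public web form posts to. <Location> is
    # merged after <Directory>, so with the default AuthMerging Off its
    # Require block replaces the one above. Access is granted only when the
    # request is a POST AND it comes either from one of the two static-IP
    # senders or from a logged-in team member (useful for testing).
    # Any other method (GET, HEAD, OPTIONS, ...) is refused with 403.
    <Location "/api/form-submit">
        <RequireAll>
            Require method POST
            <RequireAny>
                Require ip 203.0.113.10 198.51.100.7
                Require valid-user
            </RequireAny>
        </RequireAll>
    </Location>
</VirtualHost>
```

After reloading, `curl -I https://app.example.internal/` should answer 401 and `curl -X GET https://app.example.internal/api/form-submit` should answer 403, while a POST from one of the two listed addresses goes through without a password. Apache does not accept comments on the same line as a directive, which is why every comment above sits on its own line.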

Re: How to limit server/Apache access to our team?

Postby TonyT » 2019-10-25 12:16

Whitelisting countries won't work because user agent data can be spoofed easily.
Htpasswd is good but open to man-in-the-middle attacks because form info is sent unencrypted.
The unwanted traffic you are getting is probably failed logins?
I would:
Blacklist Tor browsers.
Limit login attempts to 3, then auto temporarily blacklist the IP that fails.
Display a message after 3 tries then bounce to some porn site or Disney. (& don't display the form anymore)
Above can easily be done in conjunction with a database table that stores the logins.
For bots accessing the form use a Captcha if necessary.
TonyT
 
Posts: 574
Joined: 2006-09-04 11:57

Re: How to limit server/Apache access to our team?

Postby reinob » 2019-10-25 19:24

Chris8087 wrote:
Our users are ca. 15-20 with different IPs, some from home with dynamic IPs.
Additionally, we do have some software users (API, REST) which in two cases have static IPs and in two other cases dynamic (something like web forms which are sent via POST to our web app).

You are really asking for a private network (VPN).

If the server listens only at the VPN interface, and you have your clients (whatever and wherever they connect from) connect to the server via the VPN, then you solve the problem of allowing only connections from the clients you want, while the rest of the Internet has no access to it.
reinob
 
Posts: 742
Joined: 2014-06-30 11:42

Re: How to limit server/Apache access to our team?

Postby Chris8087 » 2019-10-27 19:13

TonyT wrote:
The unwanted traffic you are getting is probably failed logins?

It is not so much failed logins as it is more of a generic feeling:
This is a web app that we use internally but has to be online for our distributed team to access.

reinob wrote:
You are really asking for a private network (VPN).

The web form wouldn't be working via VPN?
And the two software users that we have, I'm not sure how to configure those to "circumvent" the VPN.
But other than that, yes - that's exactly what we'd need.
Chris8087
 
Posts: 11
Joined: 2014-11-13 10:35

Re: How to limit server/Apache access to our team?

Postby reinob » 2019-10-28 09:33

Chris8087 wrote:
The web form wouldn't be working via VPN?
And the two software users that we have, I'm not sure how to configure those to "circumvent" the VPN.
But other than that, yes - that's exactly what we'd need.

I'm not sure I have understood your issue with the web form.

Let's say your server has a VPN interface (tun0, wg0, whatever);
your web app/form is configured to listen on that interface, and not on eth0 or such ("public" Internet);
any client not having a corresponding address/route via your VPN won't be able to connect;
your authorized clients (your team, your 15-20 users, etc.) connect via the VPN.

Or is it a problem for your users to be required to use a VPN for this?

(I'm not sure if those users qualify as being in your "team" or are completely random external users who somehow nevertheless need access to your web app, but then your statement of the problem "we still get some traffic from all over the place which I'd like to completely exclude" cannot be solved, as your users will be "from all over the place", by definition).

I guess you'd need to clarify how you define who is a user and who is not. If you have some control over the users, then of course VPN (or client certificate, as you suggested) would work OK. If you cannot tell in advance who is a user and who is not a user, then you have another problem to solve before you tackle this one.
reinob
 
Posts: 742
Joined: 2014-06-30 11:42

Re: How to limit server/Apache access to our team?

Postby Chris8087 » 2019-10-28 20:59

Thank you for the detailed answer.

Yes, the 15 users could use VPN.

Then we've got a web form for people from the internet on our website.
When they submit the form, the data is sent via POST directly into our web application.
So I guess the best thing would be to store the submitted data on the website somewhere and pull it into the web application database every 15 min or so.
Chris8087
 
Posts: 11
Joined: 2014-11-13 10:35
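As an added example (not from any post in this thread), this is what reinob's "listen only on the VPN interface" layout and Chris8087's final split (team app behind the VPN, public form stored separately and pulled in later) look like in Apache 2.4 on Debian. The tunnel address 10.8.0.1/24, the public address 203.0.113.5, hostnames and paths are all placeholders; the periodic pull of submitted data into the app is left to a cron job and is not shown.

```apache
# Added example: two listeners, two roles. Addresses, names and paths are
# placeholders. Debian's ports.conf ships "Listen 80" and "Listen 443"
# inside IfModule blocks; those must be removed or replaced, because a
# bare "Listen 443" binds every address, including the public one.
Listen 10.8.0.1:443
Listen 203.0.113.5:443

# Internal team app: answers only on the VPN tunnel address, so a client
# without a route into the VPN cannot even open a TCP connection.
<VirtualHost 10.8.0.1:443>
    ServerName app.vpn.example.internal
    DocumentRoot /var/www/app
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.pem
    SSLCertificateKeyFile /etc/ssl/private/app.key

    # Belt and braces: even if the bind were ever widened by a config
    # mistake, only the tunnel network is authorized at the HTTP layer.
    <Directory "/var/www/app">
        Require ip 10.8.0.0/24
    </Directory>
</VirtualHost>

# Public intake for the website's web form: the only thing reachable
# from the Internet is one POST endpoint; nothing else is served.
<VirtualHost 203.0.113.5:443>
    ServerName forms.example.com
    DocumentRoot /var/www/form-intake
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/forms.pem
    SSLCertificateKeyFile /etc/ssl/private/forms.key

    # Deny by default ...
    <Directory "/var/www/form-intake">
        Require all denied
    </Directory>

    # ... and open exactly one path, for POST only. The handler behind it
    # stores submissions on this host; the team app pulls them over the VPN.
    <Location "/submit">
        Require method POST
    </Location>
</VirtualHost>
```

Verify the bind after a restart with `ss -ltn` (or `ss -ltnp` as root): the only 443 sockets should be `10.8.0.1:443` and `203.0.113.5:443`, with no `0.0.0.0:443` or `*:443` entry. A GET to `https://forms.example.com/submit` should return 403, and `https://app.vpn.example.internal/` should be unreachable from outside the tunnel rather than merely denied.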

