5.12 Ensure IP Address Based Requests Are Disallowed - 'httpd.conf RewriteEngine = on'

Information

The Apache module 'mod_rewrite' should disallow access for requests that use an IP address instead of a host name for the URL. Most normal access to the website from browsers and automated software will use a hostname, and will therefore include the hostname in the HTTP HOST header.

Refer to the Apache 2.2 documentation for details:
[http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html](http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html)

Rationale:

A common malware propagation and automated network scanning technique is to use IP addresses rather than hostnames for web requests, since it's simpler to automate. By denying IP-based web requests, these automated techniques will be denied access to the website. Malicious web scanning techniques continue to evolve, and many are now using hostnames, but denying access to IP-based requests is still a worthwhile defensive measure.

Solution

Perform the following to implement the recommended state:

1. Load the 'mod_rewrite' module for Apache by doing either one of the following:
- Build Apache with 'mod_rewrite' statically loaded during the build by adding the '--enable-rewrite' option to the './configure' script.

./configure --enable-rewrite

- Or, dynamically load the module with the 'LoadModule' directive in the 'httpd.conf' configuration file.

LoadModule rewrite_module modules/mod_rewrite.so

2. Add the 'RewriteEngine' directive to the configuration within the global server context with the value of 'on' so the rewrite engine is enabled.

RewriteEngine On

3. Locate the Apache configuration file, such as 'httpd.conf', and add the following rewrite conditions and rule, replacing 'www.example.com' with the expected host name of the top-level server configuration.

RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteCond %{REQUEST_URI} !^/error [NC]
RewriteRule ^.(.*) - [L,F]
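A quick audit of the three settings above against a configuration file, as an added example written for this page (not Tenable's or CIS's own check logic); it assumes a constructed httpd.conf fragment using the placeholder host www.example.com and inspects only the global server context, which is where step 2 requires RewriteEngine to be set:

```python
import re

# Constructed sample httpd.conf (hypothetical); www.example.com is the benchmark's placeholder host.
SAMPLE_CONF = r"""
LoadModule rewrite_module modules/mod_rewrite.so
# RewriteEngine Off   <- a comment, must be ignored by the audit
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.example\.com [NC]
RewriteCond %{REQUEST_URI} !^/error [NC]
RewriteRule ^.(.*) - [L,F]
<VirtualHost *:80>
    RewriteEngine Off
</VirtualHost>
"""

def global_directives(conf):
    """Yield (name, args) for directives in the global context only."""
    depth = 0  # nesting level inside <...> sections
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:
            name, _, args = line.partition(" ")
            yield name.lower(), args.split()

def audit_ip_request_block(conf):
    """Report the three findings item 5.12 asks for; a statically built
    mod_rewrite has no LoadModule line, so module_loaded is kept separate."""
    items = list(global_directives(conf))
    module_loaded = any(n == "loadmodule" and a[:1] == ["rewrite_module"] for n, a in items)
    engine_on = any(n == "rewriteengine" and [x.lower() for x in a] == ["on"] for n, a in items)
    # A RewriteCond chain applies to the next RewriteRule: look for a negated HTTP_HOST condition whose rule has the F (403) flag.
    host_cond = rule_forbids = False
    for n, a in items:
        if n == "rewritecond":
            if len(a) >= 2 and a[0] == "%{HTTP_HOST}" and a[1].startswith("!"):
                host_cond = True
        elif n == "rewriterule" and host_cond:
            m = re.search(r"\[([^\]]*)\]$", a[-1]) if a else None
            rule_forbids = bool(m and "F" in [f.strip() for f in m.group(1).split(",")])
            break
        else:
            host_cond = False  # any other directive ends the chain
    return {"module_loaded": module_loaded, "engine_on": engine_on, "host_block_rule": host_cond and rule_forbids}
```

The parser is deliberately minimal (no Include handling, no line continuations). Rules in the main server context are not inherited by <VirtualHost> sections unless RewriteOptions Inherit is set, so each virtual host needs the same block or that option.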

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv6|9.1, CSCv7|9.2

Plugin: Unix

Control ID: 5c899a38a5c9d10be3638fd18cb4ed57e63051b9e30540eeb5ac3e3127b81f92