5.14 Ensure IP Address Based Requests Are Disallowed - 'httpd.conf RewriteCond %{REQUEST_URI} exists'

Information

The Apache module mod_rewrite can be used to disallow access for requests that use an IP address instead of a host name for the URL. Most normal access to the website from browsers and automated software will use a host name which will therefore include the host name in the HTTP HOST header.

Rationale:

A common malware propagation and automated network scanning technique is to use IP addresses rather than host names for web requests, since it's much simpler to automate. By denying IP based web requests, these automated techniques will be denied access to the website. Of course, malicious web scanning techniques continue to evolve, and many are now using hostnames, however denying access to the IP based requests is still a worthwhile defense.

Solution

Perform the following to implement the recommended state:

Load the mod_rewrite module for Apache by doing either one of the following:

Build Apache with mod_rewrite statically loaded during the build, by adding the --enable-rewrite option to the ./configure script.

./configure --enable-rewrite

Or, dynamically loading the module with the LoadModule directive in the httpd.conf configuration file.

LoadModule rewrite_module modules/mod_rewrite.so

Add the RewriteEngine directive to the configuration within the global server context with the value of on so that the rewrite engine is enabled.

RewriteEngine On

Locate the Apache configuration file such as httpd.conf and add the following rewrite condition to match the expected host name of the top server level configuration.

RewriteCond %{HTTP_HOST} !^www.example.com [NC]
RewriteCond %{REQUEST_URI} !^/error [NC]
RewriteRule ^.(.*) - [L,F]

Default Value:

RewriteEngine off

See Also

https://workbench.cisecurity.org/files/4548

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CM-10, 800-53|CM-11, 800-53|SC-18, CSCv7|9.2, CSCv7|18.2

Plugin: Unix

Control ID: 889c046c2e34d3bda444e4a72a52612130f4076d1c061895aa75916ea0fcf91b