Apache provides several robust methods for blocking malicious IP addresses at the web server level. This creates an effective first line of defense against attackers, bots, and unwanted traffic. The optimal method depends on your IP list size, Apache version, and performance requirements.
For the complete official documentation, see Apache Access Control.
Method 1: The Require Directive (Apache 2.4+)
This is the modern, recommended approach for Apache 2.4 and later. Use Require directives inside your <VirtualHost>, <Directory>, or <Location> blocks.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html

    # Block specific AI bot IP ranges for every URL of this host.
    # Require and <RequireAll> are only valid in a directory-style
    # context (<Directory>, <Location>, <Files> or .htaccess), so they
    # are wrapped in <Location "/"> rather than placed directly in the
    # virtual host.
    <Location "/">
        <RequireAll>
            Require all granted
            Require not ip 142.44.220.0/24
            Require not ip 148.113.128.0/24
            Require not ip 15.235.27.0/24
            Require not ip 198.244.168.0/24
        </RequireAll>
    </Location>

    # Alternative: allow only specific IPs. This needs <RequireAny>,
    # because a single client can only match one of the listed addresses.
    # <Location "/">
    #     <RequireAny>
    #         Require ip 192.168.1.50
    #         Require ip 10.0.0.0/8
    #     </RequireAny>
    # </Location>
</VirtualHost>
Method 2: Legacy Allow/Deny Directives (Apache 2.2)
Important: The Allow, Deny, and Order directives are deprecated and should be avoided. They were used in Apache 2.2 but are no longer recommended even for legacy installations; on Apache 2.4 they only work when mod_access_compat is loaded. Use the Require directive instead.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html

    <Directory "/var/www/html">
        Order Allow,Deny
        Allow from all
        # Block specific AI bot IP ranges
        Deny from 142.44.220.0/24
        Deny from 148.113.128.0/24
        Deny from 15.235.27.0/24
        Deny from 198.244.168.0/24
    </Directory>
</VirtualHost>
Method 3: External Blocklist File
Keep your main configuration clean by using external files with the Include directive. This approach scales well for large lists and frequent updates.
Create /etc/apache2/conf-available/blocklist.conf for Apache 2.4:
# AI bot IP ranges from botective.json
# Wrapped in <Location "/"> so the file can be included from any
# virtual host; Require is not allowed directly in virtual host context.
<Location "/">
    <RequireAll>
        Require all granted
        Require not ip 142.44.220.0/24
        Require not ip 148.113.128.0/24
        Require not ip 15.235.27.0/24
        Require not ip 198.244.168.0/24
    </RequireAll>
</Location>
Include it in your virtual host:
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html
    Include /etc/apache2/conf-available/blocklist.conf
</VirtualHost>
For Apache 2.2, create /etc/apache2/conf-available/blocklist-legacy.conf:
# AI bot IP ranges from botective.json
<Directory "/var/www/html">
    Order Allow,Deny
    Allow from all
    Deny from 142.44.220.0/24
    Deny from 148.113.128.0/24
    Deny from 15.235.27.0/24
    Deny from 198.244.168.0/24
</Directory>
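As an added example (not part of the page or of any project it mentions), the following POSIX shell script generates the Apache 2.4 blocklist.conf shown above from a plain list of CIDRs, validating every entry so that one malformed line cannot break the whole server configuration. It assumes the input is one IPv4 address or CIDR per line (comments after # are ignored); it does not parse botective.json itself.

```shell
#!/bin/sh
# Added example: build an Apache 2.4 blocklist include from a CIDR list.
# Assumed input format: one IPv4 address or IPv4 CIDR per line.

# Return 0 if $1 is a syntactically valid IPv4 address or IPv4 CIDR.
# Rejects too few/too many octets, octets > 255 and prefixes > 32.
valid_cidr() {
  printf '%s\n' "$1" | awk '
    {
      n = split($0, part, "/")
      if (n > 2) exit 1
      if (n == 2 && (part[2] !~ /^[0-9]+$/ || part[2] + 0 > 32)) exit 1
      if (split(part[1], oct, ".") != 4) exit 1
      for (i = 1; i <= 4; i++)
        if (oct[i] !~ /^[0-9]+$/ || oct[i] + 0 > 255) exit 1
      exit 0
    }'
}

# Read CIDRs from stdin and print a blocklist.conf body on stdout.
# Blank lines and comments are skipped; malformed entries are reported
# on stderr and dropped instead of being written into the config.
gen_blocklist() {
  echo '# Generated blocklist: deny the listed ranges, allow everyone else'
  echo '<Location "/">'
  echo '    <RequireAll>'
  echo '        Require all granted'
  while IFS= read -r line; do
    cidr=${line%%#*}                              # strip trailing comment
    cidr=$(printf '%s' "$cidr" | tr -d '[:space:]')
    [ -z "$cidr" ] && continue
    if valid_cidr "$cidr"; then
      echo "        Require not ip $cidr"
    else
      echo "gen_blocklist: skipping malformed entry: $line" >&2
    fi
  done
  echo '    </RequireAll>'
  echo '</Location>'
}

# Demo with constructed input. For real use, redirect stdout to
# /etc/apache2/conf-available/blocklist.conf and run apachectl configtest.
printf '142.44.220.0/24\n198.244.168.0/24\n' | gen_blocklist
```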
Method 4: Enhanced Security with Rate Limiting
Combine IP blocking with the mod_reqtimeout module, which bounds how long a client may take to send its request headers and body, to defend against brute-force attacks and provide comprehensive protection.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/html

    # Block malicious IPs first
    <Location "/">
        <RequireAll>
            Require all granted
            Require not ip 142.44.220.0/24
            Require not ip 198.244.168.0/24
        </RequireAll>
    </Location>

    # Bound how long a client may take to deliver request headers and
    # body. RequestReadTimeout is only valid at server or virtual host
    # level, not inside <Location>, so it applies to the whole host.
    <IfModule mod_reqtimeout.c>
        RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
    </IfModule>

    # Additional security headers for the login endpoint (needs mod_headers)
    <Location "/login">
        <IfModule mod_headers.c>
            Header always set X-Frame-Options DENY
            Header always set X-Content-Type-Options nosniff
        </IfModule>
    </Location>
</VirtualHost>
Dynamic IP Blocking with fail2ban
Integrate Apache with Fail2ban for automated IP blocking. This monitors Apache logs and dynamically blocks IPs that exceed failure thresholds.
Create /etc/fail2ban/filter.d/apache-auth.conf (Fail2ban ships a stock filter of the same name that watches the error log; this file replaces it, so pick a distinct name if you want to keep both). Continuation lines of failregex must be indented:
[Definition]
failregex = ^<HOST> -.*"\S+ \S+.*" 401 .*$
            ^<HOST> -.*"\S+ \S+.*" 403 .*$
ignoreregex =
Add a jail to /etc/fail2ban/jail.local:
[apache-auth]
enabled = true
port = http,https
filter = apache-auth
action = %(action_mwl)s
logpath = /var/log/apache2/*access.log
maxretry = 5
bantime = 3600
findtime = 600
For blocking based on 404 errors, create /etc/fail2ban/filter.d/apache-noscript.conf (ordinary visitors also trigger 404s, so give this jail a higher maxretry than the auth jail):
[Definition]
failregex = ^<HOST> -.*"\S+ \S+.*" 404 .*$
ignoreregex =
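To see what the filters above would match before enabling a jail, here is an added example (not from the page or from Fail2ban) that replays the same failregex logic over constructed access-log lines and reports the clients that reach maxretry. It is a simplification: only IPv4 hosts are recognised and the findtime window is ignored; on a real host, fail2ban-regex is the tool that exercises the actual filter.

```shell
#!/bin/sh
# Added example: approximate the apache-auth / apache-noscript filters
# over sample log lines. Assumptions: IPv4 clients only, no findtime.

# Usage: ban_candidates MAXRETRY "401|403" < access.log
# Prints "ip count" (sorted) for each client whose matching lines
# reach MAXRETRY, i.e. the clients Fail2ban would ban.
ban_candidates() {
  awk -v maxretry="$1" -v codes="$2" '
    BEGIN {
      # <HOST> becomes an IPv4 pattern and, since awk ERE has no \S,
      # the \S+ of the Fail2ban regex becomes [^ ]+
      re = "^[0-9.]+ -.*\"[^ ]+ [^ ]+.*\" (" codes ") "
    }
    $0 ~ re { hits[$1]++ }
    END {
      for (ip in hits)
        if (hits[ip] >= maxretry) print ip, hits[ip]
    }' | sort
}

# Constructed combined-format log lines (documentation-range addresses).
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 401 492 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /admin HTTP/1.1" 401 492 "-" "curl/8.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /missing HTTP/1.1" 404 209 "-" "Mozilla/5.0"'

# Demo: the auth jail (maxretry 3) and the noscript jail (maxretry 1).
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 3 '401|403'
printf '%s\n' "$SAMPLE_LOG" | ban_candidates 1 '404'
```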
Testing Configuration with apachectl
The apachectl configtest command validates your configuration before applying changes, preventing service disruptions from syntax errors.
# Test configuration syntax
apachectl configtest
# Alternative command
apache2ctl configtest
# Test and show loaded modules
apachectl -M
# Test specific configuration file
apache2ctl -t -f /path/to/apache2.conf
What apachectl configtest checks:
- Configuration file syntax errors
- Virtual host conflicts
- Module dependencies
- File path validity (document roots, log files)
- Directive compatibility
- Include file accessibility
Example output:
Syntax OK
If there are errors, you'll see specific details:
AH00526: Syntax error on line 15 of /etc/apache2/sites-enabled/000-default.conf:
Invalid command 'RequireNotIP', perhaps misspelled or defined by a module not included in the server configuration
# Note: The correct directive is 'Require not ip', not 'RequireNotIP'
Always test before reloading:
# Safe workflow
apachectl configtest && systemctl reload apache2
Module Requirements
Ensure required modules are enabled for IP blocking functionality:
# Enable required modules (Ubuntu/Debian)
a2enmod authz_core
a2enmod authz_host
# Only if you still use the legacy Allow/Deny/Order directives on 2.4
a2enmod access_compat
# Optional: for advanced features (mod_headers is needed for the Header directive)
a2enmod reqtimeout
a2enmod headers
a2enmod rewrite
# Reload Apache
systemctl reload apache2
Best Practices
- Monitor access logs: Review what IPs you're blocking and their behavior
- Keep lists updated: Regularly review and update blocklists
- Consider performance: Large IP lists can impact server performance
- Test before applying: Always run apachectl configtest before reloading configuration
- Use modern directives: Always use Require directives instead of deprecated Allow/Deny
- Enable security modules: Consider mod_reqtimeout for comprehensive protection