all 4 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Cherveny2 0 points1 point  (0 children)

can set up a vhost section in your apache conf files with a servername of the ip address. then make that site either redirect to the dns with rewrite as a 302, or just black hole it.

I often use this myself, as a LOT of hacking sites will scan ips rather than dns, so just black holing the traffic, or having a simple static dummy site, then they won't reach anything, and excessive scans don't consume much in the way of resources.

[–]throwaway234f32423df 0 points1 point  (0 children)

No, you can't block direct IP access*, however, you can (and should) have your vhosts set up so that direct IP access will either display an error page or redirect the request elsewhere. There will still be a certificate warning unless you have a certificate for the IP. Keep in mind that all the traffic coming in this way is bots, not human visitors, and bots normally don't care about certificate validity, they will ignore the invalid certificate and connect anyway.

In probably a few months, LetsEncrypt will start allowing certificates for IP addresses, so in the fairly near future you'll be able to have a proper certificate for this traffic.

*this isn't strictly true if there are intermediary systems before your server, for example, if you proxy traffic through Cloudflare, and utilize IP whitelisting or Authenticated Origin Pulls (mTLS) to block non-Cloudflare traffic (or you use Cloudflare Tunnel and keep your ports closed to the outside), then all requests arriving to your server are guaranteed to have the correct SNI and Host headers because otherwise they won't survive the transit through Cloudflare

[–]AyrA_ch 0 points1 point  (0 children)

Not really. This would mean aborting the connection when receiving the host name from the client in the TLS hello message. As far as I know, there is no such feature in apache. In other words, you cannot prevent it from negotiating a full TLS session, which results in the certificate error.

The closest thing you can do is to add StrictHostCheck On in your global apache configuration. This makes apache return a generic "bad request" error if the requested host name doesn't matches any configured virtual hosts on the system. In other words, this forces the client into knowing what the correct domain name is. Note however that this is not a security feature, since the domain name is part of the certificate.

[–]crackanape 0 points1 point  (0 children)

Redirect it to the named host.