How To Protect Web Server On Kali Linux From Unauthorized Access

Suppose you installed Mutillidae, or DVWA, or something similar for penetration test training (by the way, see “How to install OWASP Mutillidae II and Damn Vulnerable Web Application DVWA) in Kali Linux”.

These applications have various vulnerabilities, some of them allow file uploading (backdoors) and SQL injection. Such scripts can lead to complete compromise of your the web server as well as the entire computer. Therefore, the most secure is to restrict access to the web server from outside.

Access control (which IP addresses are allowed or not allowed to connect) is configured in the .htaccess file. But by default, support for this file is disabled – that is, settings from this file are not taken into account.

To enable .htaccess on Kali Linux, open the /etc/apache2/apache2.conf file:

1 sudo gedit /etc/apache2/apache2 .conf

Find the lines there:

1 <Directory /var/www/>
2 Options Indexes FollowSymLinks
3 AllowOverride None
4 Require all granted
5 </Directory>

And replace them with:

1 <Directory /var/www/>
2 Options Indexes FollowSymLinks
3 AllowOverride All
4 Require all granted
5 </Directory>

Now restart the web server for the changes to take effect:

1 sudo systemctl restart apache2

The root folder of the sites is /var/www/html/ , so create a .htaccess file there:

1 sudo gedit /var/www/html/ .htaccess

In fact, a .htaccess file can be created in any folder with sites. Remember that access to any folder on the web server is affected by both the .htaccess file in the current directory and the .htaccess files in the parent directories.

If you need to restrict access for all IPs, except for local ones, then use:

1 Require ip 10 172.20 192.168.2

You can prohibit all remote connections with the directive:

1 Require local


Please note that despite the name local, only connections from the same computer (localhost) are allowed and any other remote connections are prohibited, even from the local network.


Using “ Require ip ”, you can specify single IP or network ranges in various notations:

1 Require ip

2 # OR

3 Require ip 10.1

4 # OR

5 Require ip

6 # OR

7 Require ip

8 # OR

9 Require ip ::1

It is allowed multiple use of “ Require ip ” directive.

Vulnerable web applications for penetration testing:

  • bWAPP
  • Damn Vulnerable Web Application (DVWA)
  • Damn Vulnerable Web Services
  • OWASP Broken Web Applications Project
  • OWASP Mutillidae II
  • Samurai Web Testing Framework
  • Web security dojo

Source: miloserdov