Blocking an IP by accessed url

  • Tearabite
    There may be other ways, but you can do this with the combination of ModSecurity and CSF. You would have to make a custom ModSecurity rule to block that specific URL, then set CSF to block the IP after 1 ModSecurity hit. We have dozens of custom rules that do exactly that.
    0
  • cPanelMichael
    Hello, the previous post offers a useful solution. Let us know if you have additional questions. Thank you.
    0
  • Mister9
    There may be other ways, but you can do this with the combination of ModSecurity and CSF. You would have to make a custom ModSecurity rule to block that specific URL, then set CSF to block the IP after 1 ModSecurity hit. We have dozens of custom rules that do exactly that.

    Thank you for this info Tearabite. This solution is what I suspected but I wasn't sure that ModSecurity can communicate to CSF. Do you know where I find more information on how this needs to be set up/programmed?
    0
  • Mister9
    Also slightly off topic, I was wondering why someone would use CSF to block the IP instead of blocking the IP in ModSecurity. Is this a performance preference?
    0
  • cPanelMichael
    Hello, there's a recent thread linked below you may find helpful: Thanks!
    0
  • Mister9
    Thank you Michael! That post has been very helpful.
    0
  • fuzzylogic
    I have received similar emails about uploads to /wp-content/plugins/dzs-videogallery/upload.php being quarantined. In the subject line of the emails is cxs Scan on... In the body of the email is Quarantined : Yes [/home/fort_denison/cxscgi... and NOTE: This alert may be a ModSecurity false-positive... (as the Web upload script does not exist) OK. So this email is generated by Configserver Exploit Scanner when its ModSecurity rule (it only has one rule) is enabled. The rule ID is 1010101. This rule sends the temp file name of the upload to the cxs script so that the upload can be scrutinised. For you to receive this email means that rule 1010101 triggered and that the request was blocked with "Access denied with code 403" being written to the Apache error_log.
    0
  • Tearabite
    Also slightly off topic, I was wondering why someone would use CSF to block the IP instead of blocking the IP in ModSecurity. Is this a performance preference?

    ModSecurity cannot/does not block IPs - at least not easily and not fully. ModSecurity blocks HTTP page requests only. So even though you could (manually) create a rule that IP XYZ cannot access a page, that IP could still access FTP, email, etc. Whereas CSF can block the IP from the entire server/all services. Because CSF seamlessly blocks IPs of repeat Mod_Security hits via a simple configuration setting, it's a great way to deal with the OP's request.
    0
  • jeffschips
    I have the exact same need. Could someone pipe in and supply an example of the mod_sec rule which ONLY activates the block after X attempts on a specific URL. I have csf operating but can't find the section that deals with blocking based on a mod_sec rule. I see LF_MODSEC =X but that deals with login failures, I'm simply looking for a specific URL, not login.
    0
  • fuzzylogic
    @jeffschips Mod-security is an efficient HTTP request parser. It is designed to run in the Apache process of a single request, block or allow the request, then log what happened, then exit as the process ends. Configserver LFD is an efficient log file parser. It is designed to search for and count patterns in log files, then respond by sending the IP address of a pattern match to CSF, which manages adding IP entries to iptables. LFD (login failure daemon), while its original purpose was to find login failure patterns in log files, is just as good at finding other patterns in log files. You seem to misunderstand the LF_MODSEC settings. Its comment says this...

    Enable failure detection of repeated Apache mod_security rule triggers

    To get a permanent block in CSF the CSF settings should be...

    MODSEC_LOG = /usr/local/apache/logs/error_log
    LF_INTERVAL = 86400 (No. of seconds over which to count. Default is 3600)
    LF_MODSEC = 5 (Count of string "Modsecurity: Access denied" per ip for block action)
    LF_MODSEC_PERM = 1 (0 = No blocking, 1 = Block Permanently, x = Block for x seconds except 1 or 0)

    With these settings LFD searches /usr/local/apache/logs/error_log for log lines with the fragment "ModSecurity: Access denied". If 5 instances are found within the LF_INTERVAL for the same IP then that IP is sent to CSF to be added to the iptables firewall. A modsecurity rule to make this work for a specific URL is as follows...

        # Deny requests to this url
        SecRule REQUEST_FILENAME "@contains my-funky-url" \
            "msg:'Deny this funky URL',\
            id:19000002,\
            phase:1,\
            t:none,\
            log,\
            auditlog,\
            deny,\
            status:403"

    Or more compact...

        SecRule REQUEST_FILENAME "@contains my-funky-url" "msg:'Deny this funky URL',id:19000002,phase:1,t:none,log,auditlog,deny,status:403"
    0
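As an added illustration of the LFD counting described in the post above (this is example code written for this page, not part of the thread and not CSF's or LFD's own code): it parses constructed Apache error_log lines for "ModSecurity: Access denied", counts them per client IP inside a sliding LF_INTERVAL window and reports which IPs reach LF_MODSEC. The optional rule_id filter is an extension assumed here, not a CSF option; the log lines, IPs (203.0.113.x) and file paths are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LF_MODSEC, LF_INTERVAL = 5, 86400  # same values as the CSF settings in the post above

# Apache 2.4 / ModSecurity 2.x error_log: "[client ip:port]" gives the source, [id "..."] the rule.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[:error\] \[pid \d+\] \[client (?P<ip>[^\]:]+)'
                     r'.*ModSecurity: Access denied.*\[id "(?P<rule>\d+)"\]')
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"

def parse_denials(lines):
    """Yield (timestamp, ip, rule_id) for every 'ModSecurity: Access denied' line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("rule")

def ips_to_block(lines, threshold=LF_MODSEC, interval=LF_INTERVAL, rule_id=None):
    """Return {ip: total_denials} for IPs with >= threshold denials inside any window of
    `interval` seconds. rule_id=None counts every rule (what LF_MODSEC does); an id counts only that rule."""
    hits = defaultdict(list)
    for ts, ip, rule in parse_denials(lines):
        if rule_id is None or rule == rule_id:
            hits[ip].append(ts)
    window, blocked = timedelta(seconds=interval), {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over the sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                blocked[ip] = len(stamps)
                break
    return blocked

def _line(ts, ip, rule, uri):
    """Constructed sample line in error_log format (not taken from a real server)."""
    return (f'[{ts}] [:error] [pid 4242] [client {ip}:51000] [client {ip}] ModSecurity: Access denied '
            f'with code 403 (phase 1). [file "/etc/modsec/custom.conf"] [line "1"] [id "{rule}"] '
            f'[msg "Deny this funky URL"] [hostname "example.com"] [uri "{uri}"]')

# Constructed sample: .5 hits the funky URL 5 times; .9 hits it 3 times plus 2 other rule hits.
_NINE = [("19000002", "/my-funky-url"), ("949110", "/wp-login.php")] * 2 + [("19000002", "/my-funky-url")]
SAMPLE_LOG = [_line(f"Mon Jan 01 12:0{i}:00.000000 2024", "203.0.113.5", "19000002", "/my-funky-url")
              for i in range(5)]
SAMPLE_LOG += [_line(f"Mon Jan 01 12:1{i}:00.000000 2024", "203.0.113.9", r, u) for i, (r, u) in enumerate(_NINE)]
```

With the default (all rules counted) both IPs reach 5 denials within the interval; with rule_id="19000002" only 203.0.113.5 does, and with interval=120 neither does.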
  • jeffschips
    @fuzzylogic that is the best explanation I've ever read. Thank you! Works perfectly!
    0
  • leonep
    Hi, this is useful but it bans after triggering the LF_MODSEC count. LF_MODSEC affects all ModSec rules; I don't want to set it to 1. In my personal case I am fighting against "pistacchietto" and it always uses different IPs. Any ideas? Thanks guys. More info about this
    0