Suspicious Apache Status requests

Comments

10 comments

  • GOT
    What HTTP code is it returning? I presume either a 5xx or a 404?
  • globcom
    Thank you GOT. It returns 404.
  • GOT
    Then it's typically not an issue unless they are hammering you so hard that it's causing a load issue. You can install and configure CSF firewall and enable 404 blocking if you want to block IPs that hit numerous 404 pages.
  • globcom
    Thank you Got. I will try your solution. Eric
  • cPanelMichael
    Hello Eric, I don't see the harm in blocking the traffic if it's not legitimate. Try searching the path that's being hit in the website files of the accounts you host to make sure it's not a poorly coded script that's leading to users making a connection attempt to the wrong path. Thank you.
  • globcom
    Hello Michael, and thank you for your reply! The trouble (for me) is that this traffic comes to my.servername.com. There isn't a script or website on it. cPanel's recommendation (if I'm not mistaken) is that the subdomain should not be created for the name server on the server. Example of a request: http/1.1 my.nameserver.com:80 GET /logos/NEW%20LOGOS/usa%20el%20ray%20network%20hd.png HTTP/1 All this traffic comes from the USA (and I can't block the US as a country in CSF). At this time I have 3020 IPs in my CSF denylist. I don't know how many IPs it is possible to block with CSF (server with 128 GB of RAM). With the ModSecurity rule, I don't have a load issue. I hope this will stop by itself! Eric
  • cPanelMichael
    Hi Eric, One option to consider if RAM usage becomes an issue is to lower the DENY_IP_LIMIT value in the csf.conf file. If the same IP addresses are consistent in their attack on your server, then an abuse report to the data center/network provider that controls those IP addresses is a good idea as well. Thank you.
  • globcom
    Hi Michael, it's always different IP addresses. Examples: - Removed no need here - Thank you
  • cPanelMichael
    Hi @globcom, If the IP addresses are different, then the DENY_IP_LIMIT value in the csf.conf file should allow you to avoid excessive RAM usage on the system. There's no need to keep the IP addresses blocked permanently if it's new IP addresses hitting your server each time. Thank you.
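The thread contrasts per-IP 404 blocking with traffic that arrives from "always different IP addresses". The following is an added example, not part of any post above and not CSF's own logic: it counts 404s per client IP and also groups them by top-level path, so a distributed pattern is visible even when no single IP crosses a threshold. The function name, thresholds and log lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines (combined format, documentation-range IPs).
# The first path is the one quoted in the thread; the others are made up.
SAMPLE_LOG = """\
192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] "GET /logos/NEW%20LOGOS/usa%20el%20ray%20network%20hd.png HTTP/1.1" 404 196 "-" "-"
192.0.2.12 - - [01/Jan/2024:10:00:02 +0000] "GET /logos/a.png HTTP/1.1" 404 196 "-" "-"
198.51.100.13 - - [01/Jan/2024:10:00:03 +0000] "GET /logos/b.png HTTP/1.1" 404 196 "-" "-"
198.51.100.14 - - [01/Jan/2024:10:00:04 +0000] "GET /logos/c.png HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /old/1 HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "GET /old/2 HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:07 +0000] "GET /old/3 HTTP/1.1" 404 196 "-" "-"
203.0.113.7 - - [01/Jan/2024:10:00:08 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"
"""

# Captures: client IP, request path, response status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+)[^"]*" (\d{3}) ')

def summarize_404s(log_text, per_ip_limit=3, min_sources=4):
    """Return (IPs at or over the per-IP 404 limit,
    top-level path prefixes that drew 404s from many distinct IPs)."""
    per_ip = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404":
            continue  # unparseable line or not a 404
        ip, path = m.group(1), m.group(2)
        per_ip[ip] += 1
        prefix = "/" + path.lstrip("/").split("/", 1)[0]
        sources[prefix].add(ip)
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    spread = {p: len(ips) for p, ips in sources.items() if len(ips) >= min_sources}
    return noisy, spread

if __name__ == "__main__":
    noisy, spread = summarize_404s(SAMPLE_LOG)
    print("per-IP threshold would flag:", noisy)
    print("prefixes hit from many IPs:", spread)
```

On the constructed sample, only the single repeating client is flagged by the per-IP count, while the `/logos` requests show up only in the per-prefix view.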
