Severe attack case via POST /admin/ HTTP/1.1

user4629

• October 24, 2021 13:39

Hello, we have a rather difficult case of attacks to our VPS server (CLOUDLINUX 7.9 kvm [web] v98.0.9) Server Version: Apache/2.4.51 (cPanel) OpenSSL/1.1.1l Apache mod_bwlimited/1.4 mainly in the form: http/1.1 example-domain.com:443 POST /admin/ HTTP/1.1
that target the admin section of opencart installations in the server (~40 accounts). Example:

Srv

PID

Acc

M

CPU

SS

Req

Dur

Conn

Child

Slot

Client

Protocol

VHost

Request

0-5

26445

0/113/817

_

356.93

5

309

651215

0

2.79

16.72

xx.xx.xx.xx

http/1.1

domain.com:443

POST /admin/ HTTP/1.1

we have csf v14.11, mod security with GotRoot rules, but attacks cannot be stopped. we are also trying to block the attacks as per account editing the admin script to give HTTP/1.0 403 Forbidden
for these attacks. Any ideas or pointers?

• 

  cPanelAnthony

  • October 24, 2021 19:01

  Hello! Have you already reached out to your web hosting provider or systems administrator? There wouldn't be any functionality within cPanel to stop these types of attacks. However, the following article might help.

  0
• 

  user4629

  • October 25, 2021 00:23

  Yes I already have. The final question is: How can we block every IP that use POST /admin/ HTTP/1.1 as request and Protocol = http/1.1 any experts?

  0
• 

  dalem

  • October 25, 2021 03:41

  use mod security Warning use at your own risk this may block some legit users #Block requests to admin with no referring URL SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000131,chain,msg:'index.php/admin request blocked, no referer'" SecRule &;HTTP_REFERER "@eq 0"
  

  0
• 

  user4629

  • October 25, 2021 05:22

  use mod security Warning use at your own risk this may block some legit users #Block requests to admin with no referring URL SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000131,chain,msg:'index.php/admin request blocked, no referer'" SecRule &;HTTP_REFERER "@eq 0"
  

  
  Thank you very much for your answer, Can you please explain the id:5000131 how can this be targeted to all accounts for: public_html/admin/

  0
• 

  dalem

  • October 25, 2021 14:26

  that's the ID of the rule you can use any number that's not in use id:5000131

  0
• 

  cPanelAnthony

  • October 25, 2021 14:32

  Thanks for the suggestion @dalem !

  0
• 

  brandon7gr

  • June 24, 2022 21:48

  Just to add something here, since the above didn't worked for me. I have managed to block a huge DDOS attack of POST requests, by adding the following rule in Modsecurity rule (For beginner users, that means that you have to go to Security Center->Modsecurity Tools->Rules List-> Add rule) #Block any HTTP POST request that has no referring URL SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:88888,chain,msg:'POST is blocked' " SecRule REQUEST_METHOD "POST" (the id:88888 is a random number, you can write any number you want there) (same applies for the variable msg, you can write whatever you want)

  0

Please sign in to leave a comment.