What is the recommended way to detect IP addresses that make junk httpd requests?
By junk request I mean a request where the first part is legit but the second part consists of folders/files/scripts that are not on my server. Sometimes the same IP will send many such requests.
I see these junk requests in the Apache 2.4 error.log.
Is there an automated way to detect these junk requests or do I need to write my own PHP script?
CSF allows you to set a limit of 404 errors, which can help to some degree. I usually go with a limit of 60 (the minimum) and a temporary ban of a few hours. Useful but not effective long-term. [You might lock out some poxy Mac that's polling for multiple non-existent favicons, plus perhaps missing files (background images in CSS, for example) by mistake.] I use a variation (customised by me over a decade ago) of IP Trap.
Thanks for the IP Trap link. I will take a look at that.
Try version 5.3a - only minor changes required, e.g. change the variable DIR_WS_INCLUDES to a hard-coded includes. See the readme file, installation section, for details.
Hello! You can also look into implementing ModSecurity and/or mod_evasive if you haven't already. Both of those can be useful in blocking bad requests/brute force attacks: How to tune mod_evasive
Thanks. I have not yet looked into ModSecurity or mod_evasive but will do so.
I always add ModSecurity, even if just for default OWASP rules (with some whitelisting/disabled, using ConfigServer ModSecurity Control). IME, it doesn't tackle what you asked, i.e. detecting non-existent files, in a particular place. I haven't taken the time to explore mod_evasive but if @cPanelWilliam could explain the advantages, over CSF, that'd be handy. ;-)
We have a lot more details on mod_evasive here: Apache Module: Evasive | cPanel & WHM Documentation. While it won't handle any large-scale attacks, it can help deal with smaller-scale DoS attacks.
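The per-IP limit on 404 errors mentioned in the CSF reply above can be approximated directly against the Apache 2.4 error.log. This is an added example, not code from the thread, CSF or IP Trap; the sliding-window logic, the function names, the window length and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.4 default error log layout: [time] [module:level] [pid N] [client IP:port] message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid [^\]]*\] "
                     r"\[client (?P<ip>[0-9a-fA-F.:]+):\d+\] (?P<msg>.*)$")
# Message fragments logged when the requested file or script is missing.
MISSING_RE = re.compile(r"File does not exist|not found or unable to stat")
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"


def parse_line(line):
    """Return (timestamp, client_ip) for a missing-file entry, else None."""
    m = LINE_RE.match(line.strip())
    if not m or not MISSING_RE.search(m.group("msg")):
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip")


def find_junk_clients(lines, limit=60, window=timedelta(hours=1)):
    """Return {ip: peak_count} for clients with >= limit misses inside one window."""
    recent = defaultdict(deque)  # ip -> miss timestamps still inside the window
    flagged = {}
    for line in lines:
        hit = parse_line(line)
        if hit is None:
            continue
        ts, ip = hit
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop misses older than the window
            q.popleft()
        if len(q) >= limit:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def sample_log():
    """Constructed log lines (documentation-range IPs), not real traffic."""
    base = datetime(2024, 3, 2, 10, 15, 0, 250000)
    row = "[{t}] [{lvl}] [pid 1234] [client {ip}:51234] {msg}"
    miss = "AH00128: File does not exist: /home/user/public_html/shop/{}"
    # Each event: (seconds offset, client, level, message)
    events = [(s, "203.0.113.7", "core:info", miss.format(f"probe{s}.php")) for s in range(5)]
    events += [(s, "198.51.100.20", "core:info", miss.format("favicon.ico")) for s in (0, 90, 180)]
    events += [(6, "203.0.113.7", "authz_core:error",
                "AH01630: client denied by server configuration: /home/user/public_html/private/")]
    return [row.format(t=(base + timedelta(seconds=s)).strftime(TS_FMT), lvl=lvl, ip=ip, msg=msg)
            for s, ip, lvl, msg in events]
```

With `limit=3` and a 60-second window, the sample flags only 203.0.113.7; the client that misses `favicon.ico` three times over three minutes stays under the limit, which is the false-positive case the CSF reply warns about.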