Mod_security and scan of port 443

Comments

12 comments

  • cPRex Jurassic Moderator
    Hey there! Even though the files may not exist on your server, someone can still make a request for them that ModSecurity will block. For example, I could visit
    0
  • khnaz35
    Thanks for the reply. How do I get rid of this requester (show him/her the middle finger)? Because no matter what, they are still eating up my system memory/bandwidth, and when it comes to real users, they are facing timeouts on the server.
    0
  • cPRex Jurassic Moderator
    If the requests always come from the same IP address, I would recommend just blocking the IP address in the server's firewall.
    0
  • khnaz35
    Currently I am seeing about 2000 hits under ModSecurity™ Tools » Hits List, so I don't think it's possible to block them one by one. Is there any way I can download this list and block them? Or what is the best way to get rid of these IPs?
    0
  • ejsolutions
    Install & use CSF to block ModSec hits.
    0
  • khnaz35
    I have installed & enabled CSF on my server. Can you provide more information on blocking ModSec hits in CSF? Thanks in advance.
    0
  • ciao70
    I recommend deleting the access links to your server. Post n° 5
    0
  • cPRex Jurassic Moderator
    @ciao70 - edited, thanks!
    0
  • ejsolutions
    Can you provide more information on blocking ModSec hits in CSF?

    I highly recommend that you run through the readme that is a part of CSF. IIRC, by default, CSF blocks anyone temporarily with more than 5 ModSec hits - I set blocks as permanent, for example.
    0
  • khnaz35
    I set blocks as permanent, for example.

    How was this done?
    0
  • quietFinn
    LF_MODSEC = 5
    LF_MODSEC_PERM = 1
    means after 5 rule triggers it's a permanent ban.
    0
  • ejsolutions
    I'll regurgitate my default setting for CSF, hopefully for the benefit of others..
    csf --profile apply protection_high
    csf --profile apply disable_alerts <-- stops your server spamming your default email with every single alert.
    .. manually change a select few alerts, such as console access ..
    csf -r
    0
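
The threshold behaviour discussed in this thread (block a client after a set number of ModSecurity hits), as an added example that is not from the thread or from CSF itself: it counts ModSecurity denials per client in an Apache error log and prints, without running them, `csf -d` commands for addresses at or above the limit. The log layout, sample lines, function names and the allow-list parameter are assumptions, and unlike lfd it applies no time window.

```shell
#!/bin/sh
# Added example (not from the thread): count ModSecurity denials per client IP
# and print, without running them, csf deny commands for repeat offenders.

# Constructed sample in Apache 2.4 error-log layout (documentation IP ranges).
sample_log() {
cat <<'EOF'
[Tue Mar 05 10:00:01.000001 2024] [:error] [pid 2101] [client 203.0.113.10:40111] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [uri "/a.php"]
[Tue Mar 05 10:00:02.000001 2024] [:error] [pid 2101] [client 203.0.113.10:40112] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [uri "/b.php"]
[Tue Mar 05 10:00:03.000001 2024] [:error] [pid 2101] [client 203.0.113.10:40113] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [uri "/c.php"]
[Tue Mar 05 10:00:04.000001 2024] [:error] [pid 2101] [client 203.0.113.10:40114] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [uri "/d.php"]
[Tue Mar 05 10:00:05.000001 2024] [:error] [pid 2101] [client 203.0.113.10:40115] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [uri "/e.php"]
[Tue Mar 05 10:00:06.000001 2024] [:error] [pid 2102] [client 198.51.100.7:51000] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [uri "/a.php"]
[Tue Mar 05 10:00:07.000001 2024] [:error] [pid 2102] [client 198.51.100.7:51001] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). [uri "/b.php"]
[Tue Mar 05 10:00:08.000001 2024] [core:error] [pid 2103] [client 192.0.2.44:33000] AH00126: Invalid URI in request GET /%zz HTTP/1.1
[Tue Mar 05 10:00:09.000001 2024] [:error] [pid 2103] [client 192.0.2.44:33001] [client 192.0.2.44] ModSecurity: Warning. Pattern match at ARGS. [uri "/index.php"]
EOF
}

# modsec_offenders LIMIT: log on stdin -> "count ip" lines, highest first,
# for clients with at least LIMIT denials. LIMIT plays the role of LF_MODSEC;
# warnings and non-ModSecurity errors are not counted.
modsec_offenders() {
  awk -v limit="$1" '
    match($0, /\[client [0-9A-Fa-f:.]+\] ModSecurity: Access denied/) {
      rest = substr($0, RSTART + 8)          # text starting at the address
      hits[substr(rest, 1, index(rest, "]") - 1)]++
    }
    END { for (ip in hits) if (hits[ip] >= limit) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# deny_commands ALLOW_IP: "count ip" on stdin -> one csf -d line per address,
# skipping ALLOW_IP (hypothetical parameter: your own admin or monitoring IP).
deny_commands() {
  awk -v allow="$1" '$2 != allow { printf "csf -d %s \"ModSecurity denials: %d\"\n", $2, $1 }'
}

# Dry run over the constructed sample; review the output before executing it.
sample_log | modsec_offenders 5 | deny_commands 192.0.2.1
```

To use it on a real server, feed the Apache error log to `modsec_offenders` on stdin instead of `sample_log`.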
