how to block attempted security hacks
I am routinely seeing hackers trying to gain access to my server by trying to compromise HTTP server or CGI issues. Most are very similar, if not the same, to the logs posted below:
- [2023-07-03 06:40:45 -0400] info [cpaneld] 13.59.252.89 - - "OPTIONS /openid_connect/ HTTP/1.1" FAILED LOGIN cpaneld: openid connect: 'cpaneld' provider '' encountered an error: (XID ha8m8j) Provide the "provider"" parameter for the "Cpanel::Validate::AuthProvider::check_provider_name_or_die"" function.
- [2023-07-03 06:40:54 -0400] info [whostmgrd] 13.59.252.89 - - "GET /openid_connect/news.mdb HTTP/1.1" FAILED LOGIN whostmgrd: openid connect: 'whostmgrd' provider 'news.mdb' encountered an error: (XID defm5k) The requested provider "news.mdb"" is not valid.
- [2023-07-03 06:40:56 -0400] info [cpaneld] 13.59.252.89 - - "GET /openid_connect/news.mdb HTTP/1.1" FAILED LOGIN cpaneld: openid connect: 'cpaneld' provider 'news.mdb' encountered an error: (XID effupr) The requested provider "news.mdb"" is not valid.
- [2023-07-03 06:40:57 -0400] info [webmaild] 13.59.252.89 - - "GET /openid_connect/news.mdb HTTP/1.1" FAILED LOGIN webmaild: openid connect: 'webmaild' provider 'news.mdb' encountered an error: (XID vueh2q) The requested provider "news.mdb"" is not valid.
- [2023-07-03 06:41:00 -0400] info [whostmgrd] 13.59.252.89 - - "GET /openid_connect/zml.cgi?file=../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" FAILED LOGIN whostmgrd: openid connect: 'whostmgrd' provider 'zml.cgi' encountered an error: (XID 4aamf3) The requested provider "zml.cgi"" is not valid.
Mod_security might block some of this, but they are mainly just automated attacks that literally every website on the internet experiences. You probably want to consider more sophisticated software like Imunify360 or Bitninja. For the WHM/cPanel services, make sure cphulkd is enabled in WHM. You can't stop these attacks from hitting your server but you can tell the server not to accept these requests.
If you run a server connected to the Internet, you may as well get used to seeing these automated attempts, because they are ongoing. I agree with @vanessa, using a security app like Imunify360 or Bitninja will help block a majority of these.
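An added example, not from this thread or from cPanel, of the per-source triage that cphulkd-style tooling does behind the scenes: it parses FAILED LOGIN lines in the format quoted in the question, counts failures per client IP across cpaneld/whostmgrd/webmaild, and flags a source that bursts past a threshold or sends a decoded traversal probe like the zml.cgi request. The sample lines below are constructed from that format; 203.0.113.7 is a documentation address added as a second, low-volume source, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample in the format of the cpaneld/whostmgrd lines quoted in the question
# (203.0.113.7 is a documentation address added here as a second, low-volume source).
SAMPLE_LOG = """\
[2023-07-03 06:40:45 -0400] info [cpaneld] 13.59.252.89 - - "OPTIONS /openid_connect/ HTTP/1.1" FAILED LOGIN cpaneld: openid connect: 'cpaneld' provider '' encountered an error
[2023-07-03 06:40:54 -0400] info [whostmgrd] 13.59.252.89 - - "GET /openid_connect/news.mdb HTTP/1.1" FAILED LOGIN whostmgrd: openid connect: 'whostmgrd' provider 'news.mdb' encountered an error
[2023-07-03 06:41:00 -0400] info [whostmgrd] 13.59.252.89 - - "GET /openid_connect/zml.cgi?file=../../../../etc/passwd%00 HTTP/1.1" FAILED LOGIN whostmgrd: openid connect: 'whostmgrd' provider 'zml.cgi' encountered an error
[2023-07-03 06:41:05 -0400] info [cpaneld] 203.0.113.7 - - "GET /openid_connect/ HTTP/1.1" FAILED LOGIN cpaneld: openid connect: 'cpaneld' provider '' encountered an error
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \w+ \[(?P<svc>\w+)\] (?P<ip>\S+) - - '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" FAILED LOGIN'
)

def parse_line(line):
    """Return timestamp, service, client IP and request path, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S %z")
    return {"ts": ts, "svc": m["svc"], "ip": m["ip"], "path": m["path"]}

def looks_like_traversal(path):
    """Decode once, then look for directory traversal or an embedded NUL as in the zml.cgi probe."""
    decoded = unquote(path)
    return "../" in decoded or "\x00" in decoded

def summarize(log_text, threshold=3, window=timedelta(minutes=5)):
    """Group FAILED LOGIN events per source IP; flag bursts or traversal attempts (assumed thresholds)."""
    per_ip = defaultdict(lambda: {"failures": 0, "services": set(), "traversal": False, "times": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        rec = per_ip[ev["ip"]]
        rec["failures"] += 1
        rec["services"].add(ev["svc"])
        rec["times"].append(ev["ts"])
        if looks_like_traversal(ev["path"]):
            rec["traversal"] = True
    for rec in per_ip.values():
        times = sorted(rec.pop("times"))
        # A burst is `threshold` failures whose first and last fall within `window`.
        burst = any(times[i + threshold - 1] - times[i] <= window for i in range(len(times) - threshold + 1))
        rec["flag"] = burst or rec["traversal"]
    return dict(per_ip)
```

A flagged source is what you would hand to cphulkd's blacklist, a firewall rule, or the WAF rather than acting on single requests.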