Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

attacked by 100s of POST requests

Discussion in 'Security' started by xbaha, Dec 30, 2014.

  1. xbaha

    xbaha Member

    Joined:
    Sep 30, 2014
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    hi,
    is there any module in cpanel that limits how may connections per ip per 1 minute?
    i am getting 100s of requests like these:

    Code:
    Srv	PID	Acc	M	CPU	SS	Req	Conn	Child	Slot	Client	VHost	Request
0-80	14688	0/10/494	_	2.34	0	881	0.0	0.14	6.82	54.243.185.88	xxxx.com:80	POST /holidays/ HTTP/1.1
1-80	14770	0/1/436	_	0.25	0	584	0.0	0.01	6.04	54.243.185.88	xxxx.com:80	POST /holidays/ HTTP/1.1
2-80	14696	0/12/224	_	2.65	1	1541	0.0	0.17	3.09	54.243.185.88	xxxx.com:80	POST /holidays/ HTTP/1.1
    and id like to ban this ip for X amount of time after he reaches the limit.

    please help, as these damn requests max the CPU, and for what?? god knows!!!
     
    #1 xbaha, Dec 30, 2014
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,352
    Likes Received:
    402
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    Searching that IP I came across this:
    /http://support.tinfoilsecurity.com/customer/portal/articles/955062-scanning-through-a-firewall

    Do you have CSF installed?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 Infopro, Dec 30, 2014
  3. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Does the URI /holidays/ or the file /holidays/index.php actually need to accept POST data? Like is there a login form or anything?

    I see a lot of POST attacks trying for DoS, but usually just for "/" where they just post garbage data. The payload is literally something like AAAHHHHHHHHHHGGGGGGGGUUUUUUWWWWWWWBNNNNNNGGGGGGGGGGGGGGGG

    If the URL "/holidays/" does not need to accept POST requests, then this is very easy to deny with ModSecurity.

    Code:
    SecRule REQUEST_URI "^\/holidays\/$" "deny,id:178465,chain"
SecRule REQUEST_METHOD "POST"
     
    #3 quizknows, Dec 30, 2014
  4. xbaha

    xbaha Member

    Joined:
    Sep 30, 2014
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    /holiday has a post, i have a register form on all my website pages, so all the website can accept post.
    this ip address is scanning all my website pages and make 1000s of posts to each page,
    all the URLs this IP POSTs to are correct, i dont know of anyway to stop this attacker, so i was thinking to limit him after many requests per second!

    and i dont have CSF installed, not sure if it does what i want...

    - - - Updated - - -

    i think i did register with this company early today!
    i didnt know that it's going to be like this!
    but in anyway, that's good to be aware of such an attack...
     
    #4 xbaha, Dec 30, 2014
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,352
    Likes Received:
    402
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    Twitter:
    You want CSF installed.

    It was a scan, it seems. If it had been an actual attack, you'd probably be in far more trouble. Guessing of course.

    Install CSF. It will be very helpful for many things you may not even know you want, yet.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 Infopro, Dec 30, 2014
  6. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Rate limiting is certainly one option.

    Another option is inspecting the POST data for things that should not be submitted. For example if the POST data contains invalid fields or the exact same data over and over, you can block requests based on those attributes using a more advanced ModSecurity rule.

    Another good option is in many cases, post requests from bots/scans/attacks are missing the referring URL. Check your domain access logs to see if there is a referring URL. If there is not, then I could give you an easy modsecurity rule to block the POSTs that are missing referrer data (any real visitor will submit POSTs with a referrer)
     
    #6 quizknows, Dec 30, 2014
  7. xbaha

    xbaha Member

    Joined:
    Sep 30, 2014
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    quiczknows, thank you.
    i guess that's exactly what i want...
    POSTs requests has no referring URL, please give me the method to block them...
    thanks!

    - - - Updated - - -

    thank you,
    i just installed CSF,
    didnt want to block the ip, rather limit his connection per 30 seconds to 300...
    lets see...
     
    #7 xbaha, Dec 30, 2014
  8. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Here is the rule to block the POSTs with no referrer. If you have cPanel/WHM 11.46 you can add it via WHM, otherwise add to your modsec2.user.conf file.

    Code:
    SecRule REQUEST_URI "^\/holidays\/$" "deny,id:178465,chain"
SecRule REQUEST_METHOD "POST" "chain"
SecRule &HTTP_REFERER "@eq 0"
    If they start attacking a different url, you can copy that whole rule (all 3 lines) to a new rule, and change the REQUEST_URI and the rule id: number.
     
    #8 quizknows, Dec 30, 2014
  9. xbaha

    xbaha Member

    Joined:
    Sep 30, 2014
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator

    what if i need to do this to all my pages in the website???
     
    #9 xbaha, Dec 31, 2014
  10. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    You can easily deny all POST requests that don't have a referring URL. However, this occasionally stops legitimate things so you need to be prepared to make exceptions. For example, if you use wordpress, wp-cron.php posts to itself with no referrer.

    I actually do this on my own server. This code would need to be manually added to the file /usr/local/apache/conf/modsec2.user.conf :

    Code:
    #Block any HTTP POST request that has no referring URL
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:18749459,chain,msg:'POST request blocked, no referer'"
SecRule REQUEST_METHOD "POST"

#Wordpress posts to it's own cron file with no referring URL, whitelisting that URI
<LocationMatch "/wp-cron.php">
  SecRuleRemoveById 18749459
</LocationMatch>
    I also use this rule too for general abuse prevention:

    Code:
    #Deny any HTTP request where both the user agent and referring URL are blank
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945988,chain,msg:'No UA, No referer'"
SecRule &HTTP_User-Agent "@eq 0"
    I have had very good luck with these, but I do not use them widely on customer servers; only my own.
     
    #10 quizknows, Dec 31, 2014
(You must log in or sign up to post here.)

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice