attacked by 100s of POST requests

Discussion in 'Security' started by xbaha, Dec 30, 2014.

  1. xbaha

    xbaha Member

    Hi,
    Is there any module in cPanel that limits how many connections per IP per 1 minute?
    I am getting 100s of requests like these:

    Code:
    Srv	PID	Acc	M	CPU	SS	Req	Conn	Child	Slot	Client	VHost	Request
    0-80	14688	0/10/494	_	2.34	0	881	0.0	0.14	6.82	54.243.185.88	xxxx.com:80	POST /holidays/ HTTP/1.1
    1-80	14770	0/1/436	_	0.25	0	584	0.0	0.01	6.04	54.243.185.88	xxxx.com:80	POST /holidays/ HTTP/1.1
    2-80	14696	0/12/224	_	2.65	1	1541	0.0	0.17	3.09	54.243.185.88	xxxx.com:80	POST /holidays/ HTTP/1.1
    And I'd like to ban this IP for X amount of time after he reaches the limit.

    Please help, as these damn requests max the CPU, and for what?? God knows!!!
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Searching that IP I came across this:
    http://support.tinfoilsecurity.com/customer/portal/articles/955062-scanning-through-a-firewall

    Do you have CSF installed?
     
  3. quizknows

    quizknows Well-Known Member

    Does the URI /holidays/ or the file /holidays/index.php actually need to accept POST data? Like is there a login form or anything?

    I see a lot of POST attacks trying for DoS, but usually just for "/" where they just post garbage data. The payload is literally something like AAAHHHHHHHHHHGGGGGGGGUUUUUUWWWWWWWBNNNNNNGGGGGGGGGGGGGGGG

    If the URL "/holidays/" does not need to accept POST requests, then this is very easy to deny with ModSecurity.

    Code:
    SecRule REQUEST_URI "^\/holidays\/$" "deny,id:178465,chain"
    SecRule REQUEST_METHOD "POST"
    
     
  4. xbaha

    xbaha Member

    /holiday has a POST, I have a register form on all my website pages, so all the website can accept POST.
    This IP address is scanning all my website pages and making 1000s of POSTs to each page.
    All the URLs this IP POSTs to are correct. I don't know of any way to stop this attacker, so I was thinking to limit him after many requests per second!

    And I don't have CSF installed, not sure if it does what I want...

    - - - Updated - - -

    I think I did register with this company early today!
    I didn't know that it was going to be like this!
    But anyway, it's good to be aware of such an attack...
     
  5. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    You want CSF installed.

    It was a scan, it seems. If it had been an actual attack, you'd probably be in far more trouble. Guessing of course.

    Install CSF. It will be very helpful for many things you may not even know you want, yet.
     
  6. quizknows

    quizknows Well-Known Member

    Rate limiting is certainly one option.

    Another option is inspecting the POST data for things that should not be submitted. For example if the POST data contains invalid fields or the exact same data over and over, you can block requests based on those attributes using a more advanced ModSecurity rule.

    Another good option: in many cases, POST requests from bots/scans/attacks are missing the referring URL. Check your domain access logs to see if there is a referring URL. If there is not, then I could give you an easy ModSecurity rule to block the POSTs that are missing referrer data (any real visitor will submit POSTs with a referrer).
     
  7. xbaha

    xbaha Member

    quizknows, thank you.
    I guess that's exactly what I want...
    The POST requests have no referring URL, please give me the method to block them...
    Thanks!

    - - - Updated - - -

    Thank you,
    I just installed CSF,
    didn't want to block the IP, rather limit his connection per 30 seconds to 300...
    Let's see...
     
  8. quizknows

    quizknows Well-Known Member

    Here is the rule to block the POSTs with no referrer. If you have cPanel/WHM 11.46 you can add it via WHM, otherwise add to your modsec2.user.conf file.

    Code:
    SecRule REQUEST_URI "^\/holidays\/$" "deny,id:178465,chain"
    SecRule REQUEST_METHOD "POST" "chain"
    SecRule &HTTP_REFERER "@eq 0"
    
    If they start attacking a different url, you can copy that whole rule (all 3 lines) to a new rule, and change the REQUEST_URI and the rule id: number.
     
  9. xbaha

    xbaha Member


    What if I need to do this to all my pages in the website???
     
  10. quizknows

    quizknows Well-Known Member

    You can easily deny all POST requests that don't have a referring URL. However, this occasionally stops legitimate things, so you need to be prepared to make exceptions. For example, if you use WordPress, wp-cron.php posts to itself with no referrer.

    I actually do this on my own server. This code would need to be manually added to the file /usr/local/apache/conf/modsec2.user.conf:

    Code:
    #Block any HTTP POST request that has no referring URL
    SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:18749459,chain,msg:'POST request blocked, no referer'"
    SecRule REQUEST_METHOD "POST"
    
    #WordPress posts to its own cron file with no referring URL, whitelisting that URI
    <LocationMatch "/wp-cron.php">
      SecRuleRemoveById 18749459
    </LocationMatch>
    
    I also use this rule too for general abuse prevention:

    Code:
    #Deny any HTTP request where both the user agent and referring URL are blank
    SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:187945988,chain,msg:'No UA, No referer'"
    SecRule &HTTP_User-Agent "@eq 0"
    
    I have had very good luck with these, but I do not use them widely on customer servers; only my own.
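
Added example, not part of the original thread: a dry run of the site-wide "POST with no referrer" rule from the last post over an Apache access log. It lists which URIs the rule would deny, so exceptions such as wp-cron.php can be found before it is enabled, and each client's peak POSTs per minute as input for a rate limit. It assumes the Apache combined log format; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"'
)

# Constructed sample lines (documentation-range addresses), not taken from the thread.
SAMPLE = """\
192.0.2.10 - - [30/Dec/2014:10:15:01 +0000] "POST /holidays/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [30/Dec/2014:10:15:02 +0000] "POST /holidays/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [30/Dec/2014:10:15:03 +0000] "POST /contact/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Dec/2014:10:15:04 +0000] "POST /holidays/ HTTP/1.1" 302 0 "http://example.com/holidays/" "Mozilla/5.0"
203.0.113.5 - - [30/Dec/2014:10:16:00 +0000] "POST /wp-cron.php?doing_wp_cron=1 HTTP/1.1" 200 0 "-" "WordPress/4.1"
198.51.100.7 - - [30/Dec/2014:10:16:05 +0000] "GET /holidays/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
""".splitlines()

def parse(lines):
    """Yield one dict per line in combined format; lines that do not match are skipped."""
    for line in lines:
        m = COMBINED.match(line)
        if m:
            yield m.groupdict()

def would_block(lines):
    """Count POSTs with no Referer per URI path: the requests the site-wide rule would deny."""
    hits = Counter()
    for r in parse(lines):
        # Apache logs "-" when the Referer header is absent.
        if r["method"] == "POST" and r["referer"] == "-":
            hits[r["uri"].split("?", 1)[0]] += 1
    return hits

def peak_posts_per_minute(lines):
    """Per client IP, the highest number of POSTs in any one clock minute (not a sliding window)."""
    per_minute = Counter()
    for r in parse(lines):
        if r["method"] == "POST":
            per_minute[(r["ip"], r["ts"][:17])] += 1  # key ends like "30/Dec/2014:10:15"
    peak = Counter()
    for (ip, _minute), n in per_minute.items():
        peak[ip] = max(peak[ip], n)
    return peak
```

Run `would_block()` over a day or two of the domain's access log: any URI in the result that is a legitimate self-posting script needs its own `SecRuleRemoveById` exception, as shown for wp-cron.php above.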
     