Auto banning IPs snooping web root?

rolinger

Looking through my apache error logs in /var/log/apache2/error_log I am seeing a ton of IPs trying to access files that don't exist. I interpret these as bots probing my web server trying to find a vulnerability file to exploit.

Files like:

Code:
/var/www/html/compress.php
/var/www/html/index.php
/var/www/html/wp-login.php
/var/www/hmtl/getcfg.php
I then go to look at the /var/www/ directory and do find the /cgi-bin and the /html subfolders in them. The /cgi-bin folder is empty, but the /html folder has a handful of files like: 400.shtml, 401.shtml, 403.shtml, 404.shtml and even index.html. I then read that these are apache created and owned - is this true? If so...what is the purpose of this folder/files?

Is there any apache...or ConfigServer (firewall) configuration that I can use that can detect these probing IPs and auto-block them? Any IP that keeps looking for multiple files that don't exist - implying it's not a user (or even a bot) that is properly accessing the correct HTML pages - is malicious and should be blocked.
 

cPRex

Hey there! /var/www/html is a standard directory, created by cPanel and Apache for use on the system. This directory does get used as the "default" directory for Apache, so you'll find the default error files, the default index page, and the .well-known directory used for hostname SSL verification.

While the bots can be annoying, just checking for files doesn't harm anything, and there's really not a great way to block one-off checks. If you wanted to block repeated offenders, a tool like mod_evasive is the best way to go:


Let me know if that helps!
 

quietFinn

You might want to check setting LF_APACHE_404 in CSF.
 

rolinger

Thanks. I will look into both. These aren't just a few random checks, sometimes a single IP is looking for 40 or 50 URLs, that don't exist, in a span of about 30 seconds. Sometimes I will see the same IP hitting other folders doing the same thing.
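
The pattern discussed in this thread (one IP requesting many nonexistent files within a short span), as an added example that is not part of any post and is not cPanel or CSF code: a sliding-window counter over Apache error-log lines that flags the IPs a rule like LF_APACHE_404 is meant to catch. The log layout, the two "missing file" message forms matched, the sample lines, and the threshold and window values are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, assuming Apache 2.4's default error log layout.
SAMPLE_LOG = """\
[Mon Feb 13 10:15:01.000000 2023] [core:info] [pid 811] [client 203.0.113.7:40112] AH00128: File does not exist: /var/www/html/compress.php
[Mon Feb 13 10:15:02.000000 2023] [core:info] [pid 811] [client 203.0.113.7:40114] AH00128: File does not exist: /var/www/html/wp-login.php
[Mon Feb 13 10:15:03.000000 2023] [core:info] [pid 812] [client 198.51.100.20:51500] AH00128: File does not exist: /var/www/html/favicon.ico
[Mon Feb 13 10:15:04.000000 2023] [core:info] [pid 811] [client 203.0.113.7:40120] AH00128: File does not exist: /var/www/html/getcfg.php
[Mon Feb 13 10:15:05.000000 2023] [core:notice] [pid 800] AH00094: Command line: '/usr/sbin/httpd'
[Mon Feb 13 10:15:09.000000 2023] [core:info] [pid 811] [client 203.0.113.7:40131] AH00128: File does not exist: /var/www/html/index.php
[Mon Feb 13 10:20:30.000000 2023] [core:info] [pid 812] [client 198.51.100.20:51522] AH00128: File does not exist: /var/www/html/robots.txt
"""

TS_FMT = "%a %b %d %H:%M:%S.%f %Y"
# Captures timestamp, client IP (source port dropped) and the missing path.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?\[client (?P<ip>[^\]]+?)(?::\d+)?\]"
    r".*?(?:File does not exist: |script ')(?P<path>[^\s',]+)"
)

def find_probers(lines, threshold=4, window=timedelta(seconds=30)):
    """Return {ip: peak count of distinct missing paths seen inside one window}."""
    recent = defaultdict(deque)   # ip -> (timestamp, path) pairs still in the window
    flagged = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:                 # not a "missing file" entry, or no client field
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append((ts, m["path"]))
        while ts - q[0][0] > window:   # expire hits older than the window
            q.popleft()
        distinct = len({path for _, path in q})
        # Distinct paths only: a browser retrying one favicon is not a scan.
        if distinct >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), distinct)
    return flagged

if __name__ == "__main__":
    for ip, count in find_probers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} distinct missing paths within 30s")
```

Counting distinct paths inside a time window, rather than total 404s, keeps a visitor with one broken bookmark or a missing favicon from being flagged alongside a scanner.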