Auto banning IPs snooping web root?

R

rolinger

Well-Known Member
Feb 13, 2017
51
3
58
Tampa
cPanel Access Level
Root Administrator
Looking through my apache error logs in /var/log/apache2/error_log I am seeing a ton of IPs trying access files that don't exist. I interpret these as bots probing my web server trying to find a vulnerability file to exploit

Files like:

Code: 
/var/www/html/compress.php
/var/www/html/index.php
/var/www/html/wp-login.php
/var/www/hmtl/getcfg.php
I then go to look at the /var/www/ directory and do find the /cgi-bin and the /html subfolders in them. The /cgi-bin folder is empty, but the /html folder has a handful of files like: 400.shtml, 401.shtml, 403.shtml, 404.shtml and even index.html. I then read that these are apache created and owned - is this true? If so...what is the purpose of this folder/files?

Is there any apache...or ConfigServer (firewall) configuration that I can use that can detect these probing IPs and auto-block them? Any IP that keeps looking for multiple files that don't exist - implying its not a user (or even a bot) that is properly access the correct HTML pages - is malicious and should be blocked.
 
cPRex

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
15,216
2,417
363
cPanel Access Level
Root Administrator
Hey there! /var/www/html is a standard directory, created by cPanel and Apache for use on the system. This directory does get used as the "default" directory for Apache, so you'll find the default error files, the default index page, and the .well-known directory used for hostname SSL verification.

While the bots can be annoying, just checking for files doesn't harm anything, and there's really not a great way to block one-off checks. If you wanted to block repeated offenders, a tool like mod_evasive is the best way to go:

Apache Module: Evasive | cPanel & WHM Documentation

This module provides DoS, DDoS, and brute force attack protection.
docs.cpanel.net docs.cpanel.net

Let me know if that helps!
 
Q

quietFinn

Well-Known Member
Feb 4, 2006
1,894
464
438
Finland
cPanel Access Level
Root Administrator
You might want to check setting LF_APACHE_404 in CSF.
 
R

rolinger

Well-Known Member
Feb 13, 2017
51
3
58
Tampa
cPanel Access Level
Root Administrator
Thanks. I will look into both. These aren't just a few random checks, sometimes a single IP is looking for 40 or 50 URLs, that don't exist, in a span of about 30 seconds. Sometimes I will see the same IP hitting other folders doing the same thing.
 
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
L AutoSSL isues Security 1
A AutoSSL not generating certificate for domains with previous external certificates (cPanel or ZeroSSL), even after expiration or deletion Security 1
B AutoSSL / Wildcard / Error? / Can't Disable Request? Security 16
J AutoSSL Certificates Security 1
P Certificate for a delegated subdomain (AutoSSL + Let's Encrypt). Security 2
Similar threads
AutoSSL isues
AutoSSL not generating certificate for domains with previous external certificates (cPanel or ZeroSSL), even after expiration or deletion
AutoSSL / Wildcard / Error? / Can't Disable Request?
AutoSSL Certificates
Certificate for a delegated subdomain (AutoSSL + Let's Encrypt).
Top Bottom