
Auto block IP address based on page visit

Discussion in 'Security' started by OttoM, Mar 12, 2019.

  1. OttoM

    OttoM Member

    Joined:
    Apr 4, 2018
    Messages:
    12
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Hi there,

    I was wondering if there is a configuration mechanism to auto block IP addresses of visitors who visit pages matching some criteria.
    For example, block the IP address if they visit a page like /wp-admin.php.
    I don't have WordPress installed, so this user could be a potential hacker.

    Many thanks,
    Otto
     
  2. GOT

    GOT Get Proactive! PartnerNOC

    Joined:
    Apr 8, 2003
    Messages:
    1,478
    Likes Received:
    185
    Trophy Points:
    193
    Location:
    Chesapeake, VA
    cPanel Access Level:
    DataCenter Provider
    If you have CSF installed you can enable 404 error blocking which would accomplish what you are describing.
     
    cPanelLauren and OttoM like this.
  3. OttoM

    OttoM Member

    Joined:
    Apr 4, 2018
    Messages:
    12
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Hi GOT,

    I do actually have CSF. There is indeed the option of LF_APACHE_404 which sounds good. I'll try this for now and see how it goes.

    Thanks so much for the info.

    P.S. You helped me the previous time I wanted some help.
     
    cPanelLauren likes this.
  4. GeekOnTheHill

    GeekOnTheHill Member

    Joined:
    Feb 16, 2015
    Messages:
    23
    Likes Received:
    4
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    The problem with that is that something silly like a missing image could also trigger a 404. I was getting tons of 404s on a client's site, and the reason was a missing down arrow image in a menu.

    OP's idea isn't too different from what I've been working on in this thread: Use modsecurity / CSF to block all common cms logins? It seems to work so far.

    Richard
     
    OttoM likes this.
  5. OttoM

    OttoM Member

    Joined:
    Apr 4, 2018
    Messages:
    12
    Likes Received:
    3
    Trophy Points:
    3
    Location:
    UK
    cPanel Access Level:
    Root Administrator
    Hi Richard,

    The thread you posted was a very interesting read.
    Thanks so much, I will have another think and perhaps change my decision.

    thanks
    Otto
     
    GeekOnTheHill likes this.
  6. GeekOnTheHill

    GeekOnTheHill Member

    Joined:
    Feb 16, 2015
    Messages:
    23
    Likes Received:
    4
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Thank you, Otto.

    I'm currently working on another script to report other attacks (ssh, etc.). It works off csf's BLOCK_REPORT feature. It's working experimentally, but it's not ready to go live yet.

    Richard
     
  7. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    6,254
    Likes Received:
    479
    Trophy Points:
    233
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    You could also just lock down that page to a specific IP or set of IP addresses, that way you wouldn't need to worry about whether or not they do access the page.
     
  8. GeekOnTheHill

    GeekOnTheHill Member

    Joined:
    Feb 16, 2015
    Messages:
    23
    Likes Received:
    4
    Trophy Points:
    3
    cPanel Access Level:
    Root Administrator
    Okay, this is experimental and admittedly unpolished, but it does work:

    PHP:
    <?php
    date_default_timezone_set('Your/Region');
    unset($ip, $timeNow, $fresh, $currentDateTime);
    $ip = $_SERVER['REMOTE_ADDR'];
    //$ip = "127.0.0.2"; // for testing
    $timeNow = time();
    $fresh = time() - 900;                  // report a given IP at most once per 15 minutes
    $domain = "yourdomain.com";
    $currentDateTime = date("M d, Y h:i:s a");
    $comment = "Hit on CMS login honeypot"; // for AbuseIPDB Report and database entry
    $categories = "21";                     // for AbuseIPDB Report

    $con = mysqli_connect("localhost", "prefix_abuse-reporter", "{password}", "prefix_abuse-reports");
    if (!$con) {
        die('Could not connect: ' . mysqli_connect_error());
    }
    // escape the address before it is used in any query (the SELECT below included)
    $ip = mysqli_real_escape_string($con, $ip);
    $result = mysqli_query($con, "SELECT * FROM reports WHERE (ip4 LIKE '$ip' AND time >= '$fresh')");
    $row = $result ? mysqli_fetch_array($result) : null;
    $reportDate = $row ? $row['datetime'] : null;
    if (empty($reportDate)) {
        // sanitize
        $timeNow = mysqli_real_escape_string($con, $timeNow);
        $domain = mysqli_real_escape_string($con, $domain);
        $currentDateTime = mysqli_real_escape_string($con, $currentDateTime);
        $commentSql = mysqli_real_escape_string($con, $comment);
        // insert to db mysqli_select_db($con, "prefix_abuse-reports");
        $sql = "INSERT INTO reports (datetime, time, ip4, domain, comment)
          VALUES ('$currentDateTime','$timeNow','$ip','$domain','$commentSql')";
        if (!mysqli_query($con, $sql)) {
            echo("Error description: " . mysqli_error($con));
        }
        $data = array(
            "ip" => $ip,
            "categories" => $categories,
            "comment" => $comment
        );
        $headers = array('Key: {Your AbuseIPDB API key goes here, without the brackets}', 'Accept: application/json');
        $ch = curl_init("https://api.abuseipdb.com/api/v2/report");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // Set to 0 for testing to display response from AbuseIPDB
        curl_setopt($ch, CURLOPT_POST, 1);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        $output = curl_exec($ch);
        curl_close($ch);
    }
    include("401.php");
    die;
    ?>
    There's a bit more information about it here.

    This script violates the RFCs because it lands the miscreant on a 401 page without an explicit authentication failure. I doubt the bots will notice; and if it's properly returning status 401, you can configure CSF to block the IP after x-number of hits, if you like.

    My annoyance with hits on CMS login pages evolved from simply wanting to block them, to using the pages as honeypots -- and then blocking them.

    The other thing I suppose would work (and which would also violate the rules) would be simply to redirect all hits on wp-admin etc. to a proper 401 page in .htaccess, again letting CSF block them after a requisite number of hits.

    My feeling is that I owe no courtesy to malicious actors, be they humans or robots. The chances of someone accidentally hitting a non-existent CMS login page on a site they don't own are about the same as my chances of being in the Yankees' starting lineup this year (don't hold your breath); so as far as I'm concerned, anyone hitting those pages has malicious intent.

    Some may feel differently, in which case they should use a 403 rather than a 401.

    Richard
     
    #8 GeekOnTheHill, Mar 13, 2019
    Last edited: Mar 13, 2019
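Added example (not code from the thread, CSF or cPanel) tying together two points made above: a log-based detector that counts only hits on bait CMS login paths per source IP, so the missing-image 404s from post 4 never trip it, and that lists an IP again only after the 900-second cool-down the honeypot script uses. It assumes Apache's combined log format, a bait-path list for CMSes not installed on the host, and a constructed sample log.

```python
"""Added example (not code from the thread, CSF or cPanel): count only hits on bait CMS
login paths per IP, so a missing image's 404s never count; 900 s cool-down as in the script."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache "combined" format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
HONEYPOT_PATHS = ("/wp-admin", "/wp-login.php", "/administrator", "/xmlrpc.php")  # assumed absent
# Constructed sample: one scanner, one browser repeatedly fetching a missing menu image.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Mar/2019:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 210 "-" "bot"
203.0.113.5 - - [13/Mar/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 404 210 "-" "bot"
198.51.100.7 - - [13/Mar/2019:10:00:05 +0000] "GET /img/down-arrow.png HTTP/1.1" 404 180 "-" "Mozilla"
198.51.100.7 - - [13/Mar/2019:10:00:06 +0000] "GET /img/down-arrow.png HTTP/1.1" 404 180 "-" "Mozilla"
198.51.100.7 - - [13/Mar/2019:10:00:07 +0000] "GET /img/down-arrow.png HTTP/1.1" 404 180 "-" "Mozilla"
203.0.113.5 - - [13/Mar/2019:10:00:09 +0000] "GET /wp-admin/ HTTP/1.1" 404 210 "-" "bot"
203.0.113.5 - - [13/Mar/2019:10:00:12 +0000] "GET /administrator/index.php HTTP/1.1" 404 210 "-" "bot"
"""

def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts, m.group(3), int(m.group(4))

def is_honeypot_hit(path):
    p = path.split("?", 1)[0].lower()   # ignore query strings and case
    return any(p == h or p.startswith(h + "/") for h in HONEYPOT_PATHS)

def find_block_candidates(lines, threshold=3, window=timedelta(minutes=15),
                          cooldown=timedelta(seconds=900)):
    """[(ip, time)] for IPs reaching `threshold` bait hits inside `window`, once per `cooldown`."""
    hits = defaultdict(list)   # ip -> bait-hit timestamps still inside the window
    last_listed = {}           # ip -> when it was last listed (the script's "fresh" check)
    out = []
    for line in lines:         # lines are assumed to be in chronological order
        rec = parse_line(line)
        if rec is None or not is_honeypot_hit(rec[2]):
            continue           # ordinary 404s such as the missing image never count
        ip, ts = rec[0], rec[1]
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]
        if len(hits[ip]) >= threshold:
            prev = last_listed.get(ip)
            if prev is None or ts - prev >= cooldown:
                last_listed[ip] = ts
                out.append((ip, ts))
    return out
```

On the sample log only the scanner is listed, once, at its third bait hit; the browser's three image 404s are ignored, which is the distinction CSF's LF_APACHE_404 counter cannot make on its own.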