Ban IP's that access too many 404 pages

[subtopic]

I am hosting sites with inmotionhosting, and have used up 2 hours of paid support, and they cannot configure CSF to ban IP's that request over 100 404 pages.

I am getting attacked daily from thousands of IP's requesting a file called chrqd.php, here is an example

1-0    -    0/0/1    .    0.04    679    0    0.0    0.00    0.00    94.23.196.106    http/1.1    vps.inmotionhosting.com:80    GET /xcns/chrqd.php?up=%C3%9A%C2%AF%C3%98%C2%B1%C3%99%CB%86%C3%

There are 10 other lines of IP's doing 679 requests to that file against my VPS and other domains I manage.

I can only think of using CSF to ban these IP's.

Is there a better solution?

This post was done on the CSF forum already located here. I just thought I would ask on here as well.

 

[Infopro]

I can only think of using CSF to ban these IP's.

Sure you can use CSF for this. Look for the section titled: LF_APACHE_404

 

[subtopic]

Sure you can use CSF for this. Look for the section titled: LF_APACHE_404

Yep, that is what IMH already did, they set that to 100, but as you can see above I am still getting over 600 * (at least) 8 other IP's requesting 404 files each minute it seems.

 

[Infopro]

Do you have mod security installed on this server?

This thread may be of some use to you:
LF_APACHE_404 Not Working - ConfigServer Community Forum

 

[subtopic]

I looked under

etc/modsecurity

And don't see that directory, so I take it I don't.

 

[Infopro]

Here is where you install it from:

WebHost Manager »Security Center »ModSecurity™ Vendors »Manage Vendors

 

[subtopic]

Looks like I have it in WHM. How do I configure the 404 banning in this?

/image.ibb.co/jfasL9/mod.png

Here is the vendors page

preview.ibb.co/gHhBDU/mod2.png

 

[Infopro]

You don’t but you should install it, mod security can help.

 

[subtopic]

Alright, I followed a guide and went into the EasyApache4 settings, and looked at the modules installed, and mod_security is installed it says. A little green box next to it says installed.

If you can tell me what I can do with mod_security to help with this issue, I can search into it.

I appreciate your help!

 

[Infopro]

In your screenshots posted above, you could see it stated Vendor not installed. Did you install it from there on that page? It's a few clicks.

Once mod security is installed properly, and you've configured it on the mod security settings page:
WebHost Manager »Security Center »ModSecurity™ Configuration »Configure Global Directives

You'll see a list of rule hits on this page as they get triggered by this sort of bad traffic:
WebHost Manager »Security Center »ModSecurity™ Tools »Hits List

You should also find the docs of some use for making your server more secure:
Recommended Security Settings - cPanel Knowledge Base - cPanel Documentation