
The Community Forums


Blocking an IP by accessed url

Discussion in 'Security' started by Mister9, Jan 23, 2018.

  1. Mister9

    Mister9 Member

    Joined:
    Apr 28, 2010
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    So I'm receiving emails about hack attempts trying to upload malicious files to a bunch of domains on my server. I usually manually enter the IP into CSF and block it, but I was wondering if there is a way to automatically block an IP address if the hacker tries to access a specific URL.

    Example: example.com/wp-content/plugins/dzs-videogallery/upload.php

    So I would like to set: if a user tries to access /wp-content/plugins/dzs-videogallery/upload.php,
    automatically block this IP.

    Is this possible?
     
    #1 Mister9, Jan 23, 2018
    Last edited by a moderator: Jan 24, 2018
  2. Tearabite

    Tearabite Well-Known Member

    Joined:
    Nov 28, 2010
    Messages:
    56
    Likes Received:
    9
    Trophy Points:
    58
    Location:
    Southern California
    cPanel Access Level:
    Root Administrator
    There may be other ways, but you can do this with the combination of ModSecurity and CSF.
    You would have to make a custom ModSecurity rule to block that specific URL, then set CSF to block the IP after 1 ModSecurity hit.
    We have dozens of custom rules that do exactly that.
     
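The rule-plus-CSF setup Tearabite describes, written out as an added example. This is not code from the thread, from cPanel or from ConfigServer: it is a small POSIX shell script that writes a ModSecurity rule denying the probed path and sets the two csf.conf keys lfd uses to turn ModSecurity denials into firewall blocks. The rule id 1000001, the helper names and the output paths are assumptions; on a real server the rule belongs in the custom rules file that WHM's ModSecurity Tools manages, and the CSF configuration is /etc/csf/csf.conf. The script deliberately takes file paths as arguments so it can be tried against copies first.

```shell
#!/bin/sh
# Added example (not from the forum thread, cPanel or ConfigServer): generate a
# ModSecurity rule that denies a probed path, and set the csf.conf keys that make
# lfd block the client IP after repeated ModSecurity denials.

# write_modsec_rule FILE RULE_ID PATH
# RULE_ID 1000001 (used below) is an assumption: pick an id that does not collide
# with the vendor rule sets installed on the server.
# REQUEST_FILENAME is the path without the query string, so "upload.php?x=1"
# still matches; REQUEST_URI would include the query string and miss it.
# phase:1 inspects the request line and headers, so the upload body is never read.
write_modsec_rule() {
    out="$1" id="$2" path="$3"
    cat > "$out" <<EOF
# Deny any request for $path on every vhost (added custom rule).
SecRule REQUEST_FILENAME "@endsWith $path" "id:$id,phase:1,deny,status:403,log,msg:'Probe for $path'"
EOF
}

# set_csf_key FILE KEY VALUE: rewrite KEY = "..." in a csf.conf-style file, or
# append it when the key is absent. Uses a temp copy instead of sed -i for portability.
set_csf_key() {
    file="$1" key="$2" value="$3"
    if grep -q "^$key = " "$file"; then
        sed "s|^$key = .*|$key = \"$value\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_csf_key FILE KEY: print the quoted value of KEY (empty if absent).
get_csf_key() {
    sed -n "s|^$2 = \"\(.*\)\"|\1|p" "$1"
}

# configure_csf FILE
# LF_MODSEC      = number of ModSecurity denials (within LF_INTERVAL) before lfd blocks the IP;
#                  "1" is the "block after one hit" setting from the post.
# LF_MODSEC_PERM = "1" makes that block permanent instead of a temporary one.
configure_csf() {
    set_csf_key "$1" LF_MODSEC 1
    set_csf_key "$1" LF_MODSEC_PERM 1
}

# Demo against scratch files (never against the live config in this script).
demo_dir=$(mktemp -d)
write_modsec_rule "$demo_dir/dzs-upload.conf" 1000001 /wp-content/plugins/dzs-videogallery/upload.php
printf 'LF_MODSEC = "5"\n' > "$demo_dir/csf.conf"   # constructed stand-in for /etc/csf/csf.conf
configure_csf "$demo_dir/csf.conf"
cat "$demo_dir/dzs-upload.conf" "$demo_dir/csf.conf"
rm -rf "$demo_dir"
```

After putting the rule in the custom rules file and editing the real csf.conf, restart Apache and run `csf -r` so lfd picks the new thresholds up. Two things to keep in mind: lfd counts "Access denied" lines in the log named by MODSEC_LOG, so a rule that only uses `log,pass` never reaches CSF, and LF_INTERVAL sets the window within which the LF_MODSEC hits must occur.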
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    41,516
    Likes Received:
    1,616
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    The previous post offers a useful solution. Let us know if you have additional questions.

    Thank you.
     
  4. Mister9

    Mister9 Member

    Joined:
    Apr 28, 2010
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Thank you for this info Tearabite.
    This solution is what I suspected but I wasn't sure that ModSecurity can communicate to CSF.
    Do you know where I find more information on how this needs to be set up/programmed?
     
  5. Mister9

    Mister9 Member

    Joined:
    Apr 28, 2010
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Also slightly off topic, I was wondering why someone would use CSF to block the IP instead of blocking the IP in ModSecurity.
    Is this a performance preference?
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    41,516
    Likes Received:
    1,616
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
  7. Mister9

    Mister9 Member

    Joined:
    Apr 28, 2010
    Messages:
    23
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Thank you Michael!
    That post has been very helpful.
     
  8. fuzzylogic

    fuzzylogic Well-Known Member

    Joined:
    Nov 8, 2014
    Messages:
    61
    Likes Received:
    26
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    I have received similar emails about uploads to /wp-content/plugins/dzs-videogallery/upload.php being quarantined.
    In the subject line of the emails is cxs Scan on...
    In the body of the email is Quarantined : Yes [/home/fort_denison/cxscgi...
    and
    NOTE: This alert may be a ModSecurity false-positive... (as the Web upload script does not exist)

    OK. So this email is generated by ConfigServer Exploit Scanner when its ModSecurity rule (it only has one rule) is enabled. The rule ID is 1010101.
    This rule sends the temp file name of the upload to the cxs script so that the upload can be scrutinised.
    For you to receive this email means that rule 1010101 triggered and that the request was blocked, with "Access denied with code 403" being written to the Apache error_log. See this post.
    You can search for hits with the rule ID or hits from the IP in question using WHM » Security Center » ModSecurity™ Tools.

    To get CSF to permanently block repeat offenders you just have to configure CSF to do that. See this post.

    That said, the pattern of requests I saw in this vulnerability scan would not have been blocked this way because they were all from different IP addresses.
     
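What lfd's LF_MODSEC counting does with the "Access denied with code 403" error_log lines fuzzylogic mentions, reproduced as an added example (not code from the thread or from ConfigServer) over constructed Apache 2.4 error_log lines: tally ModSecurity denials per client IP and list the IPs that reach a threshold. The addresses, pids, timestamps and log lines are made up, and only the per-IP counting is modelled (not lfd's real regex, time window or block logic), but it is enough to see why a scan spread across many IPs slips past a threshold of 5 (csf.conf ships with LF_MODSEC = "5") and is only caught with LF_MODSEC = "1".

```shell
#!/bin/sh
# Added example, not code from the thread or from ConfigServer: count ModSecurity
# denials per client IP the way lfd's LF_MODSEC check does, over constructed log lines.

# Constructed Apache 2.4 error_log excerpt (addresses, pids and times are made up).
# 203.0.113.10 hits the cxs rule three times; 198.51.100.20 and 198.51.100.21 once
# each, like the distributed scan described above. The first line is a warning,
# not a denial, and must not be counted.
SAMPLE_LOG=$(cat <<'EOF'
[Tue Jan 23 09:59:58.000001 2018] [:error] [pid 1200] [client 203.0.113.10] ModSecurity: Warning. Pattern match "wp-login" at REQUEST_URI. [id "900001"] [hostname "example.com"] [uri "/wp-login.php"]
[Tue Jan 23 10:00:01.000001 2018] [:error] [pid 1201] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [id "1010101"] [hostname "example.com"] [uri "/wp-content/plugins/dzs-videogallery/upload.php"]
[Tue Jan 23 10:00:02.000001 2018] [:error] [pid 1202] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [id "1010101"] [hostname "example.net"] [uri "/wp-content/plugins/dzs-videogallery/upload.php"]
[Tue Jan 23 10:00:03.000001 2018] [:error] [pid 1203] [client 198.51.100.20] ModSecurity: Access denied with code 403 (phase 2). [id "1010101"] [hostname "example.org"] [uri "/wp-content/plugins/dzs-videogallery/upload.php"]
[Tue Jan 23 10:00:04.000001 2018] [:error] [pid 1204] [client 203.0.113.10] ModSecurity: Access denied with code 403 (phase 2). [id "1010101"] [hostname "example.com"] [uri "/wp-content/plugins/dzs-videogallery/upload.php"]
[Tue Jan 23 10:00:05.000001 2018] [:error] [pid 1205] [client 198.51.100.21] ModSecurity: Access denied with code 403 (phase 2). [id "1010101"] [hostname "example.com"] [uri "/wp-content/plugins/dzs-videogallery/upload.php"]
EOF
)

# Read error_log lines on stdin; print "count ip" for every IP with at least one
# denial. Only lines carrying "ModSecurity: Access denied" count, which is why a
# rule that merely logs (no deny) never contributes to an lfd block.
modsec_denials_per_ip() {
    sed -n '/ModSecurity: Access denied/s/.*\[client \([0-9.][0-9.]*\).*/\1/p' \
        | sort | uniq -c | awk '{ print $1, $2 }'
}

# modsec_offenders THRESHOLD: IPs whose denial count reached THRESHOLD (the
# LF_MODSEC value), sorted and space separated, read from stdin.
modsec_offenders() {
    modsec_denials_per_ip | awk -v t="$1" '$1 >= t { print $2 }' \
        | sort | tr '\n' ' ' | sed 's/ $//'
}

# offenders_at THRESHOLD: run the check over the constructed sample.
offenders_at() {
    printf '%s\n' "$SAMPLE_LOG" | modsec_offenders "$1"
}

# block_commands THRESHOLD: the csf deny commands lfd would effectively issue
# (printed here, never executed).
block_commands() {
    for ip in $(offenders_at "$1"); do
        printf 'csf -d %s "ModSecurity denials reached LF_MODSEC=%s"\n' "$ip" "$1"
    done
}

echo "LF_MODSEC=5 blocks: $(offenders_at 5)"   # nothing: no single IP reached 5
echo "LF_MODSEC=3 blocks: $(offenders_at 3)"   # only the repeat offender
echo "LF_MODSEC=1 blocks: $(offenders_at 1)"   # every probing IP, including the one-shot ones
block_commands 1
```

Run it with `sh` on any box; pipe a real error_log into `modsec_offenders 5` to see which IPs lfd would have blocked at the default threshold. The one-hit setting Tearabite suggests is what makes a rule for a single URL effective against scanners that rotate source addresses, at the cost of blocking on the first false positive.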
  9. Tearabite

    Tearabite Well-Known Member

    Joined:
    Nov 28, 2010
    Messages:
    56
    Likes Received:
    9
    Trophy Points:
    58
    Location:
    Southern California
    cPanel Access Level:
    Root Administrator
    ModSecurity cannot/does not block IPs - at least not easily and not fully. ModSecurity blocks HTTP page requests only. So even though you could (manually) create a rule that IP XYZ cannot access a page, that IP could still access FTP, email, etc., whereas CSF can block the IP from the entire server/all services.
    Because CSF seamlessly blocks IPs of repeat ModSecurity hits via a simple configuration setting, it's a great way to deal with the OP's request.
     