Blocking an IP by accessed url

[Mister9]

So I'm receiving emails of hack attempts by trying to upload malicious files to a bunch of domains on my server. I usually manually enter the IP into CSF and block it but I was wondering if there is a way to automatically block an IP address if the hacker trying to access a specific url.

Example: example.com/wp-content/plugins/dzs-videogallery/upload.php

So I would like to set.. If user tries to access /wp-content/plugins/dzs-videogallery/upload.php
automatically block this IP.

Is this possible?

 

[Tearabite]

There may be other ways, but you can do this with the combination of ModSecurity and CSF.
You would have to make a custom ModSecurity rule to block that specific URL, then set CSF to block the IP after 1 ModSecurity hit.
We have dozens of custom rules that do exactly that.

 

[cPanelMichael]

Hello,

The previous post offers a useful solution. Let us know if you have additional questions.

Thank you.

 

[Mister9]

There may be other ways, but you can do this with the combination of ModSecurity and CSF.
You would have to make a custom ModSecurity rule to block that specific URL, then set CSF to block the IP after 1 ModSecurity hit.
We have dozens of custom rules that do exactly that.

Thank you for this info Tearabite.
This solution is what I suspected but I wasn't sure that ModSecurity can communicate to CSF.
Do you know where I find more information on how this needs to be set up/programmed?

 

[Mister9]

Also slightly off topic, I was wondering why someone would use CSF to block the IP instead of blocking the IP in ModSecurity.
Is this a performance preference?

 

[cPanelMichael]

Hello,

There's a recent thread linked below you may find helpful:

SOLVED - Block abusive requests to website?

Thanks!

 

[Mister9]

Thank you Michael!
That post has been very helpful.

 

[fuzzylogic]

I have received similar emails about uploads to /wp-content/plugins/dzs-videogallery/upload.php being quarantined.
In the subject line of the emails is cxs Scan on...
In the body of the email is Quarantined : Yes [/home/fort_denison/cxscgi...
and
NOTE: This alert may be a ModSecurity false-positive... (as the Web upload script does not exist)

OK. So this email is generated by Configserver Exploit Scanner when it's modsecurity rule (it only has one rule) is enabled. The rule ID is 1010101.
This rule sends the temp file name of the upload to the csx script so that the upload can be scrutinised.
For you to receive this email means that rule 1010101 triggered and that the request was blocked with "Access denied with code 403" being written to the apache error_log. See this post
You can search for hits with the rule ID or hits from the IP in question using WHM » Security Center » ModSecurity™ Tools

To get CSF permanent blocking of repeat offenders you just have to configure CFS to do that. See this post

That said, the pattern of requests I saw in this vulnerability scan would not have been blocked this way because they were all from different IP addresses

 

[Tearabite]

Also slightly off topic, I was wondering why someone would use CSF to block the IP instead of blocking the IP in ModSecurity.
Is this a performance preference?

ModSecurity cannot/does not block IPs - at least not easily and not fully. ModSecurity blocks HTTP page requests only. So even though you could (manually) create a rule that IP XYZ cannot access a page, that IP could still access FTP, email, etc. Whereas CSF can block the IP from the entire server/all services.
Because CSF seamlessly blocks IP’s of repeat Mod_Security hits via a simple configuration setting, it’s a great way to deal with the OP’s request.

 

[jeffschips]

I have the exact same need. Could someone pipe in and supply an example of the mod_sec rule which ONLY activates the block after X attempts on a specific URL.

I have csf operating but can't find the section that deals with blocking based on a mod_sec rule. I see LF_MODSEC =X but that deals with login failures, I'm simply looking for a specific URL, not login.

 

[fuzzylogic]

@jeffschips
Mod-security is an efficient HTTP request parser.
It is designed to run in the Apache process of a single request, block or allow the request, then log what happened then exit as the process ends.

Configserver LFD is an efficient log file parser.
It is designed to search for and count patterns in log files, then respond by sending the IP address of a pattern match to CSF which manages adding IP entries to iptables.
LFD (login failure daemon) while its original purpose was to find login failure patterns in log files it is just as good finding other patterns in log files.

You seem to misunderstand the LF_MODSEC settings.
Its comment says this...
[*]Enable failure detection of repeated Apache mod_security rule triggers

To get a permanent block in CSF the CSF settings should be...
MODSEC_LOG = /usr/local/apache/logs/error_log
LF_INTERVAL = 86400 ( No. of seconds over which to count. Default is 3600)
LF_MODSEC = 5 (Count of string "Modsecurity: Access denied" per ip for block action)
LF_MODSEC_PERM = 1 (0 = No blocking, 1 = Block Permanently, x = Block for x seconds except 1 or 0)

With these settings LFD searches /usr/local/apache/logs/error_log for log lines with the fragment "ModSecurity: Access denied". If 5 istances are found within the LF_INTERVAL for the same IP then that IP is sent to CSF to be added to the iptables firewall.

A modsecurity rule to make this work for a specific URL is as follows...

# Deny requests to this url
SecRule REQUEST_FILENAME "@contains my-funky-url" \
    "msg:'Deny this funky URL',\
    id:19000002,\
    phase:1,\
    t:none,\
    log,\
    auditlog,\
    deny,\
    status:403"

Or more compact...

SecRule REQUEST_FILENAME "@contains my-funky-url" "msg:'Deny this funky URL',id:19000002,phase:1,t:none,log,auditlog,deny,status:403"

 

[jeffschips]

@fuzzylogic that is the best explanation I've ever read. Thank you! Works perfectly!

 

[leonep]

Hi , this is useful but it ban after trigger LF_MODSEC const . LF_MODSEC affect all modsec rules i don't want set it to 1.
In my personal case i am fighting against "pistacchietto" and it use always different IPs
any ideas? thanks guys

more info about this Pistacchietto