verdon (Well-Known Member, joined Nov 1, 2003, Northern Ontario, Canada; cPanel Access Level: Root Administrator)
Hi,

I'm having an issue where one site on the server is being constantly flooded with httpd requests from ranges of IPs. Typically there might be 40 or 50 concurrent requests from 15 or 20 consecutive IP addresses from some random European hosting company. I do use CSF but I can't use the CT_Limit section to help with this, because it's distributed. If I set the limit low enough to catch any individual IP, I'm bound to get false positives. It would be ideal if CSF was only looking at the first 3 octets... that would be close enough :)

Any suggestions? It is just one site, and mostly all attacks from one region. I suppose I could try blocking a geo region in an htaccess file, so it's not affecting the entire server.

Muhammed Fasal (Well-Known Member, joined Aug 9, 2017, India; cPanel Access Level: Root Administrator)
You can block an IP range via your CSF firewall. If you need to whitelist or block a range of IP addresses using CSF, it can be done, but you need to use the CIDR format.

For example, to block 192.168.0.0 to 192.168.0.255 you would add 192.168.0.0/24 to the blocked list.

If you are unsure how to convert a range of IPs to CIDR, I find the following site helpful. You enter the starting IP and ending IP, and it will create the CIDR entries for you.

ip2cidr.com
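Putting the two ideas above together (verdon's wish to judge floods by the first three octets rather than per IP, and the CIDR entries CSF expects in its deny list), here is an added example script; it is not CSF's, ModSecurity's or the poster's own code. It assumes the client IP is the first field of each Apache access-log line (common/combined format), that output lines are appended to csf.deny by hand, and it uses constructed sample log lines from documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Common/combined log format: the client address is the first field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "')

def client_ip(line):
    """Return the client IP of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group(1))
    except ValueError:
        return None

def hits_per_block(lines, prefixlen=24):
    """Count IPv4 requests per /prefixlen network rather than per host."""
    counts = Counter()
    for line in lines:
        ip = client_ip(line)
        if ip is not None and ip.version == 4:
            counts[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)] += 1
    return counts

def csf_deny_entries(lines, threshold, prefixlen=24, allow=()):
    """csf.deny lines for every block at/above threshold, skipping blocks inside 'allow' (IPv4 CIDRs)."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allow]
    return [f"{net} # {n} requests from this block"
            for net, n in sorted(hits_per_block(lines, prefixlen).items())
            if n >= threshold and not any(net.subnet_of(a) for a in allowed)]

def range_to_cidr(first, last):
    """Inclusive IP range -> CIDR blocks CSF accepts (the conversion ip2cidr.com performs)."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]

LOG_FMT = ('{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] '
           '"GET /events/calendar?month={s} HTTP/1.1" 200 5123 "-" "Mozilla/5.0"')

def constructed_sample():
    """Constructed log: 45 hits over 15 consecutive hosts in 192.0.2.0/24 (3 each), plus strays."""
    lines = [LOG_FMT.format(ip=f"192.0.2.{10 + i % 15}", s=i % 60) for i in range(45)]
    lines += [LOG_FMT.format(ip="198.51.100.7", s=1), LOG_FMT.format(ip="203.0.113.9", s=2), "not a log line"]
    return lines

if __name__ == "__main__":
    sample = constructed_sample()
    print("busiest single IP:", max(hits_per_block(sample, 32).values()))  # 3: a per-IP limit never fires
    for entry in csf_deny_entries(sample, threshold=40):
        print(entry)  # 192.0.2.0/24 # 45 requests from this block
```

Run it over a real log with `hits_per_block(open(path))`, and pass your own networks in `allow` so a busy but legitimate block is never written to csf.deny.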

verdon
You should use this. It will help.
I guess what I'm concerned about, is that I currently have it set to 300, which is the recommended value. These floods are being distributed across ranges of IP addresses. I would have to set the value to somewhere in the neighbourhood of 40 or 50 to catch any of the individual addresses, which I'm sure would lead to all sorts of false positives with IMAP/FTP and likely even HTTP connections. Am I understanding this wrong?

quizknows (Well-Known Member, joined Oct 20, 2009; cPanel Access Level: DataCenter Provider)
Have you considered using ModSecurity's connections engine? You can limit simultaneous read/write connection states per IP.

Reference Manual · SpiderLabs/ModSecurity Wiki · GitHub

In short, turn on the connections engine in WHM modsecurity settings, and in your modsec2.user.conf file add the settings such as:

SecConnReadStateLimit 20 "!@ipMatch 127.0.0.1"
SecConnWriteStateLimit 20 "!@ipMatch 127.0.0.1"

This would limit individual IPs, other than localhost, to 20 apache connections in the read state or write state per IP address. It may not help with extremely distributed stuff but it's a good place to start. I have not tested it but you may get away trying to put those in a userdata / custom vhost config for the domain itself as opposed to modsec2.user.conf, so that tighter limits can be set affecting only one domain. I'm not sure that's supported but I don't see why it wouldn't be. Regardless I've seen a lot of people use these settings server-wide with some success. YMMV.

verdon
Ya. That's great for that. In my case, it's not distributed dictionary attacks... it's just bots endlessly crawling through events calendars and file download areas, ignoring robots.txt files, not even identifying themselves as bots.... just flooding with http requests, that look legit other than the pattern and the volume. I'll have a closer look at that area of CSF config though. It's been a while since I really read it through line-by-line. Thanks :)