
Blocking httpd floods

Discussion in 'Security' started by verdon, Nov 13, 2017.

  1. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    862
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Hi,

    I'm having an issue where one site on the server is being constantly flooded with httpd requests from ranges of IPs. Typically there might be 40 or 50 concurrent requests from 15 or 20 consecutive IP addresses from some random European hosting company. I do use CSF but I can't use the CT_Limit section to help with this, because it's distributed. If I set the limit low enough to catch any individual IP, I'm bound to get false positives. It would be ideal if CSF was only looking at the first 3 octets... that would be close enough :)

    Any suggestions? It is just one site, and mostly all attacks from one region. I suppose I could try blocking a geo region in an htaccess file, so it's not affecting the entire server.
     
  2. Muhammed Fasal

    Muhammed Fasal Active Member

    Joined:
    Aug 9, 2017
    Messages:
    39
    Likes Received:
    3
    Trophy Points:
    8
    Location:
    India
    cPanel Access Level:
    Root Administrator
    You can block an IP range via your CSF firewall. If you need to whitelist or block a range of IP addresses using CSF, it can be done, but you need to use the CIDR format.

    For example, to block 192.168.0.0 to 192.168.0.255 you would add 192.168.0.0/24 to the blocked list.

    If you are unsure how to convert a range of IPs to CIDR, I find the following site helpful. You enter the starting IP and ending IP, and it will create the CIDR entries for you.

    ip2cidr.com
     
    #2 Muhammed Fasal, Nov 14, 2017
    Last edited by a moderator: Nov 14, 2017
  3. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    862
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Thanks Muhammed. I know (and do) that... it's identifying the ranges programmatically that would be nice. Monitoring logs and then manually blocking them is like playing 'whack a mole'.
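One way to do the "identify the ranges programmatically" part, as an added example that is not from this thread, from CSF or from cPanel: a Python script that groups Apache access-log hits by /24 inside a sliding time window and reports ranges where many distinct hosts together exceed a request threshold. The combined log format, the thresholds, and the 198.51.100.0/24 / 203.0.113.5 sample addresses are assumptions; the flagged CIDRs are candidates to review (e.g. with a WHOIS lookup) before they go into csf.deny, not automatic blocks.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Apache combined log format; only client IP and timestamp are needed here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def cidr24(ip):
    """Collapse an IPv4 address to its /24 (the 'first 3 octets' idea)."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def flooding_ranges(lines, window=timedelta(seconds=60), threshold=200, min_hosts=5):
    """Return {cidr: (requests, distinct_ips)} for every /24 that sends at
    least `threshold` requests from at least `min_hosts` different addresses
    within any `window`-long slice of the log; the peak slice is reported."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("ip").count(".") != 3:
            continue  # skip unparsable and IPv6 lines
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        events.append((ts, cidr24(m.group("ip")), m.group("ip")))
    by_range = defaultdict(list)
    for ts, rng, ip in sorted(events):  # sort so the sliding window is valid
        by_range[rng].append((ts, ip))
    flagged = {}
    for rng, hits in by_range.items():
        start, best = 0, (0, 0)
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            span = hits[start:end + 1]
            hosts = len({ip for _, ip in span})
            if len(span) >= threshold and hosts >= min_hosts and len(span) > best[0]:
                best = (len(span), hosts)
        if best[0]:
            flagged[rng] = best
    return flagged

def _sample_log():
    """Constructed sample: 20 hosts in 198.51.100.0/24 make 3 requests each in
    one minute (a distributed crawl), plus one ordinary visitor elsewhere."""
    ts = "13/Nov/2017:10:00:{:02d} -0500"
    flood = [f'198.51.100.{10 + i % 20} - - [{ts.format(i)}] "GET /events?m={i} HTTP/1.1" 200 5123 "-" "Mozilla/5.0"'
             for i in range(60)]
    normal = [f'203.0.113.5 - - [{ts.format(i * 10)}] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'
              for i in range(5)]
    return flood + normal

SAMPLE_LOG = _sample_log()
```

With `threshold=50, min_hosts=10` the sample flags only 198.51.100.0/24 (60 requests from 20 hosts); the single visitor's range is never reported because it fails the distinct-host check.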
     
  4. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,168
    Likes Received:
    370
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    You should use this. It will help.
     
  5. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    862
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    I guess what I'm concerned about, is that I currently have it set to 300, which is the recommended value. These floods are being distributed across ranges of IP addresses. I would have to set the value to somewhere in the neighbourhood of 40 or 50 to catch any of the individual addresses, which I'm sure would lead to all sorts of false positives with IMAP/FTP and likely even HTTP connections. Am I understanding this wrong?
     
  6. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Joined:
    May 20, 2003
    Messages:
    16,168
    Likes Received:
    370
    Trophy Points:
    583
    Location:
    Pennsylvania
    cPanel Access Level:
    Root Administrator
    I use the default settings as well. I also use very low numbers for Login Failure Blocking and Alerts options.

    X failed logins, and you're kicked to the curb.

    Searching my inbox for: blocked distributed attack
     

  7. quizknows

    quizknows Well-Known Member

    Joined:
    Oct 20, 2009
    Messages:
    1,010
    Likes Received:
    87
    Trophy Points:
    78
    cPanel Access Level:
    DataCenter Provider
    Have you considered using ModSecurity's connections engine? You can limit simultaneous read/write connection states per IP.

    Reference Manual · SpiderLabs/ModSecurity Wiki · GitHub

    In short, turn on the connections engine in WHM modsecurity settings, and in your modsec2.user.conf file add the settings such as:

    SecConnReadStateLimit 20 "!@ipMatch 127.0.0.1"
    SecConnWriteStateLimit 20 "!@ipMatch 127.0.0.1"

    This would limit individual IPs, other than localhost, to 20 Apache connections in the read state or write state per IP address. It may not help with extremely distributed stuff, but it's a good place to start. I have not tested it, but you may get away with trying to put those in a userdata / custom vhost config for the domain itself as opposed to modsec2.user.conf, so that tighter limits can be set affecting only one domain. I'm not sure that's supported, but I don't see why it wouldn't be. Regardless, I've seen a lot of people use these settings server-wide with some success. YMMV.
     
  8. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    862
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    Ya. That's great for that. In my case, it's not distributed dictionary attacks... it's just bots endlessly crawling through events calendars and file download areas, ignoring robots.txt files, not even identifying themselves as bots.... just flooding with http requests, that look legit other than the pattern and the volume. I'll have a closer look at that area of CSF config though. It's been a while since I really read it through line-by-line. Thanks :)
     
  9. verdon

    verdon Well-Known Member

    Joined:
    Nov 1, 2003
    Messages:
    862
    Likes Received:
    3
    Trophy Points:
    168
    Location:
    Northern Ontario, Canada
    cPanel Access Level:
    Root Administrator
    I wasn't aware of that. Thanks for the pointer!
     