The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

How to ban by domain name

Discussion in 'Security' started by panit, Aug 15, 2013.

  1. panit

    panit Member

    Joined:
    Aug 14, 2013
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    The site of one of my hosting members is getting bombarded by a particular domain name. A typical access log entry is
    The log shows about 60,000 - 80,000 hits per day so I would really like to stop that. I've tried adding deny from .server.domain.net and deny from .domain.net to the .htaccess file but it didn't make any difference, perhaps because the domain name does not resolve. I tried looking up its IP's and blocking those but I must not have gotten them all since it didn't make any difference. I tried adding some code on the site that checks the user agent and remote address entries in $_SERVER but if didn't catch any. Is there any way to stop this domain name from accessing the server?
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,694
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    Hello :)

    I recommend installing a third-party firewall such as CSF:

    ConfigServer Security & Firewall

    While you will not be able to block a hostname directly, it's a better method of blocking specific IP addresses compared to using a .htaccess file.

    Thank you.
     
  3. panit

    panit Member

    Joined:
    Aug 14, 2013
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    Thanks for the suggestion. CSF is already installed.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,694
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
    I recommend blocking the IP addresses directly through CSF.

    Thank you.
     
  5. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
    Hello,

    Yes, Check the access logs and block the IP if you found many hits from single IP OR any IP range. Also I will suggest you try (D)DoS Deflate on your server (D)DoS Deflate - deflate.medialayer.com
     
  6. panit

    panit Member

    Joined:
    Aug 14, 2013
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Reseller Owner
    Thanks for the suggestions. Unfortunately, I can't find its IP, or at least all of them. My host applied a mod security change and I blocked more IP's I ran across so the accesses are down to around 25,000/day. Still not good but much better than what it was.
     
  7. quietFinn

    quietFinn Well-Known Member

    Joined:
    Feb 4, 2006
    Messages:
    998
    Likes Received:
    10
    Trophy Points:
    18
    Location:
    Finland
    cPanel Access Level:
    Root Administrator

    Seems that HostnameLookups directive is On in Apache config.
    That is not recommended.
    Log Files - Apache HTTP Server

    In this case it's a very bad idea, because obviously those IP addresses where the connections are coming from (reverse)resolve to the hostname server.domain.net , but server.domain.net does not resolve to any IP address(es).

    You must ask your hosting provider to turn HostnameLookups Off, so that you can see the IP addresses instead of the hostname.
     
  8. harmeet

    harmeet Member

    Joined:
    Apr 18, 2013
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hi,

    You can use netstat and iptraf utility to check how many in coming connections are being made to the server, If any IP looks suspicious you can block it !

    Thanks !
     
Loading...

Share This Page