
How to defend against GET and POST attacks?

Discussion in 'Security' started by rousseau, Nov 13, 2014.

  1. rousseau
    Hello,

    I am seeing this in the logs of my server, running WHM 11.46.0 (build 14) on CentOS 6.6, Apache+MySQL (5.5.40) (without ModSecurity right now). I have CSF enabled.

    Enabled modules:
    bwlimited + bw_+ cloudflare_+ ruid2_ + php5 + reqtimeout_ + pagespeed with usual requirements for WordPress.

    Code:
    120.174.97.2 - - [14/Nov/2014:02:22:48 +0100] "GET /?0Nge=XVlqFWYs2vciua HTTP/1.1" 200 14097 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_1_1) Gecko/20051207 Firefox/11.0"
    120.174.97.3 - - [14/Nov/2014:02:22:48 +0100] "GET /?KP7Ue=00Oi202DUtt324&2g8=siID&ekrAyQuHHp=51IaLuKdvTkKVE HTTP/1.1" 200 14152 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_3_2) Gecko/20091405 Firefox/20.0"
    120.174.97.4 - - [14/Nov/2014:02:22:48 +0100] "GET /?FH5VROBx=wCPRiMOw7FliIpv&8mo8o=mhfx231Y8Re HTTP/1.1" 200 14130 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20011708 Firefox/13.0"
    120.174.97.5 - - [14/Nov/2014:02:22:48 +0100] "GET /?lk5k=vyB3vc0gcCnXnY&7pxqt0Mn=Oi7PBoT&j37W=cqKYEsoskSffwQ5&j6i8E=MjmYe HTTP/1.1" 200 14177 "http://www.yandex.com/2jvFA7mlMl?4nD=mUwl1&8AC=Fny2ol4bsQ&4sJPcw=bHdSQIMBwF8" "Mozilla/5.0 (Linux x86_64; X11) Gecko/20032806 Firefox/21.0"
    120.174.97.6 - - [14/Nov/2014:02:22:48 +0100] "GET /?4nBbx=A3wo6QHgDhkxGHoCP&F661Cjrdq=5Gc5c4bAtOa2eHG8BYME HTTP/1.1" 200 14145 "http://www.bing.com/lDM2x7" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_7_4) Gecko/20063109 Firefox/17.0"
    120.174.97.7 - - [14/Nov/2014:02:22:48 +0100] "GET /?jeluv=ikqsqFiE8UU8Wun1&b1eoi=PQXLo1RnjnHU2&xljC=VmnnL3gJTiwRW0q2FCAs&wWR8xOp=pTw&oIel=tutSwEfcN0G77 HTTP/1.1" 200 11499 "-" "Mozilla/5.0 (compatible; MSIE 6.1; Linux i386; Trident/4.0; X11)"
    120.174.97.8 - - [14/Nov/2014:02:22:48 +0100] "GET /?PWA=sDsWlD66oTp888&bXaWu6XPM=mxeGP7FPUbKwqQ8&pk05aq=KBG2GaLpsJq5KeS8x HTTP/1.1" 200 11469 "http://www.bing.com/HXWt0Rw?3s7L6h=l0h8oOoxlHGf2y2i&RWl=fqmGoRjqejj&HV4Rgtupj=IiALPfNUueGhFFFElv&SSb=WBrqb2kkyuYIuuTlQ8&x23fK0O=VbaR&EtiQRLkcT=rrocq0436jBvWdI34K3&5wMF=pRe2DIQyIYdMKc2JY7W&Ij2vn=gtPHEn&3Uf=2FxeqL&Aa4j=RqGIaypXbbp" "Mozilla/5.0 (compatible; MSIE 6.1; Linux i386; .NET CLR 1.3.22475; X11)"
    120.174.97.9 - - [14/Nov/2014:02:22:48 +0100] "GET /?NExOFIqNAG=CdRHqqccwLPj&LN1Qct=fc80yxrQ&1f333UOK7b=2FyHDBtRX&kPURRV0=7XPjXFOacKRohyWV1 HTTP/1.1" 200 14201 "-" "Mozilla/5.0 (Linux i386; X11) AppleWebKit/536.19 (KHTML, like Gecko) Version/5.1.0 Safari/536.29"
    
    How do you block this attack? Though the above logs show GET requests only, I've also seen POST requests in the logs. All from different IP addresses. CSF is not picking up the attack due to the large number of different IPs and the slow attack rate, but it is exhausting my server's resources quickly.

    Any idea how this can be achieved? Any help/suggestions are appreciated.

    Regards,
     
  2. qwerty
    Enable ModSec and get the Atomic (paid) rules installed. Also enable ipset and all the CSF blocklists, as they block tens of thousands of known attackers (with ipset enabled in CSF it's not a problem blocking tens or hundreds of thousands of IPs).
     
  3. rousseau
    Thanks for your response, qwerty. Yes, of course you can get the paid Atomic rules or the free Comodo WAF to defend against these types of attacks. Unfortunately, these IPs were not in a known blacklist/bogon list, so conventional blocklists were quite useless.

    My dirty fix seems to work better and without the overhead of massive ModSec rules.

    Code:
    77.19.65.35 - - [05/Dec/2014:12:25:51 +1100] "GET /?gynqBT=UM7QkyDVXHsEc2ceS&Jwod1oCrH=qQlnGT1wp&L1r8a0=tqOa5W5qoYVGQhdh&ajGU4oU=06NeOO6b2H2FSbyrXnJT HTTP/1.1" 301 195 "-" "Mozilla/5.0 (Windows; U; MSIE 6.1; Windows NT 6.3; .NET CLR 2.3.17605; WOW64)"
    77.19.65.36 - - [05/Dec/2014:12:25:51 +1100] "GET /?pArXJOGnYs=ttdbDRRTkGH&Uxjy=d0XIBQujmPjJ8up HTTP/1.1" 301 195 "http://www.yandex.com/tyM6d?M7KAn8tL=ck24XlpA8XQt&K270qe=yfuX2YtYu3sdToJd7nd" "Mozilla/5.0 (Windows; U; MSIE 9.0; Linux i386; .NET CLR 2.0.5113; X11)"
    77.19.65.37 - - [05/Dec/2014:12:25:51 +1100] "GET /?cFP7lHLxC=8UPl4yyUVJCPsxlYi&xvs2YQ4kPu=vJOsra&y6k2MujvNy=SA8eVdFgB5mBngW&FRpm=AtOAsn5C HTTP/1.1" 301 195 "http://www.google.com/DnylnB" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_0_2) AppleWebKit/537.20 (KHTML, like Gecko) Chrome/10.0.1522.27 Safari/535.1"
    77.19.65.38 - - [05/Dec/2014:12:25:51 +1100] "GET /?C2c3Clssjj=gUep0J4W7jleFlxjpf&Y4Vn=vjedaA2PrH5fhUIM2dVy HTTP/1.1" 301 195 "http://www.baidu.com/Nkpl3?OkCa1J=2iuth&exnhyYEb5=5nPCKK7U4s1IcBXOFm&SM8myEnmq=k7APeETd5oBeUSLUJ&SwYDmD33=MliFgJk1Nxr3d4KKmQ&17bSdB=NdDBFNb8lrdt" "Mozilla/5.0 (Windows; U; MSIE 10.0; Windows NT 6.3; .NET CLR 3.5.24615; Win64; x64)"
    77.19.65.39 - - [05/Dec/2014:12:25:51 +1100] "GET /?arxbROdDhH=FAbe3VlWhqcUnVIC&Xbi7G=txKEd3L3rRuw6LuO80T&T2oymH0=ovt HTTP/1.1" 301 195 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Linux i386; .NET CLR 1.4.24122; X11)"
    77.19.65.40 - - [05/Dec/2014:12:25:51 +1100] "GET /?44C=pa0U0ISSO4h0fciOyBN&DlRcJI6I=2U1O7DWgof&dcv=83PxLbKH&RbA=6goFw6JWBuH2VMfr&AbgL=5u4jsp70 HTTP/1.1" 301 195 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_8_0) Gecko/20021008 Firefox/11.0"
    77.19.65.41 - - [05/Dec/2014:12:25:51 +1100] "GET /?K6HfewjI=KFwfklm8ORE&OGaCQXWmh=mK0by5Ei1g&D2KjAA=MeDst77J&YEBfaBR=BrYRUAq341b HTTP/1.1" 301 195 "http://www.google.com/JPjcN?807=XehfHOAmoSy&FxABniE6qn=Jsl4VhKsHDeYI" "Mozilla/5.0 (Windows; U; MSIE 10.0; Windows NT 6.3; .NET CLR 3.5.24615; Win64; x64)"
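
A detection pass over log lines in the format quoted in this thread, added here as an example; it is not rousseau's "dirty fix", which the post does not show. It parses Apache combined-log lines, flags requests to `/` whose query string consists only of random-looking tokens, and buckets those hits by /24 prefix and log second, so a burst from adjacent addresses stands out even when each single IP stays below CSF's per-IP rate limits. The token heuristic and the threshold of four hosts per second are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Apache "combined" log line, the format of the excerpts quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
# Heuristic (assumption): flood keys/values are bare mixed-case alphanumerics of 3+ chars,
# whereas real WordPress parameters (s, p, page_id, ...) are short or contain '_'.
RANDOM_TOKEN = re.compile(r'^[A-Za-z0-9]{3,24}$')

def looks_like_junk_query(path):
    """True for '/?k=v&k=v...' where every key and value is a random-looking token."""
    if '?' not in path:
        return False
    base, query = path.split('?', 1)
    if base != '/' or not query:
        return False
    pairs = [p.split('=', 1) for p in query.split('&')]
    return all(len(kv) == 2 and RANDOM_TOKEN.match(kv[0]) and RANDOM_TOKEN.match(kv[1])
               for kv in pairs)

def find_flood_sources(lines, threshold=4):
    """Bucket junk-query hits by (/24 prefix, log second); a bucket holding `threshold`
    or more distinct IPs marks the prefix as a flood source. Returns {prefix: [ips]}."""
    buckets = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not looks_like_junk_query(m['path']):
            continue  # unparsable line or ordinary traffic
        prefix = str(ip_network(f"{m['ip']}/24", strict=False))
        buckets[(prefix, m['ts'])].add(m['ip'])
    suspects = defaultdict(set)
    for (prefix, _second), ips in buckets.items():
        if len(ips) >= threshold:
            suspects[prefix].update(ips)
    return {p: sorted(ips, key=ip_address) for p, ips in suspects.items()}

# Constructed sample: four flood lines modelled on the thread's excerpt, plus one
# ordinary WordPress search from a TEST-NET address that must not be flagged.
SAMPLE_LOG = """\
120.174.97.2 - - [14/Nov/2014:02:22:48 +0100] "GET /?0Nge=XVlqFWYs2vciua HTTP/1.1" 200 14097 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_1_1) Gecko/20051207 Firefox/11.0"
120.174.97.3 - - [14/Nov/2014:02:22:48 +0100] "GET /?KP7Ue=00Oi202DUtt324&2g8=siID HTTP/1.1" 200 14152 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_3_2) Gecko/20091405 Firefox/20.0"
120.174.97.4 - - [14/Nov/2014:02:22:48 +0100] "GET /?FH5VROBx=wCPRiMOw7FliIpv&8mo8o=mhfx231Y8Re HTTP/1.1" 200 14130 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Gecko/20011708 Firefox/13.0"
120.174.97.5 - - [14/Nov/2014:02:22:48 +0100] "GET /?lk5k=vyB3vc0gcCnXnY&7pxqt0Mn=Oi7PBoT HTTP/1.1" 200 14177 "http://www.yandex.com/2jvFA7mlMl" "Mozilla/5.0 (Linux x86_64; X11) Gecko/20032806 Firefox/21.0"
203.0.113.7 - - [14/Nov/2014:02:22:48 +0100] "GET /?s=wordpress HTTP/1.1" 200 9000 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0"
"""
if __name__ == "__main__":
    for prefix, ips in find_flood_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{prefix}: {len(ips)} hosts hit / in one second -> candidate for a CSF deny entry")
```

Run it against a tail of the real access_log instead of SAMPLE_LOG to get the prefixes worth adding to CSF's deny list by hand.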
    