The Community Forums


mod_sec rules to drop this...

Discussion in 'cPanel Developers' started by chae, Nov 12, 2006.

  1. chae

    Hi Yah,

    Apache continually dying and error logs show this over & over again...

    [error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
    [Sun Nov 12 17:24:16 2006] [error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
    [Sun Nov 12 17:24:16 2006] [error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
    [Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
    [Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
    [Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|

    All from different IPs, etc. Had a search through Google for this and found only one other post, and nothing was resolved for them. Has anyone got a mod_sec rule that would drop this?
    Have already increased MaxClients & dropped the Timeout in httpd.conf to relieve the server a bit.

    Thanks in advance

    Chae
     
  2. chae

    As a follow-up to typing this, the tech support from the datacentre where the servers are housed have basically said that they can't do anything on their side to help...

    "Unfortunately most networks don't implement solutions like TopLayer to prevent these kinds of outbound attacks..." Then they basically tell me that I can add the IPs into our firewall, which of course doesn't help as they're (hundreds upon hundreds) spoofed (sigh).

    So now we've got a crippled server because of these requests
     
  3. ramprage

    Could you not add something like this with mod_security?

    SecFilter "\$MyNick"
     
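An added example, not from the thread and not cPanel's or mod_security's code. The text in these log lines is the greeting a Direct Connect (DC++) client sends when it opens a connection to what it believes is a hub: `$MyNick <nick>|$Lock <lock> Pk=<client version>|`. Apache reads it as an HTTP request line, finds more than the three whitespace-separated tokens it expects (method, URI, protocol), logs exactly the "erroneous characters after protocol string" message seen above and answers 400 Bad Request inside its own request-line parser. That happens before any module hook runs, so a `SecFilter` rule never gets a chance to match and cannot shed this load. The peers did complete a TCP handshake and deliver data, so the logged addresses are real clients that can be blocked at the packet filter. The script below parses error_log lines of this shape, counts DC greetings per client IP, and emits iptables commands: one `-m string` rule that drops any packet carrying `$MyNick` on the web port before Apache spends a worker on it, plus per-IP drops for repeat offenders. The log format, the threshold of two hits, and the rule wording are assumptions; the sample log is the six lines quoted in the thread plus one constructed unrelated line.

```python
"""Triage Direct Connect (NMDC) hub greetings that Apache logs as
"request failed: erroneous characters after protocol string".

Added example for the thread above; not cPanel's or mod_security's code.
"""
import re
from collections import Counter

# Apache error_log line: "[timestamp] [error] [client IP] message".
# The timestamp is optional because the first line quoted in the thread lost it.
LOG_RE = re.compile(
    r'^(?:\[(?P<ts>[^\]]*)\] )?\[error\] \[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] '
    r'request failed: erroneous characters after protocol string: (?P<msg>.*)$'
)

# NMDC commands start with '$' and end with '|'. A client connecting to a hub
# opens with "$MyNick <nick>|$Lock <lock> Pk=<client version>|".
DC_RE = re.compile(
    r'^\$MyNick (?P<nick>[^|]+)\|\$Lock (?P<lock>[^ |]+) Pk=(?P<pk>[^|]*)\|'
)

# Constructed sample: the six lines quoted in the thread plus one unrelated
# error line (192.0.2.10 is a documentation address) that must not be counted.
SAMPLE_LOG = """\
[error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:16 2006] [error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:16 2006] [error] [client 84.137.32.94] request failed: erroneous characters after protocol string: $MyNick galaxy1205|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.674ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
[Sun Nov 12 17:24:18 2006] [error] [client 83.27.85.210] request failed: erroneous characters after protocol string: $MyNick BOSS|$Lock EXTENDEDPROTOCOLABCABCABCABCABCABC Pk=DCPLUSPLUS0.698ABCABC|
[Sun Nov 12 17:24:20 2006] [error] [client 192.0.2.10] File does not exist: /home/example/public_html/favicon.ico
"""


def parse_dc_hits(lines):
    """Return one (ip, nick, client_version) tuple per DC greeting found."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # not a request-line parse failure
        dc = DC_RE.match(m.group('msg'))
        if not dc:
            continue                      # some other malformed request line
        hits.append((m.group('ip'), dc.group('nick'), dc.group('pk')))
    return hits


def offenders(lines, threshold=2):
    """Count greetings per client IP; return [(ip, count), ...] at or above
    threshold, busiest first, then by address so the order is stable."""
    counts = Counter(ip for ip, _, _ in parse_dc_hits(lines))
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))


def iptables_rules(ips, port=80):
    """Build iptables commands: a payload match for the DC greeting, then
    per-IP drops. Returned as strings; nothing is executed here."""
    rules = [
        # xt_string inspects a single packet, which is fine here: the greeting
        # is the first and only payload in the client's opening packet. Note
        # that a legitimate HTTP request body containing "$MyNick" would be
        # dropped too; that is the price of matching on payload text.
        f"iptables -I INPUT -p tcp --dport {port} "
        f"-m string --string '$MyNick' --algo bm -j DROP",
    ]
    for ip in ips:
        rules.append(f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP")
    return rules


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    print(f"{len(parse_dc_hits(lines))} DC greetings in {len(lines)} log lines")
    top = offenders(lines)
    for ip, n in top:
        print(f"{ip:16} {n} hits")
    print("\n".join(iptables_rules([ip for ip, _ in top])))
```

On a live server the loop would read `/usr/local/apache/logs/error_log` (the cPanel path of that era) instead of `SAMPLE_LOG`, and the per-IP lines map directly onto `apf -d <ip>` on a box that manages iptables through APF. The `-m string` rule is the one that actually relieves Apache, because it discards the connection's first data packet in the kernel; the per-IP rules only matter for clients that keep reconnecting.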
  4. IPSecureNetwork

    Buddy, you are under attack from botnets; that's why Apache marks nicks like IRC, because those things are botnets hosted on one IRC server to attack.

    I recommend something like mod_security, mod_choke and mod_dosevasive.

    I recommend an IDC with a firewall, like ipsecurenetwork.com or something like that, to prevent DDoS attacks.
     
  5. AndyReed

    If your server is under a good DDoS attack, none of these would stop it, including APF, BFD, mod_security and mod_evasive, or any other software-based firewall. You have to have a hardware-based firewall such as Cisco Guard.
     
