Prevent or block specific files from uploading to server

[profilnet]

Hi,

is there any way to prevent or block specific files from being uploaded to the server ..i keep on deleting a file "bb.html" from all of my clients, which spams continuously. I have blocked more than 300+ IPs from the apache logs. So is there a way to block specific files?

 

[24x7server]

I will suggest you to block "bb.html" file in your ModSecurity rules on your server. You may try now with the following steps

add following line in /usr/local/apache/conf/modsec2.user.conf

SecRule REQUEST_URI "bb.html" "id:1234123459"

And restart the httpd service on your server so that when some one try to access "bb.html" file they will get 403 Forbidden page and you will get the following logs in your error logs file

[###########] [error] [client XXX.XXX.XXX.XXX] ModSecurity: Access denied with code 403 (phase 2). Pattern match "bb.html" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "31"] [id "1234123459"] [hostname "XX.XXX.XX.XXX"] [uri "/bb.html"] [unique_id "[email protected]"]

 

[profilnet]

Thanks a lot! I'll try it and ill inform you

 

[profilnet]

I will suggest you to block "bb.html" file in your ModSecurity rules on your server. You may try now with the following steps

add following line in /usr/local/apache/conf/modsec2.user.conf



And restart the httpd service on your server so that when some one try to access "bb.html" file they will get 403 Forbidden page and you will get the following logs in your error logs file

If i want additional files to be blocked i only change the ID number right?

 

[24x7server]

Yes, You are right,

You will have to change file name and ID number in /usr/local/apache/conf/modsec2.user.conf

SecRule REQUEST_URI "NEWFILENAME" "id:NEW-ID"

 

[profilnet]

I will suggest you to block "bb.html" file in your ModSecurity rules on your server. You may try now with the following steps

add following line in /usr/local/apache/conf/modsec2.user.conf



And restart the httpd service on your server so that when some one try to access "bb.html" file they will get 403 Forbidden page and you will get the following logs in your error logs file

unfortunately the file bb.html appeared again in public_html folder ..what should i do?

 

[24x7server]

With the above mod_sec rules no one can access " bb.html " file through your web server and you will have to remove "bb.html" files from your all account

 

[quizknows]

profilnet, you need to take the 'stat' of the file when it appears. note the change and modify times. Then check the FTP logs (/var/log/messages) and the domains RAW access log for that time. You should be able to find how it is being uploaded. As 24x7server said, even though it's there, with the modsec rule in place it can't be accessed via Apache.