The Community Forums

Safe to block POST request with no referers?

Discussion in 'Security' started by MediaServe, Mar 16, 2013.

  1. MediaServe

    MediaServe Well-Known Member
    PartnerNOC

    With a LOT of clients using WordPress, we're getting hammered with brute force login activity that generates additional server load. Joomla use causes some as well, but not quite as bad (for now).

    I was looking into using snort to combat this, but on CloudLinux 5 there are so many dependencies on libraries I can't get installed to get the latest snort source compiled. I think even if I did, I might have to do manual work to each wordpress site to get snort tracking the activity anyway. I'd rather have a global solution.

    I've noticed that all the brute force traffic seems to have no referer. I can't think of a case where a legit POST request would have no referer. I've written a script that runs every minute via cron and checks all users' apache logs that have been modified in the last minute, and blackholes any IP that is POSTing, isn't local, and has no referer. (I could use mod_security for this, but this lets me blackhole the IP entirely from any access to the server.)

    My concern is whether a legit POST with no referer is common. The RFC suggests it might be okay in some cases. The section covering POST requests has a final sentence that says "See section 15.1.3 for security considerations", which contains:

    In addition to blackholing immediately when finding a POST with no referer, I'm also checking for POST frequency to URIs with wp-login.php, wp-admin, /administrator/index.php, etc. when there is a referer, and blocking on heavy activity (with a threshold set high enough to hopefully not block legitimate traffic). I suppose if POST requests with no referer are common enough, I could stop the immediate block and instead perhaps include a heavier weight to those requests when deciding to block on frequency.

    At any rate, I thought I'd pose this question and see what other folks think about the legitimacy of POST requests with no referer. Thanks in advance for any feedback you can provide!
     
    #1 MediaServe, Mar 16, 2013
    Last edited: Mar 16, 2013
  2. MediaServe

    MediaServe Well-Known Member
    PartnerNOC

    Well, it didn't take too long to answer my own question after putting the system in place. FrontPage (unfortunately we still support it) POSTs with no referer when publishing via the extensions, and we had an instance of a customer's external script that POSTed data to his website get blocked. I had to tweak the code and use a weighted threshold where a POST with no referer gets an extra point (if no author.exe present to avoid problems with FrontPage) rather than simply blocking immediately.
     