Severe attack case via POST /admin/ HTTP/1.1

[user4629]

Hello,

we have a rather difficult case of attacks to our VPS server

(CLOUDLINUX 7.9 kvm [web] v98.0.9)
Server Version: Apache/2.4.51 (cPanel) OpenSSL/1.1.1l Apache mod_bwlimited/1.4

mainly in the form:

    http/1.1    example-domain.com:443    POST /admin/ HTTP/1.1

that target the admin section of opencart installations in the server (~40 accounts).

Example:

Srv

PID

Acc

M

CPU

SS

Req

Dur

Conn

Child

Slot

Client

Protocol

VHost

Request

0-5

26445​

0/113/817

_

356.93​

5​

309​

651215​

0​

2.79​

16.72​

xx.xx.xx.xx

http/1.1

domain.com:443

POST /admin/ HTTP/1.1

we have csf v14.11, mod security with GotRoot rules, but attacks cannot be stopped.

we are also trying to block the attacks as per account editing the admin script to give

HTTP/1.0 403 Forbidden

for these attacks.

Any ideas or pointers?

 

[cPanelAnthony]

Hello! Have you already reached out to your web hosting provider or systems administrator? There wouldn't be any functionality within cPanel to stop these types of attacks. However, the following article might help.

How To Survive a DDoS Attack | cPanel Blog

Learn how to survive a DDoS attack against your sites and servers. We examine what DDoS attacks are and what you can do to mitigate their impact.

blog.cpanel.com

Perhaps some other users here will have some suggestions as well.

 

[user4629]

Yes I already have.

The final question is:

How can we block every IP that use

POST /admin/ HTTP/1.1 as request

and Protocol = http/1.1

any experts?

 

[dalem]

use mod security

Warning use at your own risk this may block some legit users

#Block requests to  admin with no referring URL
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000131,chain,msg:'index.php/admin request blocked, no referer'"
SecRule &;HTTP_REFERER "@eq 0"

 

[user4629]

use mod security

Warning use at your own risk this may block some legit users

#Block requests to  admin with no referring URL
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000131,chain,msg:'index.php/admin request blocked, no referer'"
SecRule &;HTTP_REFERER "@eq 0"

Thank you very much for your answer,

Can you please explain the
id:5000131

how can this be targeted to all accounts for:

public_html/admin/

 

[dalem]

that's the ID of the rule you can use any number that's not in use

id:5000131

 

[cPanelAnthony]

Thanks for the suggestion @dalem !

 

[brandon7gr]

Just to add something here, since the above didn't worked for me.

I have managed to block a huge DDOS attack of POST requests, by adding the following rule in Modsecurity rule (For beginner users, that means that you have to go to Security Center->Modsecurity Tools->Rules List-> Add rule)

#Block any HTTP POST request that has no referring URL
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:88888,chain,msg:'POST is blocked' "
SecRule REQUEST_METHOD "POST"

(the id:88888 is a random number, you can write any number you want there)
(same applies for the variable msg, you can write whatever you want)