Severe attack case via POST /admin/ HTTP/1.1

Operating System & Version: CLOUDLINUX 7.9 kvm [web] v98.0.9
cPanel & WHM Version: CLOUDLINUX 7.9 kvm [web] v98.0.9

user4629 (Active Member, joined May 25, 2015, Thessaloniki; cPanel Access Level: Root Administrator)
Hello,

We have a rather difficult case of attacks on our VPS server

(CLOUDLINUX 7.9 kvm [web] v98.0.9)
Server Version: Apache/2.4.51 (cPanel) OpenSSL/1.1.1l Apache mod_bwlimited/1.4

mainly in the form:

Code:
    http/1.1    example-domain.com:443    POST /admin/ HTTP/1.1

that target the admin section of the OpenCart installations on the server (~40 accounts).

Example (one worker row from the Apache server-status page):

Code:
Srv       0-5
PID       26445
Acc       0/113/817
M         _
CPU       356.93
SS        5
Req       309
Dur       651215
Conn      0
Child     2.79
Slot      16.72
Client    xx.xx.xx.xx
Protocol  http/1.1
VHost     domain.com:443
Request   POST /admin/ HTTP/1.1


We have CSF v14.11 and ModSecurity with the GotRoot rules, but the attacks cannot be stopped.

We are also trying to block the attacks per account by editing the admin script to return

Code:
HTTP/1.0 403 Forbidden

for these attacks.

Any ideas or pointers?

cPanelAnthony (Administrator, Staff member, joined Oct 18, 2021, Houston, TX; cPanel Access Level: Root Administrator)
Hello! Have you already reached out to your web hosting provider or systems administrator? There wouldn't be any functionality within cPanel to stop these types of attacks. However, the following article might help.


Perhaps some other users here will have some suggestions as well.
 

user4629 (Active Member, joined May 25, 2015, Thessaloniki; cPanel Access Level: Root Administrator)
Yes, I already have.

The final question is:

How can we block every IP that uses

POST /admin/ HTTP/1.1 as the request

and Protocol = http/1.1?

Any experts?
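An added example, not code from the thread or from cPanel/csf: the match the question above asks for (an HTTP/1.1 POST to /admin/ that carries no Referer, the fingerprint of the OpenCart attack traffic) applied offline to Apache combined-format access log lines, counting hits per client address and printing the `csf -d` commands that would deny the repeat offenders. Because the match is on the request path, which is relative to each vhost's document root, one check covers public_html/admin/ in every account without listing domains. The log lines, addresses and threshold are constructed for the example.

```python
"""Scan Apache access logs for HTTP/1.1 POST requests to /admin/ that carry
no Referer, and turn repeat offenders into csf deny commands.

Added example for the thread above; the log lines, addresses and the
threshold are constructed, not taken from the original posts.
"""
import re
import sys
from collections import Counter

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one bot hammering /admin/ with no Referer (203.0.113.10),
# one single-shot probe (198.51.100.7), and a real administrator at 192.0.2.44
# whose login POST carries a Referer and whose GET must not match.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2022:10:00:01 +0200] "POST /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2022:10:00:02 +0200] "POST /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2022:10:00:03 +0200] "POST /admin/index.php?route=common/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2022:10:00:04 +0200] "POST /admin/ HTTP/1.1" 403 199 "-" "python-requests/2.26"
192.0.2.44 - - [10/Jan/2022:10:00:05 +0200] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "https://example-domain.com/admin/" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2022:10:00:06 +0200] "GET /admin/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def classify(line):
    """Parse one log line.

    Returns (client_ip, matched), where matched is True when the line is an
    HTTP/1.1 POST whose path starts with /admin/ and that carries no Referer,
    or None when the line is not in combined format.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    matched = (
        m["method"] == "POST"
        and m["proto"] == "HTTP/1.1"
        # The path is relative to each vhost's document root, so /admin/
        # covers public_html/admin/ in every account on the server.
        and m["path"].startswith("/admin/")
        and m["referer"] in ("", "-")  # Apache logs a missing Referer as "-"
    )
    return m["ip"], matched


def hits_per_ip(log_text):
    """Count matching requests per client address."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is not None and result[1]:
            counts[result[0]] += 1
    return counts


def csf_deny_commands(counts, threshold=2):
    """Build `csf -d <ip> <comment>` lines (csf's permanent deny) for every
    address with at least `threshold` hits, worst offender first."""
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        f'csf -d {ip} "HTTP/1.1 POST /admin/ without Referer ({n} hits)"'
        for ip, n in ranked
        if n >= threshold
    ]


if __name__ == "__main__":
    # usage: python3 admin_post_scan.py [/path/to/access_log]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for cmd in csf_deny_commands(hits_per_ip(text)):
        print(cmd)
```

Run it against the domlogs of the affected accounts and review the printed commands before executing them; the threshold exists because a single Referer-less POST can be a legitimate client with a privacy extension, while dozens in a few seconds from one address are not.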
 

dalem (Well-Known Member, PartnerNOC, joined Oct 24, 2003, SLC; cPanel Access Level: DataCenter Provider)
Use ModSecurity.

Warning: use at your own risk; this may block some legitimate users.

Code:
# Block POST requests that arrive with no referring URL.
# Note: as written this chain has no URI check, so it matches every POST on
# the server, not only the admin path named in the msg text.
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000131,chain,msg:'index.php/admin request blocked, no referer'"
# Chained second test: count of Referer headers is zero.
SecRule &HTTP_REFERER "@eq 0"
 

user4629 (Active Member, joined May 25, 2015, Thessaloniki; cPanel Access Level: Root Administrator)
Thank you very much for your answer.

Can you please explain the
id:5000131

How can this be targeted to all accounts for:

public_html/admin/

brandon7gr (Registered, joined Dec 16, 2014; cPanel Access Level: Root Administrator)
Just to add something here, since the above didn't work for me.

I have managed to block a huge DDoS attack of POST requests by adding the following rule in ModSecurity (for beginner users, that means that you have to go to Security Center -> ModSecurity Tools -> Rules List -> Add Rule):

Code:
# Block any HTTP POST request that has no referring URL.
# id must not collide with any other loaded rule; status:411 is the HTTP
# status sent back on a match.
SecRule &HTTP_REFERER "@eq 0" "deny,status:411,id:88888,chain,msg:'POST is blocked'"
# Chained second test: only fire for POST requests.
SecRule REQUEST_METHOD "POST"

(the id:88888 is a random number; you can write any number you want there)
(the same applies for the msg variable; you can write whatever you want)
 