Severe attack case via POST /admin/ HTTP/1.1

Operating System & Version
CLOUDLINUX 7.9 kvm [web] v98.0.9
cPanel & WHM Version
CLOUDLINUX 7.9 kvm [web] v98.0.9

user4629

Member
May 25, 2015
21
1
53
Thessaloniki
cPanel Access Level
Root Administrator
Hello,

We have a rather difficult case of attacks on our VPS server

(CLOUDLINUX 7.9 kvm [web] v98.0.9)
Server Version: Apache/2.4.51 (cPanel) OpenSSL/1.1.1l Apache mod_bwlimited/1.4

mainly in the form:

Code:
    http/1.1    example-domain.com:443    POST /admin/ HTTP/1.1
that target the admin section of OpenCart installations on the server (~40 accounts).

Example:

Srv  PID    Acc        M  CPU     SS  Req  Dur     Conn  Child  Slot   Client       Protocol  VHost           Request
0-5  26445  0/113/817  _  356.93  5   309  651215  0     2.79   16.72  xx.xx.xx.xx  http/1.1  domain.com:443  POST /admin/ HTTP/1.1


We have csf v14.11 and ModSecurity with GotRoot rules, but the attacks cannot be stopped.

We are also trying to block the attacks per account by editing the admin script to give

Code:
HTTP/1.0 403 Forbidden
for these attacks.

Any ideas or pointers?
 

cPanelAnthony

Administrator
Staff member
Oct 18, 2021
583
54
103
Houston, TX
cPanel Access Level
Root Administrator
Hello! Have you already reached out to your web hosting provider or systems administrator? There wouldn't be any functionality within cPanel to stop these types of attacks. However, the following article might help.


Perhaps some other users here will have some suggestions as well.
 

user4629

Yes, I already have.

The final question is:

How can we block every IP that uses

POST /admin/ HTTP/1.1 as request

and Protocol = http/1.1

Any experts?
 

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
2,983
157
368
SLC
cPanel Access Level
DataCenter Provider
Use mod security.

Warning: use at your own risk, this may block some legit users.

Code:
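# Block POST requests to /admin/ that carry no Referer header
# (chained rules: the deny action fires only when all three conditions match)
SecRule REQUEST_METHOD "POST" "deny,status:401,id:5000131,chain,msg:'index.php/admin request blocked, no referer'"
SecRule &HTTP_REFERER "@eq 0" "chain"
SecRule REQUEST_URI "@beginsWith /admin/"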
 
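Before enabling a no-referer rule like the one above, the access logs can show which clients it would deny. This is an added example, not code from the thread or from cPanel: it reads Apache combined-format log lines, counts POSTs to /admin/ per client with and without a Referer, and separates repeat referer-less posters from clients that look like real admin users. The log lines are constructed samples with documentation addresses; the function names and the threshold are assumptions.

```python
import re
from collections import Counter

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (documentation addresses, not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2021:10:00:01 +0200] "POST /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2021:10:00:02 +0200] "POST /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2021:10:00:03 +0200] "POST /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2021:10:00:04 +0200] "POST /admin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Nov/2021:10:01:00 +0200] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "https://shop.example/admin/" "Mozilla/5.0"
198.51.100.20 - - [10/Nov/2021:10:02:00 +0200] "POST /admin/index.php?route=catalog/product HTTP/1.1" 200 90 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Nov/2021:10:03:00 +0200] "POST /admin/ HTTP/1.1" 200 512 "-" "curl/7.79"
192.0.2.5 - - [10/Nov/2021:10:04:00 +0200] "GET /admin/ HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

def admin_posts(lines, prefix="/admin/"):
    """Count POSTs to the admin path per IP, split by Referer absent / present."""
    no_ref, with_ref = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].startswith(prefix):
            continue
        # Apache logs "-" when the request had no Referer header.
        bucket = no_ref if m["referer"] == "-" else with_ref
        bucket[m["ip"]] += 1
    return no_ref, with_ref

def block_candidates(lines, threshold=3):
    """IPs with >= threshold referer-less admin POSTs and none that carried a Referer."""
    no_ref, with_ref = admin_posts(lines)
    return sorted(ip for ip, n in no_ref.items() if n >= threshold and ip not in with_ref)

def rule_collateral(lines):
    """IPs posting to admin both with and without a Referer: likely real users the rule would hit."""
    no_ref, with_ref = admin_posts(lines)
    return sorted(set(no_ref) & set(with_ref))

if __name__ == "__main__":
    sample = SAMPLE_LOG.splitlines()
    print("block candidates:", block_candidates(sample))
    print("would also be denied:", rule_collateral(sample))
```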

user4629

Thank you very much for your answer,

Can you please explain the id:5000131?

How can this be targeted to all accounts for:

public_html/admin/