some form of scanning going on

keat63

I've returned to the office this morning to find a number of entries that I'm concerned with.

CSF is blocking based on 60 x 404 hits, this I'm fine with.

However, I have entries for a number of IPs (probably proxies), where they've been scouring /usr/local/apache/htdocs.

They are obviously looking for something, but what?
And is there anything I can do to block them earlier in their scanning process, i.e. if they even attempt to look inside /usr?

Code:
[Sat Oct 22 05:01:58 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:01:59 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:02:00 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:02:01 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin
[Sat Oct 22 05:02:01 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyadmin
[Sat Oct 22 05:02:02 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
[Sat Oct 22 05:02:03 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyAdmin
[Sat Oct 22 05:02:04 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin2
[Sat Oct 22 05:02:05 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin3
[Sat Oct 22 05:02:05 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin4
[Sat Oct 22 05:02:06 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/2phpmyadmin
[Sat Oct 22 05:02:07 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmy
[Sat Oct 22 05:02:08 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phppma
[Sat Oct 22 05:02:08 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/myadmin
[Sat Oct 22 05:02:09 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/shopdb
[Sat Oct 22 05:02:10 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/MyAdmin
[Sat Oct 22 05:02:10 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:02:10 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/program
[Sat Oct 22 05:02:11 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:02:11 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/PMA
[Sat Oct 22 05:02:11 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:02:12 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/dbadmin
[Sat Oct 22 05:02:12 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin
[Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/pma
[Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyadmin
[Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
[Sat Oct 22 05:02:13 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpMyAdmin
[Sat Oct 22 05:02:14 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:14 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyAdmin
[Sat Oct 22 05:02:15 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
[Sat Oct 22 05:02:15 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin2
[Sat Oct 22 05:02:15 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/database
[Sat Oct 22 05:02:16 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin3
[Sat Oct 22 05:02:16 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
[Sat Oct 22 05:02:16 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmyadmin4
[Sat Oct 22 05:02:17 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
[Sat Oct 22 05:02:17 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/2phpmyadmin
[Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/sqlmanager
[Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmy
[Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysqlmanager
[Sat Oct 22 05:02:18 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phppma
[Sat Oct 22 05:02:19 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/php-myadmin
[Sat Oct 22 05:02:19 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/myadmin
[Sat Oct 22 05:02:20 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/phpmy-admin
[Sat Oct 22 05:02:20 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/shopdb
[Sat Oct 22 05:02:20 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysqladmin
[Sat Oct 22 05:02:21 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/MyAdmin
[Sat Oct 22 05:02:21 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql-admin
[Sat Oct 22 05:02:21 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/program
[Sat Oct 22 05:02:22 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:22 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/PMA
[Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/dbadmin
[Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:23 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/pma
[Sat Oct 22 05:02:24 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:24 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/db
[Sat Oct 22 05:02:25 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:25 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:25 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/admin
[Sat Oct 22 05:02:26 2016] [error] [client xxx.xx.36.154] File does not exist: /usr/local/apache/htdocs/mysql
 

cPanelMichael

Hello,

I'm referring to your own custom ruleset, or a vendor such as OWASP or Comodo. If OWASP rules don't block this by default, then the best course of action here is to lower the threshold configured with CSF if you'd like to see the IP address blocked sooner in the process. I'll leave this thread open for others to add their feedback or advice.

Thank you.
 

danielpmc

Hello keat63,

These settings will auto block IPs according to the settings you enter. I use this and it works really well against repeat attacks from an IP. You can check your CSF Firewall Deny IPs each day to see if and what IPs have been blocked after setting these.

whm/plugins/configserver security and firewall/firewall configuration/Login Failure Blocking and Alerts/LF_APACHE_404

whm/plugins/configserver security and firewall/firewall configuration/Login Failure Blocking and Alerts/LF_APACHE_403

Personally I set these at:

Alerts/LF_APACHE_404 at 3
LF_APACHE_404_PERM at 86,400 (24 hours)

LF_APACHE_403 at 5
LF_APACHE_403_PERM at 84,600 (24 hours)
 
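To see what lowering the 404 threshold buys against a scan like the one in the first post, here is an added example (not posted by anyone in this thread, and not CSF's own code): a simplified per-IP counter that replays error-log lines in that format and reports when a threshold of 60 versus 3 would first be reached. The one-hour counting window, the function names and the sample log are assumptions; the sample is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache 2.2-style error log entry, same shape as the excerpt in the first post.
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
                     r"File does not exist: (?P<path>\S+)")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
DOCROOT = "/usr/local/apache/htdocs/"


def parse(lines):
    """Yield (timestamp, client) for every 'File does not exist' entry."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], TS_FORMAT), m["client"]


def simulate(lines, threshold, window_seconds=3600):
    """Per client: when `threshold` misses inside the window is first reached,
    and how many later misses a block at that moment would have prevented."""
    window = timedelta(seconds=window_seconds)  # assumed counting window
    recent, result = defaultdict(deque), {}
    for ts, client in parse(lines):
        if client in result:
            result[client]["prevented"] += 1
            continue
        hits = recent[client]
        hits.append(ts)
        while ts - hits[0] > window:  # forget misses older than the window
            hits.popleft()
        if len(hits) >= threshold:
            result[client] = {"tripped_at": ts, "prevented": 0}
    return result


def constructed_sample():
    """Constructed log: one scanner (61 misses, 1 per second), one ordinary visitor."""
    base = datetime(2016, 10, 22, 5, 1, 58)
    names = ["mysql", "phpmyadmin", "pma", "db", "admin"]
    fmt = "[{}] [error] [client {}] File does not exist: " + DOCROOT + "{}"
    lines = [fmt.format((base + timedelta(seconds=i)).strftime(TS_FORMAT),
                        "203.0.113.7", names[i % len(names)]) for i in range(61)]
    lines.append(fmt.format("Sat Oct 22 05:00:00 2016", "198.51.100.20", "favicon.ico"))
    lines.append(fmt.format("Sat Oct 22 07:30:00 2016", "198.51.100.20", "robots.txt"))
    return lines


if __name__ == "__main__":
    for n in (60, 3):
        print(n, simulate(constructed_sample(), n))
```

In this constructed run the scanner reaches a threshold of 3 two seconds in, while the visitor with two stray misses hours apart is never counted as tripping even a threshold of 2.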