Here is my situation -
Long story short, hackers got into several Joomla based sites on my server and installed some scripts which are now being called by what I presume to be infected computers as part of a zombie botnet. I have had two abuse reports sent and have been working hard on removing the issues.
I have installed CSF which I have a love/hate relationship with. In the past, it has locked me out for no reason at all (or so I have figured), but right now, it is being a good friend and has been dropping well over 500 IPs that I have put in there, as they are part of what I believe to be a botnet.
Where I am running into issues is - I am monitoring one account (my personal site, which was Joomla), and recording each and every IP that is attempting to access the now removed file (the site is now a blank one-page HTML), then pasting them into the CSF block. That has slowed down traffic to my site quite nicely and I am sure will be beneficial. BUT... I know that some of these IPs are legit users and are probably infected and don't even know it. I don't want to risk blocking these people, as some might be my customers' clients.
What I want to know is, if you have used Atomic Linux to secure your server, does it allow you to block continual failed accesses (404s)? This is the only way I know to trap these people. Or is there another way to do this? I am using the Latest Visitors plugin for cPanel to get my IP info to block with.
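One way to do what the post describes (block only the addresses that keep hammering the removed script, not a visitor who gets a single 404) is to count 404s per source IP inside a sliding time window over the Apache access log, and only hand the repeat offenders to CSF. The script below is an added example, not the poster's code and not part of CSF, Atomic or cPanel. It assumes the log is in Apache "combined" format (what cPanel writes under /usr/local/apache/domlogs), that the removed script lived under /images/stories/ (a hypothetical path), and that CSF's temporary-deny syntax is `csf -td <ip> <ttl> [comment]`; check `csf -h` on your own install before running the emitted commands. The log lines are constructed for the example.

```python
"""Find IPs that repeatedly hit a removed script (404) and emit CSF temp-deny commands.

Added example; assumes Apache combined log format and the `csf -td` syntax.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one bot hammering the removed script, one normal visitor
# with a single favicon 404, and one slow probe spread over hours.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "POST /images/stories/x.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "POST /images/stories/x.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:55:44 +0000] "POST /images/stories/x.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:56:01 +0000] "POST /images/stories/x.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2023:13:56:30 +0000] "POST /images/stories/x.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:57:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:57:03 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [10/Oct/2023:09:00:00 +0000] "POST /images/stories/x.php HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.5 - - [10/Oct/2023:12:00:00 +0000] "POST /images/stories/x.php HTTP/1.1" 404 196 "-" "-"',
    '192.0.2.5 - - [10/Oct/2023:15:00:00 +0000] "POST /images/stories/x.php HTTP/1.1" 404 196 "-" "-"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"),
            "status": int(m.group("status"))}


def repeat_404_offenders(lines, threshold=5, window_minutes=10, path_prefix=None):
    """Return {ip: total_404s} for IPs with >= threshold 404s inside any window.

    path_prefix restricts counting to requests under that path (e.g. the removed
    script's directory) so unrelated 404s such as a missing favicon are ignored.
    """
    window = timedelta(minutes=window_minutes)
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        if path_prefix and not rec["path"].startswith(path_prefix):
            continue
        hits[rec["ip"]].append(rec["ts"])

    offenders = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = 0
        # Sliding window: advance `start` until stamps[start..end] fits in `window`.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(stamps)
                break
    return offenders


def csf_commands(offenders, ttl_seconds=3600):
    """Build `csf -td` temporary-deny commands (assumed syntax; verify with `csf -h`)."""
    return [f"csf -td {ip} {ttl_seconds} 'repeated 404s ({n}) on removed script'"
            for ip, n in sorted(offenders.items())]


if __name__ == "__main__":
    found = repeat_404_offenders(SAMPLE_LOG, threshold=5, window_minutes=10,
                                 path_prefix="/images/stories/")
    for cmd in csf_commands(found):
        print(cmd)
```

Run against a real log with something like `repeat_404_offenders(open("/usr/local/apache/domlogs/example.com").read().splitlines(), ...)`. A temporary deny with a TTL rather than a permanent `csf -d` entry is the safer default for the case the post worries about: an infected customer's machine that stops hitting the script once it is cleaned will drop off the deny list on its own, and a visitor who only ever got one 404 never reaches the threshold at all.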