Spam IPs vs Legit Ones /Atomic Linux vs. CSF

medfordite

Member
Dec 13, 2011
cPanel Access Level
Root Administrator
Here is my situation -
Long story short, hackers got into several Joomla based sites on my server and installed some scripts which are now being called by what I presume to be infected computers as part of a zombie botnet. I have had two abuse reports sent and have been working hard on removing the issues.

I have installed CSF, which I have a love/hate relationship with. In the past, it has locked me out for no reason at all (or so I have figured), but right now it is being a good friend and has been dropping well over 500 IPs that I have put in there, as they are part of what I believe to be a botnet.

Where I am running into issues is: I am monitoring one account (my personal site, which was Joomla), recording each and every IP that is attempting to access the now-removed file (the site is now a blank one-page HTML), then pasting them into the CSF block. That has slowed down traffic to my site quite nicely and I am sure will be beneficial. BUT... I know that some of these IPs are legit users who are probably infected and don't even know it. I don't want to risk blocking these people, as some might be my customers' clients.

What I want to know is: if you have used Atomic Linux to secure your server, does it allow you to block continual failed accesses (404s)? This is the only way I know to trap these people. Or is there another way to do this? I am using the Latest Visitors plugin for cPanel to get the IP info to block with.

Infopro

Well-Known Member
May 20, 2003
Pennsylvania
cPanel Access Level
Root Administrator
My apologies for any misunderstandings. You have CSF installed; knowing what it does is important. From the CSF change log some time ago:

Added new options LF_APACHE_404 and LF_APACHE_404_PERM. This option
will keep track of the number of "File does not exist" errors in
HTACCESS_LOG. If the number of hits is more than LF_APACHE_404 in
LF_INTERVAL seconds then the IP address will be blocked. See csf.conf
for more information
The best place to start is with the docs:
http://www.configserver.com/free/csf/readme.txt

Starting somewhere is good, of course. These forums are not the mod_security or CSF, or even Linux administration, support forums though.

So, although there is nothing at all wrong with your question:
What I want to know is if you have used Atomic Linux to secure your server, does it allow you to block continual failed accesses (404s)?
Reading up on how your security works is your best bet. Far better than asking someone to explain it to you. The CSF config page is commented throughout for better understanding of each setting. The problem is there are many settings, so, getting familiar with them all is, IMHO, a good tip. I'm not trying to be dismissive here at all, sorry.
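To make the change-log entry quoted above concrete, here is an added example (not code from this thread, from CSF, or from ConfigServer) that models what LF_APACHE_404 / LF_INTERVAL do: it reads Apache "File does not exist" error-log lines, keeps a sliding LF_INTERVAL-second window of hits per client IP, and reports any IP whose hits in one window exceed the LF_APACHE_404 threshold. It also addresses the first post's worry about blocking legitimate visitors in two ways that go slightly beyond the change-log text: an allow set (the role csf.allow plays for a known customer address) and an optional filter so that only hits to the removed backdoor path are counted, rather than every harmless 404 such as a missing favicon. The log excerpt, the IP addresses, the file path and the thresholds are all constructed for the example; the log format follows the Apache 2.2 error_log layout, which is the file HTACCESS_LOG is normally pointed at.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical path of the script the attackers dropped and the admin later removed.
REMOVED_SCRIPT = "/home/joomla/public_html/images/stories/cmd.php"

# Constructed Apache 2.2-style error_log excerpt (not real traffic), in time order
# as a real log would be. 203.0.113.10 and 203.0.113.77 hammer the removed script,
# 198.51.100.7 only misses favicon.ico, 192.0.2.5 hits the script but slowly.
SAMPLE_LOG = """\
[Tue Dec 13 10:00:00 2011] [error] [client 192.0.2.5] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:00:01 2011] [error] [client 203.0.113.10] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:00:02 2011] [error] [client 203.0.113.10] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:00:02 2011] [error] [client 203.0.113.77] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:00:03 2011] [error] [client 203.0.113.10] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:00:03 2011] [error] [client 203.0.113.77] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:00:04 2011] [error] [client 203.0.113.10] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:00:04 2011] [error] [client 203.0.113.77] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:00:05 2011] [error] [client 203.0.113.10] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:00:05 2011] [error] [client 203.0.113.77] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:00:06 2011] [error] [client 203.0.113.10] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:00:07 2011] [error] [client 203.0.113.10] client denied by server configuration: /home/joomla/public_html/administrator/
[Tue Dec 13 10:00:09 2011] [error] [client 203.0.113.77] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:00:30 2011] [error] [client 198.51.100.7] File does not exist: /home/joomla/public_html/favicon.ico
[Tue Dec 13 10:00:31 2011] [error] [client 198.51.100.7] File does not exist: /home/joomla/public_html/favicon.ico
[Tue Dec 13 10:00:32 2011] [error] [client 198.51.100.7] File does not exist: /home/joomla/public_html/favicon.ico
[Tue Dec 13 10:00:33 2011] [error] [client 198.51.100.7] File does not exist: /home/joomla/public_html/favicon.ico
[Tue Dec 13 10:00:34 2011] [error] [client 198.51.100.7] File does not exist: /home/joomla/public_html/favicon.ico
[Tue Dec 13 10:05:00 2011] [error] [client 192.0.2.5] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:10:00 2011] [error] [client 192.0.2.5] File does not exist: /home/joomla/public_html/images/stories/cmd.php
[Tue Dec 13 10:15:00 2011] [error] [client 192.0.2.5] File does not exist: /home/joomla/public_html/images/stories/cmd.php
"""

# Only "File does not exist" lines count; other [error] lines are skipped.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"File does not exist: (?P<path>\S+)"
)


def parse_line(line):
    """Return (timestamp, ip, path) for a 'File does not exist' line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("ip"), m.group("path")


def find_offenders(lines, lf_apache_404, lf_interval, allow=frozenset(), target_paths=None):
    """Sliding-window 404 counter modelled on LF_APACHE_404 / LF_INTERVAL.

    Returns {ip: peak_hits} for every IP whose counted hits inside any
    lf_interval-second window exceed lf_apache_404. IPs in `allow` are never
    reported (the job csf.allow does for a known customer address). If
    `target_paths` is given, only hits to those paths are counted, so a
    visitor missing favicon.ico is not treated like a bot probing a backdoor.
    """
    windows = defaultdict(deque)  # ip -> timestamps inside the current window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, path = parsed
        if ip in allow or (target_paths is not None and path not in target_paths):
            continue
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > lf_interval:  # drop hits older than the window
            q.popleft()
        if len(q) > lf_apache_404:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def deny_commands(offenders, lf_interval):
    """Render CSF CLI deny commands (csf -d IP comment) for the admin to review, not run blindly."""
    return [f'csf -d {ip} "{hits} 404s within {lf_interval}s"'
            for ip, hits in sorted(offenders.items())]


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines(), lf_apache_404=3, lf_interval=300,
                          allow={"203.0.113.77"}, target_paths={REMOVED_SCRIPT})
    for cmd in deny_commands(hits, 300):
        print(cmd)
```

Running it with the allow set and path filter reports only 203.0.113.10: the customer address is exempt, the favicon visitor never touched the removed script, and the slow visitor never exceeds three hits in any five-minute window. Without the filter, 198.51.100.7 would be listed too, which is exactly the false-positive case the first post worries about; that is the argument for keeping LF_APACHE_404 conservative and for putting known client addresses in csf.allow before enabling it.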