Suspicious Apache Status requests

Discussion in 'Security' started by globcom, Oct 27, 2018.

  1. globcom

    globcom Well-Known Member

    Joined:
    May 24, 2008
    Messages:
    55
    Likes Received:
    3
    Trophy Points:
    58
    Hello,

    On a new server I see a lot of requests in "Server status" > "Apache status" with:

    GET /logos/NEW%20LOGOS/usa%20cmt%20hd.png HTTP/1.1

    on my.nameserver.com:80 (vhost)

    What is it? And how can I block these queries if they're illegitimate traffic?

    Thank you for your replies.
    Eric
     
  2. GOT

    GOT Get Proactive! PartnerNOC

    Joined:
    Apr 8, 2003
    Messages:
    1,484
    Likes Received:
    187
    Trophy Points:
    193
    Location:
    Chesapeake, VA
    cPanel Access Level:
    DataCenter Provider
    What HTTP code is it returning? I presume either a 5xx or a 404?
     
  3. globcom

    globcom Well-Known Member

    Thank you GOT

    It returns 404
     
  4. GOT

    GOT Get Proactive! PartnerNOC

    Then it's typically not an issue unless they are hammering you so hard that it's causing a load issue.

    You can install and configure CSF firewall and enable 404 blocking if you want to block IPs that hit numerous 404 pages.
     
  5. globcom

    globcom Well-Known Member

    Thank you Got. I will try your solution.
    Eric
     
  6. globcom

    globcom Well-Known Member

    The solution with CSF doesn't work directly.

    I created a modsecurity rule based on this: mod security rules to block get requests by url

    SecRule REQUEST_URI "/logos/NEW%20LOGOS/" "deny,id:18478,phase:1,status:411,msg:'logos'"

    The IPs are blocked in the CSF deny list; I have a hundred IPs in the list and it is growing...

    I don't know what is better:
    - try to block this traffic
    or
    - nothing?

    Eric
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    47,529
    Likes Received:
    2,181
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello Eric,

    I don't see the harm in blocking the traffic if it's not legitimate. Try searching the path that's being hit in the website files of the accounts you host to make sure it's not a poorly coded script that's leading to users making a connection attempt to the wrong path.

    Thank you.
     
  8. globcom

    globcom Well-Known Member

    Hello Michael and thank you for your reply!

    The trouble (for me) is that this traffic comes to my.servername.com
    There isn't a script or website on it.
    cPanel recommendation (if I'm not mistaken) is that the subdomain should not be created for the name server on the server.

    Example of request:

    http/1.1 my.nameserver.com:80 GET /logos/NEW%20LOGOS/usa%20el%20ray%20network%20hd.png HTTP/1

    All this traffic comes from the USA (and I can't block the US in CSF).

    At this time I have 3020 IPs in my CSF deny list.
    I don't know how many IPs it is possible to block with CSF (server with 128 GB of RAM).

    With the modsecurity rule, I don't have a load issue.

    I hope this will stop by itself !

    Eric
     
    cPanelMichael likes this.
  9. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hi Eric,

    One option to consider if RAM usage becomes an issue is to lower the DENY_IP_LIMIT value in the csf.conf file. If the same IP addresses are consistent in their attack on your server, then an abuse report to the data center/network provider that controls those IP addresses is a good idea as well.

    Thank you.
     
  10. globcom

    globcom Well-Known Member

    Hi Michael,

    It's always different IP addresses.

    Examples:

    - Removed no need here -

    Thank you
     
  11. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hi @globcom,

    If the IP addresses are different, then the DENY_IP_LIMIT value in the csf.conf file should allow you to avoid excessive RAM usage on the system. There's no need to keep the IP addresses blocked permanently if it's new IP addresses hitting your server each time.

    Thank you.
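
An added example, not part of the thread and not code from cPanel or CSF: a short Python script over constructed access-log lines that contrasts counting 404s per IP (blocking IPs that hit numerous 404 pages, as suggested above) with grouping 404s by path prefix, which is where traffic from always-different IP addresses becomes visible. The Apache "combined" log format, the documentation-range sample IPs and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "combined" format (documentation-range IPs).
LOGO = "/logos/NEW%20LOGOS/usa%20cmt%20hd.png"
SAMPLE = [
    f'198.51.100.{i} - - [27/Oct/2018:10:00:{i:02d} +0000] "GET {LOGO} HTTP/1.1" 404 315 "-" "-"'
    for i in range(1, 9)          # eight different IPs, one request each
] + [
    f'192.0.2.50 - - [27/Oct/2018:10:01:{i:02d} +0000] "GET /probe{i}.php HTTP/1.1" 404 315 "-" "-"'
    for i in range(6)             # one IP requesting six missing pages
] + ['203.0.113.7 - - [27/Oct/2018:10:02:00 +0000] "GET / HTTP/1.1" 200 512 "-" "-"']

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def parse_404s(lines):
    """Yield (ip, path) for every request answered with 404."""
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(4) == "404":
            yield m.group(1), m.group(3).split("?", 1)[0]

def per_ip_offenders(lines, limit):
    """IPs with at least `limit` 404s: what a per-IP 404 threshold sees."""
    counts = defaultdict(int)
    for ip, _ in parse_404s(lines):
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= limit}

def distributed_prefixes(lines, min_ips, depth=2):
    """Path prefixes (first `depth` segments) drawing 404s from many IPs.

    Returns {prefix: (total_hits, distinct_ips)}.
    """
    ips, hits = defaultdict(set), defaultdict(int)
    for ip, path in parse_404s(lines):
        prefix = "/" + "/".join(path.strip("/").split("/")[:depth])
        ips[prefix].add(ip)
        hits[prefix] += 1
    return {p: (hits[p], len(s)) for p, s in ips.items() if len(s) >= min_ips}

if __name__ == "__main__":
    print("per-IP view:  ", per_ip_offenders(SAMPLE, limit=5))
    print("per-path view:", distributed_prefixes(SAMPLE, min_ips=5))
```

In the sample, the per-IP view reports only the single address that requested several missing pages, while the per-path view reports the `/logos/NEW%20LOGOS` prefix that many addresses each hit once, which is the case a URL-based rule addresses.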
     