Mod_security and scan of port 443

khnaz35 · Jan 31, 2023

Anyway i notice one thing more unusual under

ModSecurity™ Tools »
Hits List
Screenshot & Screenshot and even these files doesn't exist on my server.

cPRex · Feb 1, 2023

Hey there! Even though the files may not exist on your server, someone can still make a request for them that ModSecurity will block. For example, I could visit https://cpanel.net/totally-random-url.jpg and get a 404 error, but if I try and make an odd request it's possible our security tools would detect that. I believe that is what is happening in this case since the requester is trying various common hidden directory names to see if they can access anything on your site.

khnaz35 · Feb 1, 2023

Thanks for the reply how do i get rid of this requester (show him/her middle finger) ? Because no matter what they are still eating up my system memory/bandwidth and when it comes to real user they are facing time out on the server.

cPRex · Feb 1, 2023

If the requests always come from the same IP address, I would recommend just blocking the IP address in the server's firewall.

khnaz35 · Feb 1, 2023

Currently i am seeing about 2000 hits under ModSecurity™ Tools »Hits List , so i don't think so its possible to block them one by one.
Is there anyway i can download this list and block them ? or what is the best way to get rid of these ips

ejsolutions · Feb 1, 2023

Install & use CSF to block ModSec hits.

khnaz35 · Feb 1, 2023

I have installed & enabled CSF on my server. Can you provide more information on blocking ModSec hits in CSF?
Thanks in advance.

ciao70 · Feb 1, 2023

I recommend deleting the access links to your server

Post n° 5

cPRex · Feb 1, 2023

@ciao70 - edited, thanks!

ejsolutions · Feb 1, 2023

khnaz35 said:
Can you provide more information on blocking ModSec hits in CSF?

I highly recommend that you run through the readme that is a part of CSF. IIRC, by default, CSF blocks anyone temporarily with more than 5 ModSec hits - I set blocks as permanent, for example.

khnaz35 · Feb 14, 2023

ejsolutions said:
I set blocks as permanent, for example.

How was this done?

quietFinn · Feb 14, 2023

LF_MODSEC = 5
LF_MODSEC_PERM = 1
means after 5 rule triggers it's permanent ban.

ejsolutions · Feb 15, 2023

I'll regurgitate my default setting for CSF, hopefully for the benefit of others..

csf --profile apply protection_high

csf --profile apply disable_alerts

<-- stops your server spamming your default email with every single alert.
.. manually change a select few alerts, such as console access ..
csf -r

Thread starter	Similar threads	Forum	Replies	Date
J	deciphering mod_security logs	Security	9	Dec 15, 2022
S	In Progress EA-10889 - mod_security disabled by default? Why?	Security	9	Aug 16, 2022
C	Mod_Security rules for Joomla login failures	Security	2	Apr 4, 2022
7	Mod_Security Block Time and CSF	Security	4	Sep 23, 2021
W	How to block Acunetix scanner with mod_security ?	Security	0	Aug 12, 2007

Search

Search

Mod_security and scan of port 443

khnaz35

Member

cPRex

Jurassic Moderator

khnaz35

Member

cPRex

Jurassic Moderator

khnaz35

Member

ejsolutions

Well-Known Member

khnaz35

Member

ciao70

Well-Known Member

cPRex

Jurassic Moderator

ejsolutions

Well-Known Member

khnaz35

Member

quietFinn

Well-Known Member

ejsolutions

Well-Known Member