
We have in our server logs every day continuous bots trying to access the below, for example:

Requests with error response codes
    404 Not Found
       /favicon.ico: 3 Time(s)
       /3ckkB-ZOp30: 2 Time(s)
       /adminer-3.7.1.php: 2 Time(s)
       /eGfLqNJOuqgur2f: 2 Time(s)
       /robots.txt: 2 Time(s)
       /winter.php?9e1ii8rtztula2_75ebd41oqp_kf3w9lj-dm99: 2 Time(s)
       /0XvFhDrIXxN41.html: 1 Time(s)
       /0xgjFcQBKZz03.jp: 1 Time(s)
       /2MOlzgwdyon73: 1 Time(s)
       /2QMQR_rCWb_kb92.jp: 1 Time(s)
       /3uuTp_iPYvTc9.jp: 1 Time(s)
       /4MavbQXKsSFWv59: 1 Time(s)
       /winter.php?00ee8z48c8fb9e2666: 1 Time(s)
       /winter.php?01gxbe714bacoxx7by: 1 Time(s)
       /winter.php?01u9e6e7d85d0c10gn: 1 Time(s)
       /winter.php?02qlwkyd8afe5250m2: 1 Time(s)
       /winter.php?03rdhtzje8fc1d4rs4o_52wku: 1 Time(s)
       /winter.php?05rihk899bc7emlvrb: 1 Time(s)
       /winter.php?07re1w9178292nc48m: 1 Time(s)
       /winter.php?09r2nc68agkcy61d6cz1e59347jhmg6dkb5l33p: 1 Time(s)
       /winter.php?0BRawvhp-cSbd.html: 1 Time(s)
       /winter.php?0apmvkq0ujtbu4c9be9fr7pvtopnulf: 1 Time(s)
       /winter.php?0b9sgs0cc9c13_2_h1: 1 Time(s)
       /winter.php?0csi0z322a5c3hki00: 1 Time(s)
       /winter.php?0cu5f7_jh_f79e8e2ucwzk-6: 1 Time(s)
       /winter.php?12evai16c8b044n19x: 1 Time(s)
       /winter.php?13sj8i7047ec3h0d2c: 1 Time(s)
       /winter.php?146-7p5e00132l6bpj: 1 Time(s)
       /winter.php?186h0k872ed9fhuvsf-g: 1 Time(s)
       /winter.php?18kd5nyab949edi8tc: 1 Time(s)
       /winter.php?19jba6lhacd8d9c59xpte: 1 Time(s)
       /winter.php?1ac7r752cf18gpy4_p: 1 Time(s)
       /winter.php?1db_7sef6ba39l-j3v: 1 Time(s)
       /winter.php?22fag93b32433iiy41: 1 Time(s)
       /winter.php?27f_25875b67mw38v: 1 Time(s)
       /winter.php?27jec856a8212twr1xz: 1 Time(s)
       /winter.php?27lyf5ba10d8lip-: 1 Time(s)
       /winter.php?2cl4ggnd841aa036a0: 1 Time(s)
       /winter.php?2dcf40b6db43o7wfdi: 1 Time(s)
       /winter.php?2de1tinttb844952gss6wbz: 1 Time(s)
       /winter.php?31t1y7d26701kyan50: 1 Time(s)
       /winter.php?34-9fac19903svqmyk: 1 Time(s)
       /winter.php?341oxzrdd48ab3n3d_: 1 Time(s)
       /winter.php?38-zqhi465bb8fs0ux: 1 Time(s)
       /winter.php?3cdh21002e4cd34-0: 1 Time(s)
       /winter.php?3ee3wok207-zfde226e6k28p79ttmusn15imep5xz: 1 Time(s)
       /winter.php?3evyze4m7083b5eitm7a6: 1 Time(s)
       /winter.php?42oz53c7291a39or30: 1 Time(s)
       /winter.php?48k61e8e95800fcfi0: 1 Time(s)
       /winter.php?48wcak3-jypn569253992dlfwn63xya32m_: 1 Time(s)
       /winter.php?4alg5wbf16f51d5tzcs8_l5yh45d: 1 Time(s)
       /winter.php?4bjjlked5b5a9lfb52: 1 Time(s)

We are using WHM / cPanel with the CSF firewall and MODSEC. How can I set a rule to automatically and completely block the IP address of whatever tries to access /winter.php*********, so that it does not matter what is where the ***** is? As long as the URL starts with /winter.php, it can be blocked?

Any ideas?

1 Answer


This can be achieved using .htaccess if you want, but IP blocking cannot be done that way; you can only block people from accessing the mentioned file. If you want to block the IP addresses accessing the mentioned file, make use of the below.

Edit your regex.custom.pm file:

nano -w /usr/local/csf/bin/regex.custom.pm

Close to the end of the file, you will see an empty space. That is where we are going to place our new rule:

# XMLRPC Defense, block IP if 1 requests in 3600 sec
# Matches an access-log line whose request is "GET /winter.php..." or
# "POST /winter.php..." and captures the client IP ($1) from the start of the line.
if (($globlogs{CUSTOM2_LOG}{$lgfile}) and ($line =~ /(\S+).*] "\w*(?:GET|POST) \/winter\.php.*" /)) {
    # return fields: log message, IP to block ($1), rule identifier, trigger count, ports, block duration
    return ("You have been banned, please do not attack us",$1,"XmlrpcAttackDetected","10","80,443,21,25,22,23","1");
}

Save the file, and edit the CSF configuration, as you see here:

nano -w /etc/csf/csf.conf

Search for this variable: CUSTOM2_LOG and set it as you see below:

CUSTOM2_LOG = "/var/log/winterattacks"

Save the changes and create your log file:

touch /var/log/winterattacks

Now restart CSF and LFD to apply changes:

csf -r
service lfd restart

You can refer to this link to learn how to do this in several ways. The blog features access to the xmlrpc file; I guess it would work on all files.

Abhijith
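Before relying on the rule, it is worth checking what the regex actually matches, because lfd only hands this rule lines it reads from the file named in CUSTOM2_LOG, so that file has to be a log that really receives the requests. The script below is an added example, not part of the answer or of CSF: it applies the same pattern to constructed Apache/cPanel combined-format log lines (the IPs and paths are made up for the test).

```python
import re

# The pattern from the regex.custom.pm rule above, unchanged; the constructs it
# uses (\S, \w, a non-capturing group) mean the same thing in Perl and Python.
WINTER_RULE = re.compile(r'(\S+).*] "\w*(?:GET|POST) \/winter\.php.*" ')


def offending_ips(log_lines):
    """Return the client IP the rule would capture ($1) for each matching line.

    lfd feeds every line of the CUSTOM2_LOG file to custom_line(); here the
    same lines are supplied from memory so the pattern can be checked offline.
    """
    hits = []
    for line in log_lines:
        m = WINTER_RULE.search(line)
        if m:
            hits.append(m.group(1))
    return hits


# Constructed combined-format access log lines (not taken from the original post).
SAMPLE_LOG = [
    # GET with a random query string: matches, IP is captured
    '203.0.113.10 - - [08/Oct/2020:23:48:01 +0000] "GET /winter.php?0apmvkq0ujtbu4c9be9fr7pvtopnulf HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    # POST with no query string: matches
    '203.0.113.11 - - [08/Oct/2020:23:48:02 +0000] "POST /winter.php HTTP/1.1" 404 196 "-" "curl/7.68.0"',
    # ordinary 404 for another path: no match
    '203.0.113.12 - - [08/Oct/2020:23:48:03 +0000] "GET /robots.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
    # winter.php only in the Referer field, request line is /index.html: no match
    '203.0.113.13 - - [08/Oct/2020:23:48:04 +0000] "GET /index.html HTTP/1.1" 200 512 "http://example.invalid/winter.php" "Mozilla/5.0"',
    # HEAD request: the rule only lists GET and POST, so this slips through
    '203.0.113.14 - - [08/Oct/2020:23:48:05 +0000] "HEAD /winter.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip in offending_ips(SAMPLE_LOG):
        print("would block:", ip)
```

Running it shows that only the GET and POST lines trigger the rule; a HEAD request for /winter.php does not, so widen the method alternation if that matters for your logs.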
Hi Abhijith, thanks so much for the help on the above. But it still did not seem to work. Still saying "File not found" when attempting to view the site. I also tried from another IP to make sure this was not my IP being whitelisted, and same: it appears to go through, and the log file created was empty. Any suggestions? For the interim I have found a workaround with CloudFlare, implementing a URI block rule from Firewall. But ideally I would like to enable these server side as a permanent solution. – Devteam9200 Oct 08 '20 at 23:48