Hi Lat9,

As I was reviewing my website logs I discovered 588 files which are not supposed to be there. Looking into the files I found in each one a first line like this:
Code:
[17-Dec-2018 14:28:57 America/New_York] Request URI: /index.php?main_page=discount_coupon'A=0, IP address: 185.235.15.140
or
[17-Dec-2018 22:04:17 America/New_York] Request URI: /index.php?main_page=index'A=0&cPath=66, IP address: 35.236.99.80
or 
[18-Dec-2018 23:59:31 America/New_York] Request URI: /index.php?main_page=site_map'[0], IP address: 173.44.37.114
or 
[21-Dec-2018 23:58:14 America/New_York] Request URI: /index.php?cPath=70_126&main_page=index2121121121212.1, IP address: 47.91.241.128
[21-Dec-2018 23:58:17 America/New_York] Request URI: /index.php?cPath=70_126&main_page=index%20and%201%3E1, IP address: 47.91.241.128
or even 
[30-Dec-2018 12:31:27 America/New_York] Request URI: /index.php?main_page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00&cPath=90, IP address: 14.185.32.246
All these are attempts to break into the host using zen-cart and php, especially the last one which tries to get the /etc/passwd file.

Fortunately zen-cart didn't answer these attempts, but the repeated requests did bring the machine to its knees.

As I have fail2ban installed, I looked why fail2ban didn't deal with these.
The answer is because fail2ban doesn't know anything about zen-cart log files.
So that fail2ban manages these attempts I have to make a fail2ban configuration file, where I tell it which log file to monitor and, using a regex, how to identify bad attempts and get the IP.
With this information, fail2ban jails the IP for a period of time, meaning it adds the IP to the deny list of either ufw or iptables (Linux firewalls).

So... I was thinking... Would it be difficult to mimic the fail2ban behaviour, i.e. monitor zen-cart log files and when an attempt is made add the IP to the block list?

That's just a suggestion. As I have fail2ban, I will try to make a configuration file for it, but not everybody has access to this kind of tool, especially if the website is on a shared host.

Thanks for reading.

Hub
P.S.: If you need my 588 log files with all kinds of attempts, just tell me.
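An added example (not Hub's code and not part of Zen Cart or fail2ban) of the regex step the post describes: parse the quoted log-line format, flag the probe patterns shown above, and count hits per IP the way fail2ban's maxretry does before an address would be handed to ufw or iptables. The log lines and IP addresses in SAMPLE_LOG are constructed, and the signatures are assumptions derived from the URIs in the post.

```python
import re
from collections import Counter
from urllib.parse import unquote

# First line of each stray file, in the format quoted in the post (assumed).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Request URI: (?P<uri>\S+), "
    r"IP address: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Signatures for the probes shown in the post, checked on the URL-decoded URI.
SUSPICIOUS = [
    ("quote_injection", re.compile(r"'(?:A=0|\[0\])")),           # discount_coupon'A=0, site_map'[0]
    ("sql_probe", re.compile(r"\s+and\s+1\s*[<>=]\s*1", re.I)),  # index and 1>1
    ("path_traversal", re.compile(r"(?:\.\./){2,}")),             # ../../../etc/passwd
    ("null_byte", re.compile("\x00")),                            # %00 terminator
    ("numeric_tail", re.compile(r"main_page=[a-z_]+\d{6,}")),     # index2121121121212.1
]

# Constructed sample lines (documentation-range IPs), not real log data.
SAMPLE_LOG = """\
[17-Dec-2018 14:28:57 America/New_York] Request URI: /index.php?main_page=discount_coupon'A=0, IP address: 203.0.113.10
[17-Dec-2018 14:29:03 America/New_York] Request URI: /index.php?main_page=site_map'[0], IP address: 203.0.113.10
[17-Dec-2018 14:29:10 America/New_York] Request URI: /index.php?main_page=index%20and%201%3E1&cPath=66, IP address: 203.0.113.10
[18-Dec-2018 09:00:00 America/New_York] Request URI: /index.php?main_page=..%2f..%2f..%2f..%2fetc%2fpasswd%00&cPath=90, IP address: 203.0.113.20
[18-Dec-2018 09:05:00 America/New_York] Request URI: /index.php?main_page=product_info&cPath=70_126, IP address: 203.0.113.30
""".splitlines()


def classify(uri):
    """Return the names of every signature that matches the decoded URI."""
    decoded = unquote(uri)
    return [name for name, rx in SUSPICIOUS if rx.search(decoded)]


def scan(lines, maxretry=3):
    """Count flagged requests per IP; return those at or above maxretry."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and classify(m["uri"]):
            hits[m["ip"]] += 1
    return {ip: n for ip, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    for ip, n in scan(SAMPLE_LOG).items():
        print(f"{ip}: {n} suspicious requests, candidate for the deny list")
```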