Mort-lemur, posted November 22, 2014

I have just been looking through my cPanel error log and noticed that something had been "sniffing" around the site by the following error codes:

    File does not exist: /home/username/public_html/shop

There are also errors where they tried to find forum, administrator, test, site, joomla, shop etc. etc.

I know that IP banning is not the total solution to things like this, but I'm sure it would help. My question is: is there a simple way to create a rule that bans the IP address if a certain file or files is searched for?

Many thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

oscMarket, posted November 22, 2014

A very simple one (not directory specific):

    <?php
    // Full client addresses to refuse (placeholder values; replace with real ones).
    // in_array() compares whole strings, so each entry must be a complete address.
    $deny = array("111.111.111.111", "222.222.222.222", "333.333.333.333");
    if (in_array($_SERVER['REMOTE_ADDR'], $deny, true)) {
        // Send listed clients elsewhere and stop before any shop code runs.
        header("Location: http://www.google.com/");
        exit();
    }
    ?>

14steve14, posted November 22, 2014

There are many addons, see:

http://addons.oscommerce.com/info/7509/v,22
http://addons.oscommerce.com/info/5914
http://addons.oscommerce.com/info/5276
http://addons.oscommerce.com/info/6066

There are many more. The only one I have ever used was the IP trap one, and it did what it was supposed to.

REMEMBER BACKUP, BACKUP AND BACKUP

MrPhil, posted November 22, 2014

Banning by IP address is best done in .htaccess with DENY entries. It's the highest in the "food chain" that you can go, and has the least negative impact on server performance. If an address is poking around doing suspicious things, what's the problem with totally banning them? They're trying to break your site. Don't give them any outs.

Jack_mcs, posted November 22, 2014

@Mort-lemur If the locations you want to ban are not to be seen by anyone, then you can use something like this in the .htaccess file:

    RewriteEngine On
    # Unanchored regex match: any URI containing /forum or /test qualifies
    RewriteCond %{REQUEST_URI} "/forum" [OR]
    RewriteCond %{REQUEST_URI} "/test"
    # Send matching requests to the loopback address
    RewriteRule ^(.*)$ http://127.0.0.1 [L]

You can add as many conditions as you like.

Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons. Get the latest versions of my addons. Recommended SEO Addons.

greasemonkey, posted November 22, 2014

For anyone using Cloudflare or other upstream providers like CDNs, you can block IPs (including IP ranges and/or countries) before they ever get to your server.

Taipo, posted November 22, 2014

These days if you are banning IPs you will find after a month or so that you have a very large list of IPs in .htaccess. Mass spam styled attackers regularly update their extensive proxy lists with new IP addresses, so the chances of them hitting your site multiple times with the same IP list is low.

Also, Apache already sends a fairly low-resource 404 "file not found" header anyway if a file does not exist, so there is little real advantage when banning an IP other than the aesthetic sense that you have taken action.

My general approach is to 403 ban any malicious requests targeted at the actual site code, i.e. index.php (even if it's a blind exploit request for another CMS), and just let the webserver deal with the masses of other blind exploit requests to files that do not exist using as little server resources as possible.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Taipo, posted November 22, 2014

> @Mort-lemur If the locations you want to ban are not to be seen by anyone, then you can use something like this in the .htaccess file:
>
>     RewriteCond %{REQUEST_URI} "/forum" [OR]
>     RewriteCond %{REQUEST_URI} "/test"
>     RewriteRule ^(.*)$ http://127.0.0.1 [L]
>
> You can add as many conditions as you like.

Another end game is:

    # [F] answers the matched request with 403 Forbidden
    RewriteRule ^.* - [F,L]

SetEnvIf Request_URI would also be another way to address this. Example:

    # Flag requests whose URI ends in one of these directory names (trailing slash required)
    SetEnvIfNoCase Request_URI "/shop/$" badrequest
    SetEnvIfNoCase Request_URI "/forum/$" badrequest
    SetEnvIfNoCase Request_URI "/administrator/$" badrequest
    # Apache 2.2 access control: allow everyone except flagged requests
    order allow,deny
    allow from all
    deny from env=badrequest

Mort-lemur (Author), posted November 23, 2014

@14steve14 @Jack_mcs @Taipo

Thank you all for the suggestions. I have elected to try out IP Trap.

Seems to be working well so far - never realised what a load of rubbish requests were aimed at sites until I checked the logs today.......

And it also helped me correct a couple of errors I was not aware of (missing logo images for payment systems etc.)

vmn, posted November 24, 2014

Hi,

I think that fail2ban (http://www.fail2ban.org) is quite a good choice for Linux. I'm using it. The good thing is that no change or addons are needed to your application software.

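Added example, not from any poster and not fail2ban's own code: the log-driven approach discussed in this thread, reduced to a Python script that reads Apache 2.2-style "File does not exist" error lines and lists clients that probed at least two of the directory names from the first post. The document root, the trap-name set, the `min_distinct` threshold and the sample log lines are assumptions constructed for illustration; requests for other missing files, such as a forgotten logo image, are ignored.

```python
import re
from collections import defaultdict

# Apache 2.2-style error log line, as quoted in the first post ([^\s,] drops ", referer: ...").
LINE_RE = re.compile(r"\[client (?P<ip>[0-9a-fA-F.:]+)\] File does not exist: (?P<path>[^\s,]+)")
# Assumed values: the account's document root and the probe names listed in the thread.
DOCROOT = "/home/username/public_html"
TRAP_NAMES = {"forum", "administrator", "test", "site", "joomla", "shop"}


def probed_name(fs_path, docroot=DOCROOT):
    """Return the trap name a missing filesystem path points at, or None."""
    if not fs_path.startswith(docroot + "/"):
        return None
    first = fs_path[len(docroot) + 1:].split("/", 1)[0].lower()
    return first if first in TRAP_NAMES else None


def find_scanners(lines, min_distinct=2):
    """Map client IP -> sorted trap names, for clients that probed >= min_distinct names."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        name = probed_name(m.group("path")) if m else None
        if name:
            seen[m.group("ip")].add(name)
    return {ip: sorted(names) for ip, names in seen.items() if len(names) >= min_distinct}


def deny_lines(scanners):
    """Render Apache 2.2 'Deny from' entries, one per offending client."""
    return ["Deny from " + ip for ip in sorted(scanners)]


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
[Sat Nov 22 09:01:11 2014] [error] [client 203.0.113.7] File does not exist: /home/username/public_html/shop
[Sat Nov 22 09:01:12 2014] [error] [client 203.0.113.7] File does not exist: /home/username/public_html/joomla
[Sat Nov 22 09:01:13 2014] [error] [client 203.0.113.7] File does not exist: /home/username/public_html/administrator
[Sat Nov 22 09:05:40 2014] [error] [client 198.51.100.23] File does not exist: /home/username/public_html/images/payment_logo.gif
[Sat Nov 22 09:07:02 2014] [error] [client 192.0.2.50] File does not exist: /home/username/public_html/test
""".splitlines()

if __name__ == "__main__":
    for entry in deny_lines(find_scanners(SAMPLE_LOG)):
        print(entry)
```

Requiring several distinct trap names keeps a single mistyped URL from producing a ban, and the output still needs review before it is pasted into .htaccess.
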
Mort-lemur (Author), posted November 25, 2014

Update:

I have uninstalled the IP trap, for two main reasons:

1) As mentioned by @Taipo, the logs were rapidly filling up (16 pages MINIMUM of 404 errors per day!) and it was becoming a chore to delete them one by one.

2) The mod was giving some unpredictable results, especially with respect to the who's online screen, and some customers had complained they were seeing "strange error pages".

So I will probably revert to letting the server handle the 404 requests, with a couple of .htaccess entries as above by @Jack_mcs and @Taipo for some of the more frequently occurring "dodgy" requests.

Jack_mcs, posted November 25, 2014

You may want to look at View Counter. You can see such connections and ban them via admin so it can save you some work.

oscMarket, posted December 16, 2014

I just found an article that offers a solution to "block" bots sniffing directories that do not even exist on your server:

http://perishablepress.com/blackhole-bad-bots/

Jack_mcs, posted December 16, 2014

@wHiTeHaT That method is included in View Counter and, I think, the IP Block addon. But you need to be careful with it because the search engines don't always honor those rules. When I was developing View Counter, I had many hits on the trap directory from Bing. I contacted them about it and, at first, they said I was mistaken. But then they ran a test and acknowledged it.

If someone is going to use that method, I suggest changing the code so that it doesn't automatically block and sends an email to you instead so you can decide, or create a list of known good bots so that they are skipped. The latter can be difficult because the search engines use many different agent names, though they are knowable.

oscMarket, posted December 16, 2014

@Jack_mcs, as far as I read the article, it first looks up the valid bots (robots.txt).

I think you should actually READ the article ;)

Jack_mcs, posted December 16, 2014

I did read it. It has been around for years, or one like it. The script does a whois search to see if it is a search engine and then bans it. But it will ban all of them. Later in the article it says you can whitelist the ones you don't want banned, which is what I stated in my reply.

Roklia123, posted July 24, 2016

> There are many addons, see:
>
> http://addons.oscommerce.com/info/7509/v,22
> http://addons.oscommerce.com/info/5914
> http://addons.oscommerce.com/info/5276
> http://addons.oscommerce.com/info/6066
>
> There are many more. The only one I have ever used was the IP trap one, and it did what it was supposed to.

Thank you man !!!

No links

Archived
This topic is now archived and is closed to further replies.