
I have a server with WHM + cPanel and 5 of my customers got infected with zbot.

This means that the domains they have are constantly receiving requests to certain destinations.

I tried to use mod_security but it seems that it can't filter every request... I don't really know why.

I still see in the access log the connections coming in, and they are consuming a LOT of bandwidth and server load.

Those accounts have already been cleaned, so all of those requests go to a 404 error (for the ones caught by mod_security I am dropping the connection).

Are there any more ways to defend against these requests?

Killercode

2 Answers


I would recommend you install a firewall on your server. I would go with CSF - ConfigServer Security and Firewall (CSF website). You can also try something like APF, but my personal bias is CSF. It has a nice web interface via WHM and supports more features than APF. Google "CSF vs. APF" for more history. But I digress.

For CSF, go ahead and install it using the instructions in the install.txt file from the CSF website. Make sure you disable cPanel's cPHulk Brute Force Protection via WHM Main >> Security Center >> cPHulk Brute Force Protection.

Once installed, you can configure CSF to monitor bot requests and help prevent *bot requests. mod_security is a step in the right direction, but CSF will help further.

Note: Do spend the ~20 minutes reading the config file via WHM for CSF and setting up the firewall.

Adam
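The csf.conf settings a practitioner would look at first for this kind of traffic, as an added illustrative fragment that is not part of the answer above or of CSF's own documentation. The option names are taken from csf.conf as I know it and should be checked against the comments in the installed copy; the numeric thresholds are assumptions to tune against your own access logs, not CSF defaults.

```ini
# /etc/csf/csf.conf (excerpt; illustrative values, not CSF defaults)

# csf installs with TESTING = "1", which adds a cron job that flushes the
# rules every few minutes so a mistake cannot lock you out. Until this is
# set to 0 the firewall is not really enforcing anything.
TESTING = "0"

# Window, in seconds, over which the LF_* counters below are evaluated.
LF_INTERVAL = "300"

# Clients that trigger mod_security rules: block after 5 triggers within
# LF_INTERVAL. A *_PERM value of 1 is a permanent block; a larger number is
# the length of a temporary block in seconds.
LF_MODSEC = "5"
LF_MODSEC_PERM = "1800"

# Apache 404 tracking: block a client after 50 404 responses within
# LF_INTERVAL, for 1800 seconds. This catches a bot polling a removed file
# every few seconds while leaving a visitor with a missing favicon alone.
LF_APACHE_404 = "50"
LF_APACHE_404_PERM = "1800"

# Connection tracking: a client holding more than 100 connections at once,
# checked every 30 seconds, is blocked for 30 minutes.
CT_LIMIT = "100"
CT_INTERVAL = "30"
CT_BLOCK_TIME = "1800"

# Port flood (port;protocol;hits;interval): more than 30 new connections
# to tcp/80 from one address within 10 seconds is treated as a flood.
PORTFLOOD = "80;tcp;30;10"
```

After editing, `csf -r` reloads the rules and `csf -g <ip>` shows whether a given address is currently blocked and by which rule, which is the quickest way to confirm the 404 and mod_security counters are actually firing on the bot traffic rather than on customers.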

If you have already cleaned the accounts and you know for sure that most of the requests directed to the removed sites are botnet requests, just write a script (PHP, Python, whatever) which fetches the IP address of the abusive client and blacklists it with iptables for N minutes.

Though there is a chance that you may block some legitimate traffic.

golja
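The script the answer describes, as an added example and not the answerer's code. It assumes cPanel's Apache writes the standard "combined" access log format, that the traffic aimed at the removed sites shows up as 404 responses from a handful of source addresses, and that iptables on the host accepts the two commands it generates; the sample log lines are constructed for the example. To reduce the risk of blocking legitimate traffic that the answer warns about, a client is only listed when its 404s are both numerous and nearly all of its requests in the window:

```python
import re
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" access log line: ip ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_abusers(lines, min_404=20, min_ratio=0.9, window=timedelta(minutes=5)):
    """Map ip -> number of 404s for clients that, within `window` before their
    last request, produced at least `min_404` 404s making up at least
    `min_ratio` of their requests. The ratio keeps a real visitor who hits a
    missing favicon off the list."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append((rec["ts"], rec["status"]))
    abusers = {}
    for ip, recs in by_ip.items():
        latest = max(ts for ts, _ in recs)
        recent = [status for ts, status in recs if latest - ts <= window]
        n404 = sum(1 for status in recent if status == 404)
        if n404 >= min_404 and n404 / len(recent) >= min_ratio:
            abusers[ip] = n404
    return abusers


class Blocklist:
    """Timed iptables DROP rules. dry_run=True only returns the command that
    would run; set it to False (as root) to actually call iptables."""

    def __init__(self, minutes=30, dry_run=True):
        self.ttl = timedelta(minutes=minutes)
        self.dry_run = dry_run
        self.expires = {}  # ip -> datetime at which the rule is removed

    def _run(self, cmd):
        if not self.dry_run:
            subprocess.run(cmd, check=True)
        return " ".join(cmd)

    def block(self, ip, now):
        """Insert a DROP rule for ip; None if it is already blocked."""
        if ip in self.expires:
            return None
        self.expires[ip] = now + self.ttl
        return self._run(["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"])

    def expire(self, now):
        """Delete rules whose TTL has passed; returns the commands run."""
        done = []
        for ip, until in list(self.expires.items()):
            if now >= until:
                done.append(self._run(["iptables", "-D", "INPUT", "-s", ip, "-j", "DROP"]))
                del self.expires[ip]
        return done


def build_sample_log():
    """Constructed traffic for the example, not real log data: two bots
    polling a removed file and one ordinary visitor with a missing favicon."""
    base = datetime(2012, 3, 10, 10, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(ip, path, status, offset):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 213 "-" "Mozilla/4.0"')

    for i in range(25):
        add("10.0.0.5", "/images/cfg.bin", 404, 2 * i)
    for i in range(30):
        add("10.0.0.6", "/images/cfg.bin", 404, 3 * i)
    add("192.0.2.10", "/", 200, 5)
    add("192.0.2.10", "/favicon.ico", 404, 6)
    add("192.0.2.10", "/about.html", 200, 7)
    return lines


if __name__ == "__main__":
    lines = build_sample_log()
    now = max(parse_line(l)["ts"] for l in lines)
    bl = Blocklist(minutes=30, dry_run=True)
    for ip, n in find_abusers(lines).items():
        print(f"{ip}: {n} x 404 -> {bl.block(ip, now)}")
    for cmd in bl.expire(now + timedelta(minutes=30)):
        print(f"expired -> {cmd}")
```

In production this would read the tail of each account's access log on a short cron interval, call `block()` with `dry_run=False`, and call `expire()` on every run so the DROP rules really do go away after N minutes; if CSF is already installed, replacing the two iptables commands with `csf -td <ip> <seconds>` gives the same temporary block with CSF tracking the expiry for you. The ratio threshold is the knob to adjust if customers start reporting blocks.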