0

Looking through my Apache error logs in /var/log/apache2/error_log I am seeing a ton of IPs trying to access files that don't exist. I interpret these as bots probing my web server trying to find a vulnerability file to exploit.

Files like:

/var/www/html/compress.php
/var/www/html/index.php
/var/www/html/wp-login.php
/var/www/hmtl/getcfg.php

I then go to look at the /var/www/ directory and do find the /cgi-bin and the /html subfolders in it. The /cgi-bin folder is empty, but the /html folder has a handful of files like: 400.shtml, 401.shtml, 403.shtml, 404.shtml and even index.html. I then read that these are Apache created and owned - is this true? If so... what is the purpose of this folder/files?

Is there any Apache... or ConfigServer (firewall) configuration that I can use that can detect these probing IPs and auto-block them? Any IP that keeps looking for multiple files that don't exist - implying it's not a user (or even a bot) that is properly accessing the correct HTML pages - is malicious and should be blocked.

rolinger

1 Answer

0

Don't know about CSF, but there is an Apache module, mod_evasive, that will help. With some tweaks, it will do anything you want.

https://blog.cpanel.com/blocking-attacks-with-easyapache-4s-mod_evasive/
https://docs.cpanel.net/ea4/apache/apache-module-evasive/

Erhard Czving
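The rule proposed in the question (an IP that keeps requesting several different files that don't exist is a prober) can be checked directly against the error log. The following is an added example, not code from either poster or from mod_evasive: it assumes an Apache 2.4 style error_log line layout, and the function name `probing_ips`, the threshold of 3 distinct paths and the 5 minute window are hypothetical choices. The sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed Apache 2.4 error_log layout; adjust the
# regex if your ErrorLogFormat differs. IPs are from documentation ranges.
SAMPLE_LOG = """\
[Mon Mar 04 10:00:01.100000 2024] [core:info] [pid 900] [client 203.0.113.7:40112] File does not exist: /var/www/html/compress.php
[Mon Mar 04 10:00:02.200000 2024] [core:info] [pid 900] [client 203.0.113.7:40113] File does not exist: /var/www/html/wp-login.php
[Mon Mar 04 10:00:03.300000 2024] [core:info] [pid 901] [client 198.51.100.9:51000] File does not exist: /var/www/html/favicon.ico
[Mon Mar 04 10:00:04.400000 2024] [core:info] [pid 900] [client 203.0.113.7:40114] File does not exist: /var/www/html/getcfg.php
[Mon Mar 04 10:00:05.500000 2024] [core:info] [pid 901] [client 198.51.100.9:51001] File does not exist: /var/www/html/favicon.ico
[Mon Mar 04 10:20:00.000000 2024] [core:info] [pid 902] [client 192.0.2.44:33000] File does not exist: /var/www/html/a.php
[Mon Mar 04 11:30:00.000000 2024] [core:info] [pid 902] [client 192.0.2.44:33001] File does not exist: /var/www/html/b.php
[Mon Mar 04 12:40:00.000000 2024] [core:info] [pid 902] [client 192.0.2.44:33002] File does not exist: /var/www/html/c.php
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?\[client (?P<ip>[0-9a-fA-F.:]+?)(?::\d+)?\] "
    r".*?File does not exist: (?P<path>\S+)"
)

def probing_ips(log_text, min_paths=3, window=timedelta(minutes=5)):
    """Map each IP that hit >= min_paths distinct missing files within `window` to those paths."""
    hits = defaultdict(list)  # ip -> [(timestamp, path), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        except ValueError:
            continue  # timestamp not in the assumed layout
        hits[m["ip"]].append((ts, m["path"]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            paths = {p for _, p in events[start:end + 1]}
            if len(paths) >= min_paths:
                flagged[ip] = sorted(paths)
                break
    return flagged

if __name__ == "__main__":
    print(probing_ips(SAMPLE_LOG))
```

Counting distinct paths rather than raw errors keeps a browser that repeatedly requests one missing favicon from being flagged, and the time window keeps slow, unrelated misses from adding up.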