Using CSF to block IPs sending GET/POST request multiple times

caisc
Junior Member
Posts: 21
Joined: 03 Oct 2011, 07:38

Using CSF to block IPs sending GET/POST request multiple times

Post by caisc »

Hi,

Can I use CSF to block IPs involved in this sort of attack?


141.101.81.104 - - [13/Feb/2017:19:39:19 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.81.104 - - [13/Feb/2017:19:39:20 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.81.62 - - [13/Feb/2017:19:39:22 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.81.62 - - [13/Feb/2017:19:39:23 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.81.62 - - [13/Feb/2017:19:39:24 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.139 - - [13/Feb/2017:19:39:30 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.97 - - [13/Feb/2017:19:39:31 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.81.104 - - [13/Feb/2017:19:39:34 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.81.44 - - [13/Feb/2017:19:39:34 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.139 - - [13/Feb/2017:19:39:39 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.81.44 - - [13/Feb/2017:19:39:40 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.139 - - [13/Feb/2017:19:39:42 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.139 - - [13/Feb/2017:19:39:42 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.81.44 - - [13/Feb/2017:19:39:46 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.139 - - [13/Feb/2017:19:39:47 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.139 - - [13/Feb/2017:19:39:51 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.139 - - [13/Feb/2017:19:39:51 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.139 - - [13/Feb/2017:19:39:55 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.139 - - [13/Feb/2017:19:39:57 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.139 - - [13/Feb/2017:19:39:59 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.139 - - [13/Feb/2017:19:40:00 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"
141.101.80.97 - - [13/Feb/2017:19:40:01 +0530] "GET /rss/catalog/notifystock/ HTTP/1.1" 302 - "-" "-"


The IPs keep changing and continuously send requests to the account; eventually this causes a resource limit exceeded error on the website.

What settings should I change in CSF to stop this sort of attack?

Thanks
caisc
Junior Member
Posts: 21
Joined: 03 Oct 2011, 07:38

Re: Using CSF to block IPs sending GET/POST request multiple times

Post by caisc »

Here is another example -

124.253.12.70 - - [15/Feb/2017:22:59:36 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 53 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:37 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 62 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:37 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 56 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:38 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 48 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:38 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 48 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:38 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 47 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:38 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 52 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:39 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 58 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:39 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 52 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:39 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 52 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:39 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 50 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:40 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 53 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:40 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 53 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:41 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 48 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:41 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 55 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:41 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 51 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:41 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 47 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:41 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 51 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:42 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 50 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:42 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 52 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:42 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 49 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:43 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 49 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:43 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 53 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:43 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 53 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:43 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 48 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:44 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 49 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:44 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 57 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:44 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 56 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:45 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 50 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:45 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 54 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:45 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 53 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:45 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 51 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:46 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 47 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:46 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 49 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:47 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 45 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:47 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 48 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:47 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 49 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:47 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 49 "http://domain-name.com/wp-admin/admin.php?page=newsletters-importexport&method=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:47 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 45 "http://domain-name.com/wp-admin/admin.p ... hod=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:47 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 48 "http://domain-name.com/wp-admin/admin.p ... hod=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:47 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 49 "http://domain-name.com/wp-admin/admin.p ... hod=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"
124.253.12.70 - - [15/Feb/2017:22:59:47 +0530] "POST /wp-admin/admin-ajax.php?action=wpmlimportsubscribers HTTP/1.1" 200 49 "http://domain-name.com/wp-admin/admin.p ... hod=import" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36"

One single IP exploiting resources continuously.
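
The two patterns posted above call for different counting keys. As an added example (not part of the thread or of CSF), this sliding-window counter over Apache access-log lines flags by client IP and by URL path; the sample lines are constructed, 203.0.113.7 is a stand-in address, and treating 141.101.64.0/18 as a reverse-proxy range is an assumption to check against the proxy actually in front of the site.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format prefix: client IP, timestamp, method, request target.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
# Assumption: treat 141.101.64.0/18 as a reverse-proxy (CDN) range; use the
# ranges of whatever proxy actually fronts the site.
PROXY_NETS = [ipaddress.ip_network("141.101.64.0/18")]

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, target.split("?", 1)[0]

def flood_keys(lines, key, limit, window_s):
    """Keys seen more than `limit` times within any `window_s`-second span."""
    window = timedelta(seconds=window_s)
    recent, flagged = defaultdict(deque), set()
    for rec in filter(None, map(parse, lines)):
        q = recent[key(rec)]
        q.append(rec[1])
        while rec[1] - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) > limit:
            flagged.add(key(rec))
    return flagged

def behind_proxy(ip):
    # True when the logged address belongs to a proxy, not an end client.
    return any(ipaddress.ip_address(ip) in net for net in PROXY_NETS)

def _line(ip, sec, method, target):
    return (f'{ip} - - [13/Feb/2017:19:39:{sec:02d} +0530] '
            f'"{method} {target} HTTP/1.1" 302 - "-" "-"')

# Constructed sample modelled on the two excerpts in the thread: five rotating
# addresses hitting one URL every 2 s, then one address posting 12 times in 4 s.
ROTATING = ["141.101.81.104", "141.101.81.62", "141.101.80.139",
            "141.101.80.97", "141.101.81.44"]
SAMPLE = [_line(ROTATING[i % 5], 2 * i, "GET", "/rss/catalog/notifystock/")
          for i in range(15)]
SAMPLE += [_line("203.0.113.7", 30 + i // 3, "POST",
                 "/wp-admin/admin-ajax.php?action=wpmlimportsubscribers")
           for i in range(12)]

PER_IP = flood_keys(SAMPLE, lambda r: r[0], limit=5, window_s=10)
PER_PATH = flood_keys(SAMPLE, lambda r: r[3], limit=5, window_s=10)
if __name__ == "__main__":
    print("per-IP flags:  ", sorted(PER_IP))
    print("per-path flags:", sorted(PER_PATH))
```

With a limit of 5 hits per 10 seconds, the per-IP key flags only the single-address POST burst, while the per-path key also flags the URL hit by rotating addresses. When `behind_proxy()` is true for a logged address, a firewall block on it affects the proxy rather than the originating client.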
ohgoodiee
Junior Member
Posts: 2
Joined: 29 Aug 2018, 11:09

Re: Using CSF to block IPs sending GET/POST request multiple times

Post by ohgoodiee »

I know this post is a year old, but maybe someone can find this useful.

Create an htaccess file and put the following in it; that will block the POST, etc.

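RewriteEngine On

# Redirect requests that use any of the listed HTTP methods.
RewriteCond %{REQUEST_METHOD} ^(CONNECT|HEAD|TRACE|DELETE|TRACK|DEBUG|MOVE|PUT) [NC]
RewriteRule ^(.*)$ http://yandex.com/ [R=302,L]
# Alternative: answer with 403 Forbidden instead of redirecting.
#RewriteRule ^(.*)$ - [F,L]

# Redirect requests whose User-Agent is empty, contains markup or encoded
# control characters, or names one of the listed libraries and tools.
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(Java|htmlparser|python|zend|zgrab|raynette|lwp|nutch|virusdie|lynx|Dataprovider).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^.*(winhttp|libwww\-perl|curl|wget|harvest|scan|grab|extract|HeadlessChrome).* [NC]
RewriteRule ^(.*)$ http://yandex.com/ [R=302,L]

# Return 403 for the listed file types when a Referer is present and does not
# belong to this site (replace your-domain-name-here).
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?your-domain-name-here [NC]
RewriteRule \.(jpg|jpeg|gif|png|bmp|exe|swf|svg|css|txt|js|scss|pdf)$ ? [F,L]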

This can also be added to the Apache conf file.
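
As an added example (not part of the post above), the method and User-Agent conditions from these rules can be evaluated against the kinds of request shown earlier in the thread to see which rule group, if any, each one matches. The patterns are copied from the RewriteCond lines; the requests are constructed, the function names are hypothetical, and the Referer rule is left out because it only applies to the listed static file types.

```python
import re

# Patterns copied from the RewriteCond lines in the post; [NC] becomes re.I.
# mod_rewrite matches unanchored unless the pattern anchors itself, so search().
METHOD_RE = re.compile(r"^(CONNECT|HEAD|TRACE|DELETE|TRACK|DEBUG|MOVE|PUT)", re.I)
UA_RES = [
    re.compile(r"^$"),
    re.compile(r"^.*(<|>|'|%0A|%0D|%27|%3C|%3E|%00).*", re.I),
    re.compile(r"^.*(Java|htmlparser|python|zend|zgrab|raynette|lwp|nutch|"
               r"virusdie|lynx|Dataprovider).*", re.I),
    re.compile(r"^.*(winhttp|libwww\-perl|curl|wget|harvest|scan|grab|extract|"
               r"HeadlessChrome).*", re.I),
]

def matched_rule(method, user_agent):
    """Name the rule group that would redirect this request, or None."""
    if METHOD_RE.search(method):
        return "method"
    if any(p.search(user_agent) for p in UA_RES):
        return "user-agent"
    return None

CHROME = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
          "(KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36")

# Constructed requests. The first two mirror the thread's log excerpts
# (assumption: a logged "-" User-Agent means the header was absent).
REQUESTS = [
    ("GET", "/rss/catalog/notifystock/", ""),
    ("POST", "/wp-admin/admin-ajax.php", CHROME),
    ("HEAD", "/", CHROME),
    ("GET", "/", "curl/7.52.1"),
]

def evaluate(requests):
    """Return (method, path, matching rule group or None) for each request."""
    return [(m, path, matched_rule(m, ua)) for m, path, ua in requests]

if __name__ == "__main__":
    for method, path, rule in evaluate(REQUESTS):
        print(f"{method:5} {path:28} -> {rule or 'passes through'}")
```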