Write to text file via Apache .conf files


csdude55

7:22 pm on Mar 27, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I block MySQL injection attempts via /etc/apache2/conf.d/userdata/exploits.conf:

# Enable the rewrite engine for this context (needed once before any rules)
RewriteEngine On
# Match either pattern anywhere in the raw, undecoded query string, case-insensitively ([NC])
RewriteCond %{QUERY_STRING} foo|bar [NC]
# Any URL (^), no substitution (-), answer 403 Forbidden ([F]) and stop
RewriteRule ^ - [F]


But I recently discovered that these attempts still show up in the access log, and when I'm under attack it spikes my server load.

I have a brute force block list (a text file, /home/example/block.list) on my account that CSF reads for additional IPs to block. Is there a way to write to this text file directly from Apache, so that I could block the IP on the fly and not let them hit PHP first?

csdude55

7:23 pm on Mar 27, 2022 (gmt 0)


Sorry if the code doesn't make sense, I was getting a Forbidden error while trying to submit it so I kept removing lines until it would go through. But hopefully you get the idea; I have several conditions, and if it matches then I throw a [F].

phranque

6:45 am on Mar 28, 2022 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



if you are using mod_rewrite to intercept the request and respond with a 403 then PHP never comes into play.

csdude55

5:15 pm on Mar 28, 2022 (gmt 0)


The attempts are still causing a huge spike in server load, though. It's gone from < 1 to over 75 in a matter of minutes, and when I can finally get the log files to open I can see that it's from a ton of accesses that are trying to run MySQL injection. They're (in theory) being blocked via Apache, but they're still showing up in the logs and spiking the load.

I don't see a way for CSF to automatically temp block IPs that are doing this.

If I can't do it in Apache then I may need to remove this from .conf, recreate it in PHP, and then write to a block list that's read by CSF and send them to a 403 page. That would work for my site, but it would leave my hosted clients vulnerable so it's not ideal.

lucy24

5:31 pm on Mar 28, 2022 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



They're (in theory) being blocked via Apache, but they're still showing up in the logs and spiking the load.
That's in the nature of logs. They show all requests, regardless of response. It's only a cause for concern if blocked requests are showing up as 200, meaning that the 403 is issued by something other than the config file.

Have you looked into mod_security (third-party)? Some hosts offer it as an optional extra on shared hosting. That is, users get a yes/no toggle--use it or don't--and then the actual parameters are set in the config file.

csdude55

5:49 pm on Mar 28, 2022 (gmt 0)


I thought that I had it installed, but I think when I moved to the new server and updated everything it removed it; now I see mod_security2 is available, but mod_security isn't listed anywhere.

I'm looking at this:

When the mod_security2 module is added on one of our servers, we automatically install it with the OWASP Core Rule Set (CRS). OWASP CRS is a list of rules created for WAFs and protects against a variety of common attacks, like SQL injection, cross-site scripting, and local file inclusion.


[pair.com...]

It's not clear what "local file inclusion" means, though. Am I going to run into any problems if I install it?

lucy24

12:39 am on Mar 29, 2022 (gmt 0)


:: detour to check something ::

I'm on shared hosting, so I have to do this in a roundabout way.

Ay-yup, mod_security2 it is. That's on Apache 2.4.something (for some reason, the ONLY thing printenv won't tell me with precision.)

phranque

1:22 am on Mar 29, 2022 (gmt 0)


it is unlikely your web app is purposely using local file inclusion.