Block "get /.env" requests
Posted: 09 Jun 2022, 00:48
by BillyJ
Lately I've been getting heaps of these
GET /.env HTTP/1.1
generally 20 or 30 from a single IP address at a time (not the same IP address all the time or I'd block it).
Is there a way to immediately blacklist an IP that calls this GET request or to block all GET requests to /.env?
Re: Block "get /.env" requests
Posted: 10 Jun 2022, 14:57
by Sergio
Yes, you can.
What I do is to use ModSecurity to block the offending IP, then in CSF I have the following rule that will block the IP on first try:
On Comodo the rule number that blocks .env is: 210492
So, my regex is like the following. (I have deleted all the ID numbers that I block and just left the one for the .env, but you can add as many rules as you want using "|", for example (210492|225170|210491).) To get a list of the most used ModSecurity IDs, go into your ConfigServer ModSecurity Control, see the ID numbers and add them to the rule.
Modify the rule according to your server:
# BLOCKING ModSec Rules attacks by Secmas
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210492)"\]/i)) {
    return ("mod_security attack id $2",$1,"Secmas_ModSec","1","1");
}
Sergio
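
One way to check the rule before relying on it, as an added example that is not part of Sergio's post: this stand-alone Perl script runs the same pattern, with the ID alternation built from a list, over constructed log lines. The helper name `check_line`, the sample lines and the placeholder ID 999999 are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not from the post: offline check of the ModSecurity-ID
# pattern before it goes into CSF's custom regex. It never touches CSF.
use strict;
use warnings;

# 210492 is the Comodo .env rule named in the post; the other two are the
# IDs the post uses to illustrate the "|" syntax.
my @ids    = qw(210492 225170 210491);
my $id_alt = join '|', map { quotemeta($_) } @ids;

# Same pattern as the posted rule, with the ID list interpolated.
my $re = qr/^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "($id_alt)"\]/i;

# Hypothetical helper mirroring the rule body: the five values the posted
# rule returns on a match, an empty list otherwise.
sub check_line {
    my ($line) = @_;
    return ("mod_security attack id $2", $1, "Secmas_ModSec", "1", "1")
        if $line =~ $re;
    return;
}

# Constructed, abbreviated log lines follow __DATA__:
#   1-2  listed IDs, layout with two [client ...] fields as the rule expects
#   3    an ID that is not in the list (999999 is a placeholder)
#   4    only one [client ...] field, so the pattern does not apply
my $n = 0;
while (my $line = <DATA>) {
    chomp $line;
    next unless length $line;
    $n++;
    my @hit = check_line($line);
    if (@hit) {
        print "line $n: BLOCK ip=$hit[1] ($hit[0])\n";
    } else {
        print "line $n: no match\n";
    }
}

__DATA__
[Thu Jun 09 00:48:12.123456 2022] [:error] [pid 4321:tid 4700] [client 203.0.113.7:51514] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). [id "210492"] [uri "/.env"]
[Thu Jun 09 00:48:13.654321 2022] [:error] [pid 4321:tid 4701] [client 198.51.100.23:40022] [client 198.51.100.23] ModSecurity: Access denied with code 403 (phase 2). [id "225170"] [uri "/index.php"]
[Thu Jun 09 00:48:14.111111 2022] [:error] [pid 4321:tid 4702] [client 192.0.2.50:33333] [client 192.0.2.50] ModSecurity: Warning. [id "999999"] [uri "/"]
[Thu Jun 09 00:48:15.222222 2022] [:error] [pid 4321:tid 4703] [client 192.0.2.77:44444] ModSecurity: Access denied with code 403 (phase 2). [id "210492"] [uri "/.env"]
```

Replacing the lines after `__DATA__` with a few entries from your own ModSecurity error log shows whether the layout on your server matches the pattern before the rule is enabled.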