
Stop 401 Attacks in Apache

Posted: 30 Mar 2014, 17:07
by bsntech
Getting hundreds of these attacks:

82.98.162.20 - - [29/Mar/2014:23:59:07 -0500] "GET /administrator/index.php HTTP/1.0" 401 -

I have enabled the HTACCESS and MODSEC and set the log files to the proper place, but these are not being stopped.

Re: Stop 401 Attacks in Apache

Posted: 30 Mar 2014, 18:32
by bsntech
I added this to the regex.custom.pm log - doesn't seem to work. Just need some help figuring out how to make a regex to find these. Here is the code:


#mod_security v2 (audit_log)
# Custom CSF rule (regex.custom.pm): when LF_MODSEC is on and the line being read
# comes from the configured MODSEC_LOG, match an Apache access-log entry that
# carries a 401 status and hand the client IP back to CSF to be counted.
if (($config{LF_MODSEC}) and ($lgfile eq $config{MODSEC_LOG}) and ($line =~ /^(\S+)\ (.*) 401 (.*)/)) {
    $ip = $1; $acc = "";
    $ip =~ s/^::ffff://;    # strip the IPv4-mapped IPv6 prefix Apache may log
    if (&checkip($ip)) {return ("mod_security triggered by","$ip|$acc","mod_security")} else {return}
}
And here are the logs I'm trying to catch:


182.48.46.250 - - [30/Mar/2014:11:52:38 -0500] "GET /administrator/index.php HTTP/1.0" 401 489
The only thing I'm looking to pull out of the log entries is the IP address and the "401" in there.

Re: Stop 401 Attacks in Apache

Posted: 30 Mar 2014, 18:53
by bsntech
Fixed.

Found another post that referenced a site I could use to check RegEx.

Link to the RegEx checker:
http://regex101.com/r/uO1vS2

Here is the RegEx if you want to be able to block those getting 401 errors in Apache:


#mod_security v2 (audit_log)
# Working version. Two things differ from the earlier attempt: the log-file test
# is $globlogs{MODSEC_LOG}{$lgfile}, and the regex keys on the close of the
# request line, the literal 1.0" followed by whitespace and the 401 status.
# As written it therefore only matches HTTP/1.0 requests, which is what the
# quoted log lines contain; $1 is the first non-space field, the client IP.
if (($config{LF_MODSEC}) and ($globlogs{MODSEC_LOG}{$lgfile}) and ($line =~ /(\S+)(.*)1.0\"\s+401(.*)/)) {
    $ip = $1; $acc = "";
    $ip =~ s/^::ffff://;    # strip the IPv4-mapped IPv6 prefix Apache may log
    if (&checkip($ip)) {return ("mod_security triggered by","$ip|$acc","mod_security")} else {return}
}
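As an added example (not code from the thread or from CSF), the Python below runs the two patterns posted above, transcribed from Perl, plus a tighter anchored alternative over constructed Apache access-log lines modelled on the ones quoted in the thread. The extra lines and addresses are made up (RFC 5737 documentation ranges), the anchored pattern assumes Apache's common/combined log format, and the threshold in offenders() stands in for CSF's LF_MODSEC trigger count; none of these values come from the original post.

```python
import re
from collections import Counter

# Constructed Apache access-log lines modelled on the ones quoted in the thread.
# The extra addresses are RFC 5737 documentation ranges, not real clients.
SAMPLE_LOG = [
    '182.48.46.250 - - [30/Mar/2014:11:52:38 -0500] "GET /administrator/index.php HTTP/1.0" 401 489',
    '82.98.162.20 - - [29/Mar/2014:23:59:07 -0500] "GET /administrator/index.php HTTP/1.0" 401 -',
    # Same probe, but over HTTP/1.1 and from an IPv4-mapped IPv6 address.
    '203.0.113.7 - - [30/Mar/2014:12:01:02 -0500] "GET /administrator/index.php HTTP/1.1" 401 489',
    '::ffff:198.51.100.9 - - [30/Mar/2014:12:03:15 -0500] "POST /administrator/index.php HTTP/1.1" 401 489',
    # Legitimate 200 responses that happen to contain "401" elsewhere on the line.
    '192.0.2.44 - - [30/Mar/2014:12:05:00 -0500] "GET /index.php HTTP/1.1" 200 4012',
    '192.0.2.45 - - [30/Mar/2014:12:06:00 -0500] "GET /401.html HTTP/1.1" 200 401',
    '192.0.2.46 - - [30/Mar/2014:12:07:00 -0500] "GET /index.php HTTP/1.1" 200 401 "-" "Mozilla/5.0"',
    # A repeat hit from the first client, to exercise the threshold.
    '182.48.46.250 - - [30/Mar/2014:11:52:39 -0500] "GET /administrator/index.php HTTP/1.0" 401 489',
]

# The two patterns from the thread, transcribed from Perl (same syntax in Python's re).
FIRST_REGEX = re.compile(r'^(\S+)\ (.*) 401 (.*)')       # second post
THREAD_REGEX = re.compile(r'(\S+)(.*)1.0"\s+401(.*)')     # final post

# Tighter alternative (assumption: Apache common/combined log format). It walks the
# fixed fields up to the request line and reads the status that follows the closing
# quote, so it works for any HTTP version and ignores "401" in a URL, byte count or
# referrer field.
ANCHORED_REGEX = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ \S+ HTTP/\d\.\d" 401 ')


def extract_401_ip(line, regex):
    """Return the client IP if the line matches, else None.
    Mirrors the Perl snippet, including the ::ffff: strip."""
    m = regex.search(line)
    if not m:
        return None
    ip = m.group(1)
    if ip.startswith('::ffff:'):
        ip = ip[len('::ffff:'):]
    return ip


def scan(lines, regex):
    """IPs of every matching line, in log order (one entry per hit)."""
    return [ip for ip in (extract_401_ip(line, regex) for line in lines) if ip]


def offenders(lines, regex, threshold):
    """IPs seen at least `threshold` times, the way a CSF LF_* counter decides
    whom to block. The threshold value is an assumption for this example."""
    counts = Counter(scan(lines, regex))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    for name, rx in (('first', FIRST_REGEX), ('thread', THREAD_REGEX), ('anchored', ANCHORED_REGEX)):
        print(f'{name:9s} {scan(SAMPLE_LOG, rx)}')
    print('block   ', offenders(SAMPLE_LOG, ANCHORED_REGEX, 2))
```

Running it shows what each pattern actually catches on these lines: the second-post regex matches every real 401 but also the 200 response whose byte count is 401 followed by a referrer; the final-post regex has no false positives but only sees the HTTP/1.0 probes and misses the identical HTTP/1.1 and ::ffff: ones; the anchored pattern catches all five 401s and nothing else. Whatever regex you settle on in regex.custom.pm, it is worth checking it against a few lines of your own access log in this way, including some non-401 traffic, before letting CSF block on it.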