
HTTP Host HEAD attacks in prestashop cPanel host


I see this huge log in the Apache log for my website:

192.111.129.145 - - [07/Jun/2021:13:07:50 +0430] "HEAD /?Y256629118494u166019161242G5231293763232i55356056861y HTTP/1.1" 403 0 "hsteam-gifts.ir/" "z"
103.137.165.152 - - [07/Jun/2021:13:07:51 +0430] "POST / HTTP/1.1" 403 699 "-" "python-requests/2.25.1"
192.111.129.145 - - [07/Jun/2021:13:07:49 +0430] "HEAD /?Y256629118494u166019161242G5231293763232i55356056861y HTTP/1.1" 403 0 "hsteam-gifts.ir/" "z"
192.111.129.145 - - [07/Jun/2021:13:07:49 +0430] "HEAD /?Y256629118494u166019161242G5231293763232i55356056861y HTTP/1.1" 403 0 "hsteam-gifts.ir/" "z"
192.111.129.145 - - [07/Jun/2021:13:07:49 +0430] "HEAD /?Y256629118494u166019161242G5231293763232i55356056861y HTTP/1.1" 403 0 "hsteam-gifts.ir/" "z"
192.111.129.145 - - [07/Jun/2021:13:07:49 +0430] "HEAD /?Y256629118494u166019161242G5231293763232i55356056861y HTTP/1.1" 403 0 "hsteam-gifts.ir/" "z"
192.111.129.145 - - [07/Jun/2021:13:07:49 +0430] "GET / HTTP/1.1" 403 699 "nsteam-gifts.ir/" "a"
192.111.129.145 - - [07/Jun/2021:13:07:49 +0430] "GET / HTTP/1.1" 403 699 "nsteam-gifts.ir/" "a"
192.111.129.145 - - [07/Jun/2021:13:07:49 +0430] "GET / HTTP/1.1" 403 699 "nsteam-gifts.ir/" "a"
192.111.129.145 - - [07/Jun/2021:13:07:49 +0430] "GET / HTTP/1.1" 403 699 "nsteam-gifts.ir/" "a"
192.111.129.145 - - [07/Jun/2021:13:07:49 +0430] "GET / HTTP/1.1" 403 699 "nsteam-gifts.ir/" "a"
188.166.104.152 - - [07/Jun/2021:13:07:49 +0430] "POST / HTTP/1.1" 403 699 "-" "python-requests/2.25.1"
188.166.104.152 - - [07/Jun/2021:13:07:50 +0430] "POST / HTTP/1.1" 403 699 "-" "python-requests/2.25.1"
188.166.104.152 - - [07/Jun/2021:13:07:50 +0430] "POST / HTTP/1.1" 403 699 "-" "python-requests/2.25.1"
103.137.165.152 - - [07/Jun/2021:13:07:50 +0430] "POST / HTTP/1.1" 403 699 "-" "python-requests/2.25.1"
103.137.165.152 - - [07/Jun/2021:13:07:50 +0430] "POST / HTTP/1.1" 403 699 "-" "python-requests/2.25.1"

I block the requests in .htaccess and the request result is 403. How can I prevent this attack? WAF? Cloudflare? I use cPanel + LiteSpeed.


Solution

  • Controlled with the following items:

    First, add this code in index.php:

    <?php
    // Drop any request that sends no User-Agent header at all.
    if (!isset($_SERVER['HTTP_USER_AGENT'])) {
        exit();
    }
    // Drop the exact User-Agent strings blocked here ("\\" is a single backslash).
    $ua = $_SERVER['HTTP_USER_AGENT'];
    if ($ua === "python-requests/2.25.1" || $ua === "a" || $ua === "\\") {
        exit();
    }

    Next, I block IPs with this command:

    awk '{print $1}' /var/log/apache2/domlogs/mydomain.com-ssl_log | sort | uniq -c | sort -n | awk '{ if ($1 > 10000) print $2 }' >> /etc/csf/csf.deny
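As an added example (not part of the answer above), the same two controls applied offline to sample log lines: parse Apache combined-format entries, flag the User-Agent strings the answer blocks, count requests per IP against a threshold (the answer uses 10000; the sample uses a small one), and emit lines in the `ip # comment` form that csf.deny accepts. The log lines are constructed from the ones in the question plus one benign visitor; the `203.0.113.7` address and the threshold value are assumptions.

```python
import re
from collections import Counter

# Apache combined log: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample modelled on the question's log (203.0.113.7 is a made-up visitor).
SAMPLE_LOG = """\
192.111.129.145 - - [07/Jun/2021:13:07:50 +0430] "HEAD /?Y2566 HTTP/1.1" 403 0 "hsteam-gifts.ir/" "z"
192.111.129.145 - - [07/Jun/2021:13:07:49 +0430] "GET / HTTP/1.1" 403 699 "nsteam-gifts.ir/" "a"
192.111.129.145 - - [07/Jun/2021:13:07:49 +0430] "GET / HTTP/1.1" 403 699 "nsteam-gifts.ir/" "a"
188.166.104.152 - - [07/Jun/2021:13:07:49 +0430] "POST / HTTP/1.1" 403 699 "-" "python-requests/2.25.1"
103.137.165.152 - - [07/Jun/2021:13:07:50 +0430] "POST / HTTP/1.1" 403 699 "-" "python-requests/2.25.1"
203.0.113.7 - - [07/Jun/2021:13:08:02 +0430] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# User-Agent values the answer's index.php check drops; "" stands in for a missing header.
BLOCKED_UAS = {"python-requests/2.25.1", "a", "\\", ""}

def parse_log(text):
    """Yield one dict per line that matches the combined log format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def offending_ips(text, threshold):
    """Sorted (ip, reason) pairs: blocked UA, or more than `threshold` requests."""
    hits = Counter()
    flagged = {}
    for rec in parse_log(text):
        hits[rec["ip"]] += 1
        if rec["ua"] in BLOCKED_UAS:
            flagged.setdefault(rec["ip"], "blocked user-agent %r" % rec["ua"])
    for ip, n in hits.items():
        if n > threshold:  # same test as the awk filter in the answer
            flagged.setdefault(ip, "%d requests > %d" % (n, threshold))
    return sorted(flagged.items())

def csf_deny_lines(text, threshold):
    """Lines in the 'ip # comment' form used in csf.deny."""
    return ["%s # %s" % (ip, why) for ip, why in offending_ips(text, threshold)]

if __name__ == "__main__":
    for line in csf_deny_lines(SAMPLE_LOG, threshold=2):
        print(line)
```

Review the generated lines before appending them to csf.deny; a threshold that is too low for the site's real traffic would deny legitimate visitors.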