Post by hostking » Fri Jan 08, 2021 4:17 pm

We have a strange issue. Hoping someone has a modsecurity rule or something to stop this on our shared hosting servers. We already implemented a Captcha on the site's login page, but it does not seem to stop this.

We tried three different modsecurity rulesets, OWASP, Comodo and even Atomic (paid), and none seem to stop this attack on the /admin folder.

I assume we may have to use some regular expression, but my knowledge of that is not so good.

Unless someone can recommend a technique or way to stop this across multiple websites on a server?

180.252.180.250 - - [08/Jan/2021:10:15:43 +0200] "POST /admin/ HTTP/1.1" 406 455 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
122.173.51.255 - - [08/Jan/2021:10:15:46 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
106.201.153.52 - - [08/Jan/2021:10:15:46 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
82.213.229.161 - - [08/Jan/2021:10:15:49 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"


Post by ADD Creative » Fri Jan 08, 2021 9:18 pm

Is creating an allow list of IP addresses and denying access to IP addresses not on that list an option?

Is renaming the admin folder an option?

Also see:
https://github.com/opencart/opencart/issues/8710

www.add-creative.co.uk



Post by JNeuhoff » Fri Jan 08, 2021 9:45 pm

Create an 'admin/.htaccess' file with this in it:


order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP address from which you access your OpenCart admin backend. Nobody else will be able to access your OpenCart admin; they get 403s instead!

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig




Post by straightlight » Fri Jan 08, 2021 10:00 pm

JNeuhoff wrote:
Fri Jan 08, 2021 9:45 pm
Create an 'admin/.htaccess' file with this in it:


order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP address from which you access your OpenCart admin backend. Nobody else will be able to access your OpenCart admin; they get 403s instead!
By returning a 403 response, however, invaders are also made aware that there's an implicit deny in the meantime.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by IP_CAM » Fri Jan 08, 2021 10:29 pm

Or use something like this; it's a relatively simple but very efficient way to keep 'em from giving you a hard time. I have used a similar mod for years ... ;)

(OCMOD) Secure Admin URL
Set the Key and additional value to protect your Admin URL preventing unauthorized entry.
https://www.opencart.com/index.php?rout ... n_id=40693

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by johnp » Sat Jan 09, 2021 1:53 am

Stick the free version of Ninja Firewall on. I use it on all my OC sites.

https://nintechnet.com/ninjafirewall/pro-edition/

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk



Post by IP_CAM » Sat Jan 09, 2021 4:46 am

johnp wrote:
Sat Jan 09, 2021 1:53 am
Stick the free version of Ninja Firewall on. I use it on all my OC sites.
Well, I tried their test site, but despite adding their 'robots' content, it told me that it was not able to find their 'entry' in my robots file. ::)
I still rely on my .htaccess file, blocking about 750'000 IP addresses so far, to keep my sites working. I again had an attack attempt last night, mainly from Russian and some South American IPs, with no site errors, except for leaving their IPs in my logs. It just resulted in adding about 45 IP blocks, like 3.133.99 (= 11'475 IPs), to the .htaccess file. In addition to 'redirecting' every single 'link', to prevent such from ever accessing the site again, wherever it might come from ... :laugh:
It's just one of the daily jobs, if one really cares to keep a site alive ...

Post by johnp » Sat Jan 09, 2021 4:49 am

I wouldn't be without it Ernie. Download the free one and give it a try. It's very good. :)


Post by EvolveWebHosting » Sat Jan 09, 2021 7:05 am

Astra is another great option if you're willing to pay for a license. Going to suggest that everyone stays clear of Comodo.

2 Week FREE Trial of our Shared Hosting plans (DirectAdmin or cPanel) for new customers
2 Week FREE Trial of Astra Firewall and Malware Scanner
Visit our website for full details and to start your trial today - www.evolvewebhost.com



Post by straightlight » Sat Jan 09, 2021 7:14 am

EvolveWebHosting wrote:
Sat Jan 09, 2021 7:05 am
Astra is another great option if you're willing to pay for a license. Going to suggest that everyone stays clear of Comodo.
They do seem to have pretty good ratings on Google so far. However, their plans seem to be per-process, pretty much, instead of offering these plans as recurring packages.


Post by Cue4cheap » Sat Jan 09, 2021 9:09 am

johnp wrote:
Sat Jan 09, 2021 4:49 am
I wouldn't be without it Ernie. Download the free one and give it a try. It's very good. :)
I must be blind because I don't see a free version....
Mike

cue4cheap not cheap quality



Post by IP_CAM » Sat Jan 09, 2021 9:40 am

I must be blind because I don't see a free version...
Same for me; I found that czar_astra_oc1.5.xml on the OC Extension site, but that's good for nothing, as it looks .... :crazy:


Post by johnp » Sat Jan 09, 2021 6:50 pm

Visit the page below. There's a download link at the bottom of the comparison table. :)

https://nintechnet.com/ninjafirewall/pro-edition

If anyone needs it I've got a zip file of the free one and can share if you PM me.


Post by EvolveWebHosting » Sat Jan 09, 2021 7:07 pm

straightlight wrote:
Sat Jan 09, 2021 7:14 am
EvolveWebHosting wrote:
Sat Jan 09, 2021 7:05 am
Astra is another great option if you're willing to pay for a license. Going to suggest that everyone stays clear of Comodo.
They do seem to have pretty good ratings on Google, so far. However, their plans seem to be per-process pretty much instead of offering these plans by recurring packages.
I am not sure what you mean by this. It's a monthly or annual license, per domain. Unlimited scans and cleanups. Our pricing is actually a little bit lower than you can get directly from them and anyone can purchase it through us, even if you aren't hosting your site with us.


Post by johnp » Sat Jan 09, 2021 7:59 pm

On my OC sites I always use Cidram to block traffic from bad sources and Ninja Firewall to block SQL injections etc. Yes they're not officially supported by Opencart but they work for me and so far I've not had a site hacked or slowed down with them on. My clients aren't bothered about what I use. They just want their sites up and secure. Each to their own but that's my approach. :)


Post by YDA » Wed Jan 20, 2021 8:22 pm

Hi,
In one of my .htaccess files I have this:


<Files *>
  <RequireAll>
    Require all granted
# Cambodia (KH)
Require not ip 114.134.184.0/21
# Chinese (CN) IP addresses follow (split into two lines on 7/6/17 to avoid possible Server 500 due to excess line length):
Require not ip 1.24.0.0/13 1.48.0.0/15 1.50.0.0/16 1.56.0.0/13 1.68.0.0/14 1.80.0.0/13 1.92.0.0/14 1.180.0.0/14 1.188.0.0/14 1.192.0.0/13 1.202.0.0/15 1.204.0.0/14 14.16.0.0/12 14.104.0.0/13 14.112.0.0/12 14.134.0.0/15 14.144.0.0/12 14.204.0.0/15 14.208.0.0/12 23.80.54.0/24 23.104.141.0/24 23.105.14.0/24 23.226.208.0/24 27.8.0.0/13 27.16.0.0/12 27.36.0.0/14 27.40.0.0/13 27.50.128.0/17 27.54.192.0/18 27.106.128.0/18 27.115.0.0/17 27.148.0.0/14 27.152.0.0/13 27.184.0.0/13 27.192.0.0/11 27.224.0.0/14 36.1.0.0/16 36.4.0.0/14 36.26.0.0/16 36.32.0.0/14 36.36.0.0/16 36.40.0.0/13 36.48.0.0/15 36.56.0.0/13 36.96.0.0/11 36.128.0.0/11 36.248.0.0/14 39.64.0.0/11 39.96.0.0/13 39.128.0.0/10 42.4.0.0/14 42.48.0.0/13 42.56.0.0/14 42.84.0.0/14 42.88.0.0/13 42.96.128.0/17 42.100.0.0/14 42.120.0.0/14 42.156.0.0/16 42.176.0.0/13 42.185.0.0/16 42.202.0.0/15 42.224.0.0/12 42.240.0.0/16 42.242.0.0/15 42.248.0.0/15 43.226.64.0/20 43.255.0.0/20 43.255.16.0/22 43.255.48.0/22 43.255.60.0/22 43.255.64.0/20 43.255.96.0/20 43.255.144.0/22 43.255.168.0/22 43.255.176.0/22 43.255.184.0/22 43.255.192.0/22 43.255.200.0/21 43.255.208.0/21 43.255.224.0/21 43.255.232.0/22 43.255.244.0/22 47.74.0.0/15 47.76.0.0/14 47.80.0.0/13 47.88.0.0/14 47.92.0.0/14 49.5.0.0/16 49.64.0.0/11 49.112.0.0/13 54.222.0.0/15 58.16.0.0/14 58.20.0.0/16 58.21.0.0/16 58.22.0.0/15 58.34.0.0/16 58.37.0.0/16 58.38.0.0/16 58.40.0.0/16 58.42.0.0/16 58.44.0.0/14 58.48.0.0/13 58.56.0.0/14 58.60.0.0/14 58.68.128.0/17 58.82.0.0/15 58.100.0.0/15 58.116.0.0/14 58.128.0.0/13 58.208.0.0/12 58.240.0.0/13 58.248.0.0/13 59.32.0.0/12 59.48.0.0/14 59.52.0.0/14 59.56.0.0/13 59.72.0.0/16 59.108.0.0/15 59.172.0.0/14 60.0.0.0/12 60.11.0.0/16 60.12.0.0/14 60.16.0.0/13 60.24.0.0/13 60.160.0.0/11 60.194.0.0/15 60.205.0.0/16 60.208.0.0/12 60.253.128.0/17 61.4.64.0/20 61.4.80.0/22 61.4.176.0/20 61.48.0.0/13 61.128.0.0/10 61.135.0.0/16 61.136.0.0/18 61.139.0.0/16 61.145.73.208/28 61.147.0.0/16 61.150.0.0/16 61.152.0.0/16 61.154.0.0/16 61.158.0.0/16 
61.160.0.0/16 61.162.0.0/15 61.164.0.0/16 61.172.0.0/15 61.175.0.0/16 61.177.0.0/16 61.179.0.0/16 61.183.0.0/16 61.184.0.0/16 61.185.219.232/29 61.187.0.0/16 61.188.0.0/16 61.232.0.0/14 61.236.0.0/15 61.240.0.0/14 94.191.0.0/17
Require not ip 101.16.0.0/12 101.37.0.0/16 101.64.0.0/13 101.72.0.0/14 101.76.0.0/15 101.80.0.0/12 101.132.0.0/15 101.200.0.0/15 101.224.0.0/13 101.248.0.0/15 101.254.0.0/16 103.211.164.0/22 103.253.4.0/22 106.4.0.0/14 106.8.0.0/15 106.12.0.0/14 106.16.0.0/12 106.32.0.0/12 106.43.0.0/16 106.56.0.0/13 106.74.0.0/15 106.80.0.0/12 106.108.0.0/14 106.112.0.0/13 106.120.0.0/13 110.6.0.0/15 110.16.0.0/14 110.51.0.0/16 110.52.0.0/15 110.80.0.0/13 110.88.0.0/14 110.96.0.0/11 110.152.0.0/14 110.156.0.0/15 110.166.0.0/15 110.173.0.0/19 110.173.32.0/20 110.173.64.0/18 110.176.0.0/14 110.184.0.0/13 110.192.0.0/11 110.228.0.0/14 110.240.0.0/12 111.0.0.0/10 111.72.0.0/13 111.85.0.0/16 111.112.0.0/15 111.120.0.0/14 111.124.0.0/16 111.126.0.0/15 111.128.0.0/11 111.160.0.0/13 111.172.0.0/14 111.176.0.0/13 111.192.0.0/12 111.224.0.0/14 111.228.0.0/14 112.0.0.0/10 112.64.0.0/14 112.73.0.0/16 112.74.0.0/16 112.80.0.0/12 112.98.0.0/15 112.100.0.0/14 112.109.128.0/17 112.111.0.0/16 112.112.0.0/14 112.116.0.0/15 112.122.0.0/15 112.192.0.0/14 112.224.0.0/11 113.0.0.0/13 113.8.0.0/15 113.12.0.0/14 113.16.0.0/15 113.18.0.0/16 113.54.0.0/15 113.56.0.0/15 113.58.0.0/16 113.59.0.0/17 113.62.0.0/15 113.64.0.0/10 113.120.0.0/13 113.128.0.0/15 113.132.0.0/14 113.136.0.0/13 113.194.0.0/15 113.200.0.0/15 113.204.0.0/14 113.218.0.0/15 113.220.0.0/14 113.224.0.0/12 113.240.0.0/13 113.248.0.0/14 114.28.0.0/16 114.54.0.0/15 114.64.0.0/14 114.80.0.0/12 114.96.0.0/13 114.104.0.0/14 114.112.0.0/14 114.135.0.0/16 114.138.0.0/15 114.215.0.0/16 114.216.0.0/13 114.224.0.0/11 115.24.0.0/15 115.28.0.0/15 115.32.0.0/14 115.48.0.0/12 115.84.0.0/18 115.100.0.0/14 115.148.0.0/14 115.152.0.0/15 115.159.0.0/16 115.166.64.0/19 115.168.0.0/14 115.192.0.0/11 115.224.0.0/12 116.1.0.0/16 116.2.0.0/15 116.4.0.0/14 116.8.0.0/14 116.16.0.0/12 116.52.0.0/14 116.56.0.0/15 116.60.0.0/14 116.76.0.0/15 116.85.0.0/16 116.90.80.0/20 116.95.0.0/16 116.112.0.0/14 116.116.0.0/15 116.128.0.0/10 116.204.0.0/15 116.207.0.0/16 
116.208.0.0/14 116.213.64.0/18 116.213.128.0/17 116.224.0.0/12 116.248.0.0/15 116.252.0.0/15 116.254.128.0/18 117.8.0.0/13 117.21.0.0/16 117.22.0.0/15 117.24.0.0/13 117.32.0.0/13 117.40.0.0/14 117.44.0.0/15 117.50.0.0/16 117.51.0.0/16 117.57.0.0/16 117.60.0.0/14 117.64.0.0/13 117.79.224.0/20 117.80.0.0/12 117.106.0.0/15 117.112.0.0/13 117.128.0.0/10 118.24.0.0/15 118.26.0.0/16 118.72.0.0/13 118.80.0.0/15 118.89.0.0/16 118.112.0.0/13 118.120.0.0/14 118.124.0.0/15 118.132.0.0/14 118.144.0.0/14 118.180.0.0/14 118.186.0.0/15 118.192.0.0/15 118.194.0.0/16 118.213.0.0/16 118.244.0.0/16 118.248.0.0/13 119.0.0.0/13 119.8.0.0/16 119.10.0.0/17 119.18.192.0/20 119.23.0.0/16 119.28.0.0/15 119.32.0.0/14 119.36.0.0/16 119.39.0.0/16 119.44.0.0/16 119.48.0.0/13 119.57.0.0/16 119.60.0.0/15 119.62.0.0/16 119.84.0.0/14 119.88.0.0/14 119.96.0.0/13 119.108.0.0/15 119.112.0.0/13 119.120.0.0/13 119.128.0.0/12 119.144.0.0/14 119.162.0.0/15 119.164.0.0/14 119.176.0.0/12 119.233.0.0/16 119.248.0.0/14 120.0.0.0/12 120.24.0.0/14 120.30.0.0/15 120.32.0.0/13 120.40.0.0/14 120.68.0.0/14 120.76.0.0/14 120.80.0.0/13 120.92.0.0/16 120.192.0.0/10 121.0.16.0/20 121.4.0.0/15 121.8.0.0/13 121.16.0.0/12 121.32.0.0/14 121.40.0.0/14 121.52.208.0/20 121.52.224.0/19 121.56.0.0/15 121.60.0.0/14 121.68.0.0/14 121.76.0.0/15 121.100.128.0/17 121.196.0.0/14 121.201.0.0/16 121.204.0.0/14 121.224.0.0/12 122.4.0.0/14 122.8.0.0/16 122.10.128.0/17 122.51.128.0/17 122.64.0.0/11 122.96.0.0/15 122.119.0.0/16 122.136.0.0/13 122.156.0.0/14 122.188.0.0/14 122.192.0.0/14 122.198.0.0/16 122.200.64.0/18 122.224.0.0/12 122.240.0.0/13 123.4.0.0/14 123.8.0.0/13 123.52.0.0/14 123.56.0.0/14 123.64.0.0/11 123.97.128.0/17 123.100.0.0/19 123.112.0.0/12 123.128.0.0/13 123.138.0.0/15 123.144.0.0/14 123.148.0.0/15 123.150.0.0/15 123.152.0.0/13 123.160.0.0/14 123.164.0.0/14 123.172.0.0/15 123.178.0.0/15 123.180.0.0/14 123.184.0.0/13 123.196.0.0/15 123.206.0.0/15 123.232.0.0/14 123.244.0.0/14 123.249.0.0/16 124.42.0.0/16 124.64.0.0/15 
124.66.0.0/17 124.67.0.0/16 124.72.0.0/13 124.88.0.0/15 124.92.0.0/14 124.112.0.0/15 124.114.0.0/15 124.117.0.0/16 124.118.0.0/15 124.126.0.0/15 124.128.0.0/13 124.152.0.0/16 124.160.0.0/13 124.192.0.0/15 124.200.0.0/13 124.224.0.0/16 124.226.0.0/15 124.228.0.0/14 124.234.0.0/15 124.236.0.0/14 124.240.0.0/17 124.240.128.0/18 124.248.0.0/17 125.32.0.0/14 125.36.0.0/14 125.40.0.0/13 125.64.0.0/12 125.79.0.0/16 125.80.0.0/13 125.88.0.0/13 125.104.0.0/13 125.112.0.0/12 125.210.0.0/15 125.216.0.0/13 132.232.0.0/16 134.175.0.0/16 139.129.0.0/16 139.170.0.0/16 139.189.0.0/16 139.199.0.0/16 139.206.0.0/16 139.208.0.0/13 139.217.0.0/16 139.224.0.0/16 139.226.0.0/15 140.143.0.0/16 140.206.0.0/15 140.224.0.0/16 140.237.0.0/16 140.240.0.0/16 140.246.0.0/16 140.249.0.0/16 140.255.0.0/16 142.4.117.0/30 144.0.0.0/16 144.12.0.0/16 144.52.0.0/16 144.123.0.0/16 144.255.0.0/16 150.109.0.0/16 150.138.0.0/15 150.242.152.0/21 150.242.160.0/21 150.242.168.0/22 153.0.0.0/16 153.99.0.0/16 159.226.0.0/16 162.209.168.0/24 171.8.0.0/13 171.34.0.0/15 171.36.0.0/14 171.40.0.0/13 171.80.0.0/14 171.88.0.0/13 171.104.0.0/13 171.112.0.0/14 171.116.0.0/14 171.120.0.0/13 171.208.0.0/12 175.0.0.0/12 175.16.0.0/13 175.24.0.0/14 175.30.0.0/15 175.42.0.0/15 175.44.0.0/16 175.46.0.0/15 175.48.0.0/12 175.64.0.0/11 175.102.0.0/16 175.106.128.0/17 175.146.0.0/15 175.148.0.0/14 175.152.0.0/14 175.160.0.0/12 175.178.0.0/16 175.184.128.0/18 175.185.0.0/16 175.186.0.0/15 175.188.0.0/14 180.76.0.0/16 180.95.128.0/17 180.96.0.0/11 180.136.0.0/13 180.152.0.0/13 180.160.0.0/12 180.208.0.0/15 180.212.0.0/15 182.18.0.0/17 182.32.0.0/12 182.50.112.0/20 182.61.0.0/16 182.84.0.0/14 182.88.0.0/14 182.96.0.0/12 182.112.0.0/12 182.128.0.0/12 182.144.0.0/13 182.200.0.0/13 182.240.0.0/13 183.0.0.0/10 183.64.0.0/13 183.92.0.0/14 183.128.0.0/11 183.160.0.0/12 183.184.0.0/13 183.192.0.0/10 192.34.109.224/28 198.2.203.64/28 198.2.212.160/28 198.15.171.64/26
Require not ip 202.43.144.0/22 202.46.32.0/19 202.65.96.0/20 202.66.0.0/16 202.75.208.0/20 202.96.0.0/12 202.111.160.0/19 202.112.0.0/14 202.117.0.0/16 202.127.112.0/20 202.165.176.0/20 202.196.80.0/20 203.69.0.0/16 203.81.16.0/20 203.86.0.0/18 203.86.64.0/19 203.93.0.0/16 203.169.160.0/19 203.171.224.0/20 203.195.160.0/23 210.5.0.0/19 210.12.0.0/16 210.14.128.0/19 210.21.0.0/16 210.22.0.0/16 210.32.0.0/14 210.51.0.0/16 210.52.0.0/15 210.75.0.0/16 210.77.0.0/16 210.79.64.0/18 210.192.96.0/19 211.76.96.0/20 211.78.208.0/20 211.80.0.0/13 211.86.144.0/20 211.90.0.0/15 211.92.0.0/14 211.96.0.0/13 211.136.0.0/13 211.144.0.0/12 211.160.0.0/13 211.233.70.0/24 212.64.0.0/17 218.0.0.0/11 218.56.0.0/13 218.64.0.0/11 218.84.0.0/14 218.88.0.0/13 218.96.0.0/14 218.102.0.0/16 218.104.0.0/14 218.108.0.0/15 218.194.80.0/20 218.200.0.0/13 218.240.0.0/13 218.249.0.0/16 219.128.0.0/11 219.154.0.0/15 219.223.192.0/18 219.232.0.0/16 219.234.80.0/20 219.235.0.0/16 219.238.0.0/15 220.112.0.0/16 220.154.0.0/15 220.160.0.0/11 220.181.0.0/16 220.191.0.0/16 220.192.0.0/12 220.228.70.0/24 220.242.0.0/15 220.248.0.0/14 220.250.0.0/19 220.252.0.0/16 221.0.0.0/12 221.122.0.0/15 221.130.0.0/15 221.136.0.0/15 221.172.0.0/14 221.176.0.0/13 221.192.0.0/14 221.196.0.0/15 221.198.0.0/16 221.199.0.0/17 221.200.0.0/14 221.204.0.0/15 221.206.0.0/16 221.207.0.0/16 221.208.0.0/12 221.212.0.0/15 221.214.0.0/15 221.216.0.0/13 221.224.0.0/13 221.228.0.0/14 221.232.0.0/13 222.32.0.0/11 222.64.0.0/12 222.80.0.0/12 222.128.0.0/14 222.132.0.0/14 222.136.0.0/13 222.160.0.0/14 222.168.0.0/13 222.172.222.0/24 222.176.0.0/13 222.184.0.0/13 222.200.0.0/16 222.208.0.0/13 222.216.0.0/14 222.220.0.0/15 222.222.0.0/15 222.240.0.0/13 222.249.0.0/16 223.4.0.0/14 223.8.0.0/13 223.64.0.0/11 223.96.0.0/12 223.112.0.0/14 223.144.0.0/12 223.198.0.0/15 223.214.0.0/15 223.223.176.0/20 223.223.192.0/20 223.255.0.0/17 223.240.0.0/13

# India (IN), Bangladesh (BD) and Pakistan (PK)
Require not ip 1.39.0.0/16 1.186.38.0/24 14.96.0.0/14 14.139.0.0/16 14.140.0.0/14 14.192.52.0/22 14.194.0.0/15 27.4.0.0/14 27.97.0.0/16 27.248.0.0/14 27.255.0.0/18 27.255.128.0/24 39.32.0.0/11 43.246.140.0/24 49.14.0.0/15 49.200.0.0/14 49.248.0.0/17 58.65.128.0/18 59.88.0.0/13 59.96.0.0/14 59.160.0.0/14 59.164.0.0/15 59.176.0.0/13 59.184.0.0/15 61.0.0.0/14 61.247.238.0/24 101.50.64.0/18 101.56.0.0/13 101.212.0.0/16 101.216.0.0/16 103.48.16.0/24 103.56.220.0/22 103.103.56.0/24 103.194.12.0/22 103.194.20.0/22 103.194.24.0/21 103.194.32.0/22 103.214.124.0/22 103.214.128.0/21 103.214.136.0/22 103.240.204.0/22 103.240.208.0/21 103.240.216.0/22 103.243.52.0/22 103.243.56.0/21 106.51.0.0/16 106.76.0.0/14 106.192.0.0/11 110.224.0.0/16 110.227.0.0/16 110.232.248.0/24 111.68.96.0/20 112.110.0.0/16 113.19.0.0/16 113.212.64.0/19 114.31.224.0/20 115.96.0.0/14 115.108.0.0/14 115.112.0.0/13 115.166.128.0/20 115.167.24.0/24 115.240.0.0/12 116.72.0.0/14 116.202.12.0/22 116.203.0.0/16 117.96.0.0/14 117.192.0.0/10 118.151.209.0/24 119.152.0.0/13 119.160.0.0/17 120.56.0.0/13 120.138.98.0/24 121.240.0.0/13 122.15.0.0/16 122.160.0.0/12 122.176.0.0/13 122.184.0.0/14 123.49.0.0/18 123.236.0.0/14 124.123.0.0/16 124.124.0.0/15 124.247.235.0/24 124.253.0.0/16 125.209.64.0/18 139.190.0.0/16 150.242.148.0/22 150.242.172.0/22 171.48.0.0/12 171.76.0.0/14 175.101.0.0/16 180.215.0.0/16 182.18.128.0/18 182.64.0.0/12 182.176.0.0/12 183.82.0.0/15 193.53.87.0/24 202.54.0.0/16 202.63.160.0/19 202.87.240.0/20 202.137.232.0/21 202.142.64.0/18 202.149.192.0/19 202.154.224.0/24 203.76.176.0/20 203.92.47.0/24 203.100.64.0/20 203.115.80.0/20 203.135.62.0/24 203.153.44.0/24 203.188.247.0/24 203.192.192.0/18 203.197.0.0/16 210.211.128.0/17 210.212.0.0/16 218.248.0.0/20 223.30.0.0/15 223.130.4.0/22 223.220.0.0/15 223.223.128.0/19 223.223.176.0/20 223.223.192.0/20 223.224.0.0/12

# Indonesia (ID)
Require not ip 23.247.80.0/23 36.64.0.0/11 49.50.4.0/22 49.50.8.0/22 103.87.16.0/24 103.253.0.0/22 110.136.176.0/20 110.139.0.0/16 111.95.0.0/16 112.109.19.0/24 114.57.238.0/23 114.79.18.0/24 115.166.96.0/19 116.12.40.0/21 116.66.200.0/21 116.254.96.0/21 118.96.0.0/15 118.99.64.0/18 118.137.96.0/19 119.18.152.0/21 119.110.68.0/24 119.235.16.0/20 119.252.162.0/24 120.160.0.0/11 122.200.144.0/21 124.6.36.0/22 124.81.0.0/16 124.195.124.0/24 125.160.0.0/14 125.164.64.0/19 125.165.128.0/18 139.192.0.0/14 139.255.0.0/16 175.184.232.0/21 180.241.128.0/17 180.242.0.0/16 180.245.0.0/16 180.246.0.0/16 180.248.128.0/18 180.249.0.0/16 180.251.0.0/18 182.253.0.0/16 202.57.0.0/19 202.158.32.0/19 202.162.192.0/20 202.162.208.0/24 203.130.192.0/18 203.215.48.0/24 222.124.168.0/24

# Japan (JP) (hacking, scraping, or spamming)
Require not ip 27.50.96.0/19 36.52.0.0/14 42.83.0.0/18 43.224.32.0/22 58.188.0.0/14 59.146.0.0/15 60.236.0.0/14 61.112.0.0/12 118.0.0.0/12 118.16.0.0/13 118.86.0.0/15 118.106.0.0/16 122.16.0.0/12 122.200.192.0/18 122.208.0.0/12 122.248.128.0/18 123.216.0.0/13 124.84.0.0/14 126.0.0.0/8 150.70.84.41 153.128.0.0/9 182.48.0.0/18 202.210.128.0/18 210.198.6.0/23 210.248.0.0/13 211.19.0.0/16 218.216.0.0/13 218.224.0.0/13 219.94.128.0/17 219.96.0.0/11 220.104.0.0/13 220.208.0.0/12 221.121.160.0/20 222.0.0.0/12 222.231.64.0/18 222.231.128.0/17 222.144.0.0/13 223.216.0.0/14

# Korea (KR) (including North Korea) IP addresses follow:
Require not ip 1.208.0.0/12 1.224.0.0/11 14.32.0.0/11 14.64.0.0/11 27.115.128.0/17 27.255.64.0/18 58.72.0.0/13 58.120.0.0/13 58.140.0.0/14 58.148.0.0/14 58.180.40.0/21 58.224.0.0/12 59.0.0.0/11 59.86.192.0/18 59.186.0.0/15 61.32.0.0/13 61.40.0.0/14 61.72.0.0/13 61.80.0.0/15 61.96.0.0/12 61.110.16.0/20 61.248.0.0/13 101.79.0.0/16 110.8.0.0/13 110.45.0.0/16 112.144.0.0/12 112.160.0.0/11 112.216.0.0/13 113.30.64.0/18 114.29.0.0/17 114.108.0.0/17 114.108.128.0/18 114.200.0.0/13 115.0.0.0/12 115.16.0.0/13 115.40.0.0/15 115.68.0.0/16 115.88.0.0/13 115.144.0.0/15 116.40.0.0/16 116.45.176.0/20 116.93.192.0/19 116.120.0.0/13 117.110.0.0/15 118.32.0.0/11 118.128.0.0/14 118.216.0.0/13 119.64.0.0/13 119.192.0.0/11 120.50.64.0/18 121.78.0.0/16 121.88.0.0/16 121.101.224.0/19 121.127.64.0/18 121.127.128.0/18 121.128.0.0/10 121.254.0.0/16 122.32.0.0/13 122.44.112.0/20 122.99.128.0/17 122.252.64.0/18 123.111.0.0/16 123.140.0.0/14 123.212.0.0/14 123.248.0.0/16 124.0.0.0/15 124.50.87.161 124.136.0.0/14 124.217.192.0/19 125.128.0.0/11 125.176.0.0/12 125.240.0.0/13 125.248.0.0/14 143.248.0.0/16 166.104.0.0/16 168.126.0.0/16 168.188.0.0/16 175.45.176.0/22 175.112.0.0/12 175.192.0.0/10 180.64.0.0/13 180.224.0.0/13 182.224.0.0/14 183.96.0.0/11 202.30.0.0/15 202.133.16.0/20 202.179.176.0/21 203.226.0.0/15 203.228.0.0/14 203.244.0.0/14 203.248.0.0/13 210.93.0.0/16 210.94.0.0/15 210.108.0.0/14 210.112.0.0/14 210.117.128.0/18 210.118.216.192/26 210.123.0.0/16 210.124.0.0/14 210.178.0.0/15 210.180.0.0/15 210.204.0.0/15 210.210.192.0/18 210.219.0.0/16 210.220.0.0/14 211.32.0.0/12 211.48.0.0/15 211.50.0.0/15 211.52.0.0/15 211.54.0.0/15 211.56.0.0/14 211.62.35.0/24 211.104.0.0/13 211.112.0.0/13 211.168.0.0/13 211.176.0.0/12 211.192.0.0/12 211.208.0.0/14 211.216.0.0/13 211.224.0.0/13 211.232.0.0/13 211.240.0.0/12 218.36.0.0/14 218.48.0.0/13 218.144.0.0/12 218.209.0.0/16 218.232.0.0/14 218.236.0.0/14 219.240.0.0/15 219.248.0.0/13 219.250.88.0/21 220.72.0.0/13 220.80.0.0/13 220.95.88.0/24 
220.118.0.0/16 220.119.0.0/16 221.128.0.0/12 221.140.0.0/14 221.144.0.0/12 221.160.0.0/13 221.168.0.0/16 221.163.46.0/24 222.96.0.0/12 222.112.0.0/13 222.120.0.0/15 222.122.0.0/16 222.231.0.0/18 222.232.0.0/13

# Yahoo-Korea (provides free email services used by some spammers)
Require not ip 123.0.0.0/20

# Neighboring Asian countries:

# Malaysia (MY)
Require not ip 27.131.32.0/24 60.48.0.0/14 60.52.0.0/15 60.54.0.0/16 110.159.0.0/16 112.137.160.0/20 113.23.128.0/17 115.132.0.0/14 116.197.0.0/17 116.206.0.0/16 118.100.0.0/15 119.110.96.0/20 120.50.48.0/20 120.140.0.0/15 124.82.0.0/16 124.217.224.0/19 161.139.0.0/16 175.136.0.0/13 180.72.0.0/14 182.54.192.0/19 202.58.80.0/20 202.71.96.0/20 202.75.32.0/19 202.188.0.0/18 202.190.0.0/16 203.106.0.0/16 203.217.176.0/22 203.223.128.0/19 210.187.49.0/25 218.111.0.0/16 218.208.12.64/27

# Philippines (PH)
Require not ip 27.110.144.0/20 37.0.120.0/21 85.92.152.0/21 110.5.64.0/21 111.235.80.0/20 112.201.128.0/17 112.202.0.0/16 120.28.64.0/18 122.54.125.73 125.60.128.0/17 125.212.52.0/22 125.212.56.0/22 180.193.64.0/19 202.52.54.0/23 202.133.192.0/24 202.146.184.0/23 222.127.32.0/19 222.127.64.0/19

# Singapore (SG)
Require not ip 47.88.128.0/17 58.185.18.0/28 59.189.0.0/16 116.12.48.0/21 116.14.0.0/15 116.251.223.0/24 121.6.0.0/15 165.21.0.0/16 180.210.200.0/21 182.23.147.0/24 192.169.40.0/23 203.92.64.0/18 203.117.0.0/24 218.186.0.0/16 218.212.0.0/16 219.74.0.0/15 219.75.0.0/17

# Taiwan (TW)
Require not ip 1.160.0.0/12 1.200.0.0/16 36.224.0.0/12 59.112.0.0/12 60.198.0.0/15 60.249.0.0/16 60.250.0.0/15 61.31.0.0/16 61.56.0.0/16 61.58.0.0/15 61.63.0.0/16 61.67.128.0/17 61.216.0.0/14 61.220.0.0/14 61.224.0.0/14 61.228.0.0/14 110.24.0.0/13 110.50.128.0/18 111.240.0.0/12 112.213.48.0/20 114.24.0.0/14 114.32.0.0/12 115.80.0.0/14 115.85.144.0/20 117.19.0.0/16 118.160.0.0/13 122.116.0.0/15 122.118.0.0/16 122.120.0.0/13 122.254.0.0/18 123.51.128.0/17 123.240.0.0/15 124.8.0.0/14 125.224.0.0/13 140.109.0.0/16 140.110.0.0/15 140.112.0.0/12 140.128.0.0/13 140.136.0.0/15 140.138.0.0/16 163.13.0.0/16 163.14.0.0/15 163.16.0.0/12 163.24.0.0/16 163.32.0.0/16 175.96.0.0/14 175.180.0.0/14 203.64.0.0/14 203.71.0.0/16 203.72.0.0/16 210.59.0.0/16 210.200.0.0/15 210.240.0.0/16 211.20.0.0/15 211.23.0.0/16 211.72.0.0/16 211.75.0.0/16 211.76.160.0/20 211.79.32.0/20 211.23.0.0/16 218.160.0.0/12 219.84.0.0/15 219.90.3.0/24 220.128.0.0/12

# Thailand (TH)
Require not ip 1.20.0.0/16 1.46.0.0/15 1.179.128.0/18 14.207.0.0/16 49.0.64.0/18 49.230.0.0/16 58.8.0.0/16 58.9.0.0/16 58.10.0.0/16 58.137.0.0/16 61.19.0.0/16 61.47.0.0/17 110.34.128.0/17 110.168.0.0/16 113.53.0.0/17 114.131.0.0/16 115.87.128.0/17 117.47.0.0/16 118.172.0.0/14 119.59.96.0/19 119.76.0.0/16 122.154.0.0/15 123.242.128.0/18 124.120.0.0/16 124.121.0.0/16 124.122.0.0/16 125.25.0.0/19 171.97.128.0/17 202.28.0.0/15 202.44.135.0/24 202.133.128.0/18 202.142.192.0/19 202.143.128.0/18 203.107.142.0/24 203.113.0.0/17 203.130.149.0/24 203.144.128.0/17 203.146.0.0/16 203.148.128.0/17 203.149.0.0/18 203.150.128.0/17 203.151.38.0/24 203.155.0.0/16 203.158.96.0/19 203.158.128.0/17 203.170.193.0/24 203.172.128.0/17 203.185.128.0/19 210.213.0.0/18 222.123.0.0/16 223.205.0.0/16 223.207.0.0/16

# Vietnam (VN)
Require not ip 1.52.0.0/14 14.160.0.0/11 14.224.0.0/11 27.64.0.0/12 42.112.0.0/13 58.186.0.0/15 64.188.12.0/23 64.188.25.128/26 67.215.225.128/26 103.48.188.0/22 103.48.192.0/22 103.79.140.0/22 103.207.32.0/21 112.78.0.0/20 112.197.0.0/16 112.213.80.0/20 113.22.0.0/16 113.23.0.0/17 113.160.0.0/11 115.72.0.0/13 115.84.176.0/22 115.146.120.0/21 116.96.0.0/12 116.118.0.0/17 117.0.0.0/13 118.68.0.0/14 118.99.13.0/24 123.16.0.0/12 125.234.0.0/15 171.224.0.0/11 175.100.64.0/20 180.93.0.0/16 183.80.0.0/16 183.81.0.0/17 183.91.0.0/19 202.78.227.0/24 203.113.128.0/18 203.162.0.0/16 203.205.0.0/18 203.210.192.0/18 210.211.96.0/19 210.245.0.0/17 220.231.124.0/22 222.252.0.0/14

# End Chinese-Korean blocklist
  </RequireAll>

</Files>
And you may also want to be protected against bad bots; in this case copy and paste this:
If you need a complete .htaccess, do ask me, I will be very happy to send it by email
Have a nice day
Yan

Opencart 3.0.3.6
PHP 7.3.26 FPM served by NGINX 1.16.1.3
Linux Centos 7.9.2009 / Plesk 17.8.11
Dedicated Servers
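The list above is evaluated on every request to the matched files, so repeated prefixes and prefixes already covered by a larger one cost Apache time while denying nothing extra (k2tec's reply further down makes the same point about oversized .htaccess files). As an added example, not YDA's file or OpenCart code, the following Python tool uses only the standard ipaddress module to read the `Require not ip` lines of an .htaccess block, report exact duplicates, collapse the list to the shortest equivalent set of prefixes, check whether a given client address would be denied, and re-emit the directive in chunks of limited length. The .htaccess excerpt embedded in it is constructed from documentation ranges and is not a recommendation of what to block; the chunk size is an assumption.

```python
import ipaddress
import re

# Constructed excerpt in the shape of the .htaccess posted above. The prefixes
# are documentation ranges chosen to show a duplicate (198.51.100.0/24 twice),
# an overlap (198.51.100.128/25 and 192.0.2.77 inside larger prefixes) and an
# adjacent pair (203.0.113.0/25 + 203.0.113.128/25 = 203.0.113.0/24).
HTACCESS_EXCERPT = """\
<Files *>
  <RequireAll>
    Require all granted
# Example region A
Require not ip 198.51.100.0/24 198.51.100.128/25 203.0.113.0/25 203.0.113.128/25
# Example region B
Require not ip 192.0.2.0/24 192.0.2.77 198.51.100.0/24
  </RequireAll>
</Files>
"""

DENY_RE = re.compile(r"^\s*Require\s+not\s+ip\s+(.+?)\s*$", re.IGNORECASE)


def extract_deny_entries(text):
    """Return every address/prefix token from 'Require not ip' lines, in order."""
    entries = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            entries.extend(m.group(1).split())
    return entries


def parse_networks(entries):
    """Turn tokens into ip_network objects. A bare address becomes a /32 (or /128),
    which matches how Apache treats it; strict=False tolerates set host bits."""
    return [ipaddress.ip_network(tok, strict=False) for tok in entries]


def find_duplicates(networks):
    """Prefixes listed more than once (exact repeats only), as strings."""
    seen, dups = set(), []
    for net in networks:
        if net in seen and net not in dups:
            dups.append(net)
        seen.add(net)
    return [str(n) for n in dups]


def collapse(networks):
    """Merge prefixes contained in another or adjacent to a sibling, giving the
    shortest list that denies exactly the same addresses."""
    return sorted(ipaddress.collapse_addresses(networks))


def is_denied(networks, address):
    """Would a 'Require not ip' list of these networks refuse this client address?"""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in networks)


def render_require_not_ip(networks, per_line=50):
    """Emit 'Require not ip ...' lines with at most per_line prefixes each, the
    line-length precaution the posted file mentions (50 is an assumed limit)."""
    out = []
    for i in range(0, len(networks), per_line):
        chunk = networks[i:i + per_line]
        out.append("Require not ip " + " ".join(str(n) for n in chunk))
    return out


if __name__ == "__main__":
    nets = parse_networks(extract_deny_entries(HTACCESS_EXCERPT))
    print("entries:", len(nets), "duplicates:", find_duplicates(nets))
    merged = collapse(nets)
    print("after collapse:", len(merged), "entries")
    print("\n".join(render_require_not_ip(merged)))
```

Run against the list posted above, `find_duplicates` reports 211.23.0.0/16 (listed twice in the Taiwan line) and 223.223.176.0/20 and 223.223.192.0/20 (present in both the Chinese and the Indian lines), and `collapse` removes those and any prefix already covered by a wider one.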



Post by TechFost » Wed Mar 03, 2021 1:17 pm

You can use Fail2Ban to block all IP addresses that repeatedly make attempts to log in to your OpenCart site. Once you set up Fail2Ban, you just have to check the logs to make sure that it is working as you expect.
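As an added example, not code from hostking's post, TechFost's post or any tool named in this thread: a Python script that parses Apache combined-format access log lines like the excerpt hostking posted and applies two defender-side checks. The first is the per-IP rule Fail2Ban applies (its `maxretry` failures within `findtime` options). The second groups failed admin POSTs by User-Agent across source addresses, because hostking's excerpt shows one request per address, a pattern a per-IP counter never reaches. The log lines inside the block are constructed with documentation addresses (192.0.2.0/24, 198.51.100.0/24); the thresholds and windows are assumptions to tune for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the format of the lines quoted in this thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

FIREFOX_UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/87.0"

# Constructed sample, not a real log: four single-shot POSTs from different
# addresses sharing one User-Agent (the pattern in the thread), one legitimate
# browse-and-login, and one address that keeps retrying.
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [08/Jan/2021:10:15:43 +0200] "POST /admin/ HTTP/1.1" 406 455 "-" "{FIREFOX_UA}"',
    f'192.0.2.11 - - [08/Jan/2021:10:15:46 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "{FIREFOX_UA}"',
    f'192.0.2.12 - - [08/Jan/2021:10:15:46 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "{FIREFOX_UA}"',
    f'192.0.2.13 - - [08/Jan/2021:10:15:49 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "{FIREFOX_UA}"',
    f'198.51.100.7 - - [08/Jan/2021:10:15:50 +0200] "GET /index.php?route=common/home HTTP/1.1" 200 15324 "-" "{CHROME_UA}"',
    f'198.51.100.7 - - [08/Jan/2021:10:16:02 +0200] "POST /admin/ HTTP/1.1" 302 0 "-" "{CHROME_UA}"',
    f'192.0.2.10 - - [08/Jan/2021:10:16:10 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "{FIREFOX_UA}"',
    f'192.0.2.10 - - [08/Jan/2021:10:16:31 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "{FIREFOX_UA}"',
    f'192.0.2.10 - - [08/Jan/2021:10:40:00 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "{FIREFOX_UA}"',
])


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        events.append(e)
    return events


def failed_admin_posts(events, path_prefix="/admin"):
    """POSTs to the admin path that were not accepted (status 4xx/5xx). The
    thread's logs show 406; matching any error status keeps the check valid
    if the server's answer to rejected logins changes."""
    return [e for e in events
            if e["method"] == "POST"
            and e["path"].startswith(path_prefix)
            and e["status"] >= 400]


def ips_over_threshold(failures, maxretry=3, findtime=timedelta(minutes=10)):
    """Fail2Ban-style rule: flag an IP with >= maxretry failures inside any
    findtime window. Returns {ip: failures seen in the window}."""
    stamps_by_ip = defaultdict(list)
    for e in failures:
        stamps_by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > findtime:  # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = end - start + 1
                break
    return flagged


def distributed_campaigns(failures, min_ips=3, span=timedelta(minutes=5)):
    """Per-IP thresholds miss a botnet sending one request per address. Group
    failures by User-Agent and flag an agent seen from >= min_ips distinct
    addresses within span. Returns {user_agent: sorted list of ips}."""
    by_ua = defaultdict(list)
    for e in failures:
        by_ua[e["ua"]].append(e)
    campaigns = {}
    for ua, evs in by_ua.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ips = {e["ip"] for e in evs[i:] if e["ts"] - first["ts"] <= span}
            if len(ips) >= min_ips:
                campaigns[ua] = sorted(ips)
                break
    return campaigns


if __name__ == "__main__":
    fails = failed_admin_posts(parse_log(SAMPLE_LOG))
    print("per-IP threshold hits:", ips_over_threshold(fails))
    print("distributed campaigns:", distributed_campaigns(fails))
```

The per-IP check only catches the retrying address; the User-Agent grouping is what surfaces the four one-shot sources. A User-Agent is trivially changed, so treat that signal as a trigger for closer inspection or for tightening the admin allow list discussed earlier in the thread, not as a ban key on its own.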



Post by satriani2019 » Mon Oct 25, 2021 7:50 am

Did you find a solution?
Renaming the admin folder, adding keys to the admin login, etc. are useless.
hostking wrote:
Fri Jan 08, 2021 4:17 pm
We have a strange issue. Hoping someone has a modsecurity rule or something to stop this on our shared hosting servers. We already implemented a Captcha on the site's login page, but it does not seem to stop this.

We tried three different modsecurity rulesets, OWASP, Comodo and even Atomic (paid), and none seem to stop this attack on the /admin folder.

I assume we may have to use some regular expression, but my knowledge of that is not so good.

Unless someone can recommend a technique or way to stop this across multiple websites on a server?

180.252.180.250 - - [08/Jan/2021:10:15:43 +0200] "POST /admin/ HTTP/1.1" 406 455 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
122.173.51.255 - - [08/Jan/2021:10:15:46 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
106.201.153.52 - - [08/Jan/2021:10:15:46 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
82.213.229.161 - - [08/Jan/2021:10:15:49 +0200] "POST /admin/ HTTP/1.1" 406 418 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"


Post by JNeuhoff » Mon Oct 25, 2021 5:30 pm

See this forum thread for a solution.

It's both a brute force and DDoS attack combined. It will inflate your 'oc_session' DB table and therefore cause your OpenCart server to eventually reach its resource limit. And each of these attacking requests uses a different user and password combination, randomly generated, in the hope that after weeks or months of attacking your website it will come across the right login credentials.



Post by k2tec » Mon Oct 25, 2021 7:40 pm

Don't make your .htaccess too big with restrictions; it slows down your Apache.
If you run a VPS or a server, put CSF and ModSecurity on it, and configure them to your own wishes.
