  • A site hosted on SkyToaster is getting hit with requests for all kinds of stupid .php files, like install.php. What would be the best way to stop these from generating MODX not-found pages specifically on SkyToaster servers?

    I thought of directly contacting SkyToaster, who would certainly answer quickly, but it seems to me this might better be a more public question, so the answer can benefit others in the community. And somebody from SkyToaster will respond almost as quickly, and/or somebody else who knows what to do about this kind of thing in general.

    I have the Dashboard widget version of BobRay's LogPageNotFound plugin/snippet combination, so I see at a glance whenever I am in the Manager's Dashboard what requests are getting through to MODX and generating page-not-found pages. Often these are just mis-linked images or something similar that are good to know about and easy to fix. For example, the googlebot will always look for a robots.txt file, and if you don't have one its request is passed on to MODX, which will go to all the trouble of generating your nice Not Found page (you do have one, don't you?), which does the googlebot no good at all.

    But it's also useful to see when somebody's bot is hammering your site looking for cracks to crawl through. The first time I ever used it, within a few minutes it exposed one IP address generating literally hundreds of not-found requests for all kinds of files. Banning that IP address at the server level very quickly reduced the load on the website, and setting up some allow/deny rules stopped anybody else from making that kind of attack. [ed. note: sottwell last edited this post 9 years, 9 months ago.]
      Studying MODX in the desert - http://sottwell.com
      Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
      Join the Slack Community - http://modx.org
      • 3749
      • 24,544 Posts
      Take a look at BotBlockX. That will block "hammerers."

      What's actually needed here is an input field at the bottom of PageNotFound that lets you enter a string and a submit button that calls a processor that creates a new rewrite rule in .htaccess to turn away those requests before they reach MODX. I've been meaning to do it for some time.

      Here are some sample rules (note the 'OR' on all but the last):

      # Place these before the rewrite rule that hands requests to MODX,
      # so matching requests are refused without reaching it.
      RewriteCond %{REQUEST_URI} reflect [NC,OR]
      RewriteCond %{QUERY_STRING} reflect [NC,OR]
      RewriteCond %{REQUEST_URI} ^\/scripts [NC,OR]
      RewriteCond %{REQUEST_URI} ^\/apps [NC,OR]
      RewriteCond %{REQUEST_URI} password_forgotten [NC,OR]
      RewriteCond %{REQUEST_URI} mysql [NC,OR]
      RewriteCond %{REQUEST_URI} ^\/stat [NC,OR]
      RewriteCond %{REQUEST_URI} ^\/awstats [NC,OR]
      RewriteCond %{REQUEST_URI} ^\/phpalbum [NC,OR]
      # REQUEST_URI always begins with "/", so the anchor needs the leading slash to match.
      RewriteCond %{REQUEST_URI} ^\/cgi [NC,OR]
      RewriteCond %{REQUEST_URI} sqlpatch [NC,OR]
      RewriteCond %{REQUEST_URI} humans [NC,OR]
      RewriteCond %{REQUEST_URI} checkout [NC,OR]
      RewriteCond %{REQUEST_URI} customer [NC,OR]
      RewriteCond %{REQUEST_URI} sniplets [NC,OR]
      RewriteCond %{REQUEST_URI} admin [NC,OR]
      RewriteCond %{REQUEST_URI} expand [NC,OR]
      RewriteCond %{REQUEST_URI} contract [NC,OR]
      RewriteCond %{REQUEST_URI} alert [NC,OR]
      RewriteCond %{REQUEST_URI} client-info\.php [NC,OR]
      # A URL passed inside the query string
      RewriteCond %{QUERY_STRING} (.*)(http|https|ftp):\/\/(.*) [NC,OR]
      # Requests whose User-Agent identifies libwww-perl (last condition, so no OR)
      RewriteCond %{HTTP_USER_AGENT} libwww-perl.* [NC]
      # Any condition matched: answer 403 Forbidden and stop processing rules
      RewriteRule .* - [F,L]
        Did I help you? Buy me a beer
        Get my Book: MODX:The Official Guide
        MODX info for everyone: http://bobsguides.com/modx.html
        My MODX Extras
        Bob's Guides is now hosted at A2 MODX Hosting
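One way to automate the rule-writing step discussed in the post above, as an added example that is not part of the thread and is not code from LogPageNotFound or BotBlockX: it counts 404s per client in an access log, separates a hammering address from a one-off miss such as robots.txt, and renders a condition block with `OR` on all but the last line. The function names, the threshold and the log lines are assumptions made for illustration; it emits exact-path matches rather than substring patterns, and skips any path that could inject extra directives into .htaccess.

```python
import re

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:10:00:01 +0000] "GET /install.php HTTP/1.1" 404 512 "-" "libwww-perl/6.05"
203.0.113.7 - - [10/Mar/2015:10:00:02 +0000] "GET /scripts/setup.php HTTP/1.1" 404 512 "-" "libwww-perl/6.05"
203.0.113.7 - - [10/Mar/2015:10:00:03 +0000] "GET /awstats/awstats.pl HTTP/1.1" 404 512 "-" "libwww-perl/6.05"
198.51.100.4 - - [10/Mar/2015:10:01:00 +0000] "GET /robots.txt HTTP/1.1" 404 512 "-" "Googlebot/2.1"
198.51.100.4 - - [10/Mar/2015:10:01:05 +0000] "GET /about.html HTTP/1.1" 200 4096 "-" "Googlebot/2.1"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')

def not_found_by_ip(log_text):
    """Map client IP -> list of request paths that returned 404."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == "404":
            # Keep only the path; the query string is not part of the rule.
            hits.setdefault(m.group(1), []).append(m.group(2).split("?")[0])
    return hits

def hammerers(hits, threshold):
    """IPs with at least `threshold` not-found requests (candidates to report or ban)."""
    return sorted(ip for ip, paths in hits.items() if len(paths) >= threshold)

def rewrite_block(paths):
    """Render exact-path RewriteCond lines with [OR] on all but the last."""
    safe = []
    for p in sorted(set(paths)):
        # Skip anything with spaces, newlines or regex syntax: the text is
        # written into .htaccess and must not be able to add directives.
        if not re.fullmatch(r"/[A-Za-z0-9._/-]+", p):
            continue
        # "." is the only regex metacharacter left in the allowed alphabet.
        safe.append("^" + p.replace(".", r"\.") + "$")
    if not safe:
        return ""
    lines = [f"RewriteCond %{{REQUEST_URI}} {pat} [NC,OR]" for pat in safe[:-1]]
    lines.append(f"RewriteCond %{{REQUEST_URI}} {safe[-1]} [NC]")
    lines.append("RewriteRule .* - [F,L]")
    return "\n".join(lines)
```

With a threshold of 3, `hammerers(not_found_by_ip(SAMPLE_LOG), 3)` flags only the constructed scanner address, and passing that address's paths to `rewrite_block` gives the block to paste above the MODX rewrite rule.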
      • Sorry, I didn't see this post earlier. There are several methods to address this problem, but ultimately you want to stop the malicious traffic before it reaches MODX. A few of the methods:


        • Enable CloudFlare
        • Block in Firewall (send us the IPs)
        • Block with .htaccess
        • Block with PHP

        Solutions such as CloudFlare leverage their global network to detect and block malicious traffic before it hits the server. Their business is stopping this traffic, so enabling it is highly recommended. You can do this in cPanel in a few seconds; it's a free service.

        The remaining traffic at this point in time is borderline malicious, and blocking it is ultimately up to the end user / hosting provider. We maintain a global block list used among all of our servers; if you report malicious users, we will do our best to block them. We already have in excess of 500k addresses blocked, so we aren't afraid to use blocks.

        In some cases the traffic isn't going to be worth blocking on a higher level because of false positives, dynamic addresses, or other related reasons. You can still block these visitors using .htaccess rules as Bob shows above. The blocks only affect your sites vs. the server as a whole; while the block isn't as drastic, it's still very effective.

        The final option is using some form of PHP to filter/block malicious traffic. This can work for lower level stuff, but you ultimately want to use one of the above methods as they will work better.
          Patrick | Server Wrangler
          About Me: Website | Tweets | MODX Hosting
          • 20413
          • 2,877 Posts
          I have to post this here:
          #DEFCON Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys
          http://blog.c22.cc/2013/08/06/defcon-defense-by-numbers-making-problems-for-script-kiddies-and-scanner-monkeys/
          Video https://www.youtube.com/watch?v=I3pNLB3Cq24

          My default evo htaccess https://github.com/mrhaw/Evolution-custom-htaccess/blob/master/ht.access
          can be made more fun!
            @hawproductions | http://mrhaw.com/

            Infograph: MODX Advanced Install in 7 steps:
            http://forums.modx.com/thread/96954/infograph-modx-advanced-install-in-7-steps

            Recap: Portland, OR (PDX) MODX CMS Meetup, Oct 6, 2015. US Bancorp Tower
            http://mrhaw.com/modx_portland_oregon_pdx_modx_cms_meetup_oct_2015_us_bancorp_tower
            • 3749
            • 24,544 Posts
            @AMDBuilder: IIRC, a while back, I read some reports of trouble with MODX and CloudFlare. Have you seen any issues lately?
            • There haven't been any recent reports of problems with CloudFlare/MODX lately. Have you been experiencing any problems with it?
                • 3749
                • 24,544 Posts
                Based on the old reports, I've never used it. I'll have to give it a try. ;)
                • Let me know if you have any problems with it, and I can help you diagnose it.
                    • 3749
                    • 24,544 Posts
                    Will do. :)