Block "get /.env" requests

BillyJ
Junior Member
Posts: 1
Joined: 09 Jun 2022, 00:41

Post by BillyJ

Lately I've been getting heaps of these:
GET /.env HTTP/1.1

generally 20 or 30 from a single IP address at a time (not the same IP address all the time or I'd block it).

Is there a way to immediately blacklist an IP that calls this GET request, or to block all GET requests to /.env?
Sergio
Junior Member
Posts: 1685
Joined: 12 Dec 2006, 14:56

Re: Block "get /.env" requests

Post by Sergio

Yes, you can.
What I do is to use ModSecurity to block the offending IP, then in CSF I have the following rule that will block the IP on first try:

On Comodo the rule number that blocks .env is: 210492

So, my regex is like the following. (I have deleted all the ID numbers that I block and left just the one for .env, but you can add as many rules as you want using "|", for example (210492|225170|210491).) To get a list of the most used ModSecurity IDs, go into your ConfigServer ModSecurity Control, look at the ID numbers and add them to the rule.

Modify the rule according to your server:

Code:

# BLOCKING ModSec Rules attacks by Secmas

	if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "(210492)"\]/i)) {
		return ("mod_security attack id $2",$1,"Secmas_ModSec","1","1");
	}
Sergio
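
A way to dry-run the rule above before adding it to CSF, as an added example that is not part of the original posts: it runs the same pattern, extended with the three IDs quoted in the reply, over Apache error-log lines. The log lines, the `check_line` helper, the ID 999999 and the placeholder paths and messages are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: dry-run the custom lfd pattern on sample log lines.
use strict;
use warnings;

# Rule IDs to block on; these are the three IDs quoted in the post.
my $ids = join '|', qw(210492 225170 210491);

# Same pattern as the posted rule, with the ID alternation interpolated.
my $re = qr/^\[\S+\s+\S+\s+\S+\s+\S+\.\d+\s+\S+\] \[:error\] \[pid \d+.*\] \[client \S+\] \[client (\S+)\] ModSecurity.*\[id "($ids)"\]/i;

# Mirrors the rule body: (reason, ip) on a match, empty list otherwise.
sub check_line {
    my ($line) = @_;
    return ("mod_security attack id $2", $1) if $line =~ $re;
    return;
}

# Constructed samples: documentation IPs, placeholder paths and messages.
my $ts  = '[Thu Jun 09 01:12:45.123456 2022]';
my $hit = 'ModSecurity: Access denied with code 403 (phase 2). [file "/constructed/rules.conf"]';
my @samples = (
    # listed ID, [:error] tag, pid:tid form
    qq{${ts} [:error] [pid 4242:tid 1398] [client 203.0.113.7:51234] [client 203.0.113.7] ${hit} [id "210492"] [uri "/.env"]},
    # listed ID, [:error] tag, pid-only form
    qq{${ts} [:error] [pid 4243] [client 198.51.100.23:40112] [client 198.51.100.23] ${hit} [id "225170"] [uri "/x"]},
    # ModSecurity hit for an ID that is not in the list
    qq{${ts} [:error] [pid 4242:tid 1398] [client 203.0.113.9:51300] [client 203.0.113.9] ${hit} [id "999999"] [uri "/"]},
    # listed ID, but the module tag is not the bare [:error] the pattern expects
    qq{${ts} [security2:error] [pid 4242:tid 1398] [client 203.0.113.8:51235] [client 203.0.113.8] ${hit} [id "210492"] [uri "/.env"]},
    # ordinary Apache error, no ModSecurity fields at all
    qq{${ts} [core:error] [pid 4242:tid 1398] [client 192.0.2.10:40000] AH00126: Invalid URI in request GET /.env HTTP/1.1},
);

for my $i (0 .. $#samples) {
    my ($reason, $ip) = check_line($samples[$i]);
    printf "sample %d: %s\n", $i + 1,
        defined $ip ? "block $ip ($reason)" : "no match";
}
```

Only the first two samples report a block. Replacing the constructed lines with a few real lines from the log file that CUSTOM1_LOG points to shows whether the pattern fits the server's own log layout.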