"Gulp!"... Should I trust ChatGPT's custom virtual_host2.conf recommendation?

jlpeifer

From time to time my DA server spits out a "System Load" warning email. I'm not a skilled Linux person, so I decided to prompt ChatGPT for its opinion of what might be happening. It asked me to provide a small snippet from the email I received. I fed it a section that began:

IP '45.148.10.119' currently has '986' connections

Its response was pretty straightforward...

What you're seeing is almost certainly an automated bot or scanner hitting your server very aggressively, and your monitoring system is warning you because the same IP has opened an unusually large number of connections.

It then asked me to give it a few lines from the /var/log/httpd/access_log, and came back with this response...

This log confirms exactly what kind of activity you were seeing: a fully automated vulnerability scanner searching for leaked cloud credentials and misconfigured infrastructure files.

After a bit of back-and-forth, it ultimately suggested that I create a custom /usr/local/directadmin/data/templates/custom/virtual_hosts2.conf file that inserted the following lines (in red):

{ . . . }

CustomLog |APACHELOGDIR|/|DOMAIN|.bytes bytes
CustomLog |APACHELOGDIR|/|DOMAIN|.log |COMBINED_LOG|
ErrorLog |APACHELOGDIR|/|DOMAIN|.error.log

|*if SUSPENDED_REASON|
<IfModule mod_env.c>
SetEnv reason "|SUSPENDED_REASON|"
</IfModule>
|*endif|

# Global protection against hidden files and common secret/config artifacts
<FilesMatch "^\.">
Require all denied
</FilesMatch>

<FilesMatch "\.(env|ini|log|bak|old|backup|sql)$">
Require all denied
</FilesMatch>


|CUSTOM2|

{ . . . }

Finally, it said that I needed to run:

cd /usr/local/directadmin/custombuild
./build rewrite_confs
systemctl restart httpd

As mentioned before, I'm not overly familiar with Linux, so I'm a bit gun-shy. Has CGPT provided solid advice here, or is there something about its suggestion that would create havoc?
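A quick way to see what the two FilesMatch rules actually cover before rewriting the vhost templates. This is an added example, not from the thread or from DirectAdmin: it emulates the two patterns the way Apache applies them (against the requested file's basename only) and runs them over a constructed list of scanner-style request paths; the paths and the function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): emulates the two <FilesMatch> rules from
# the suggested virtual_host2.conf so their coverage can be checked offline.
# Apache evaluates <FilesMatch> against the basename of the requested file, so a
# dot-directory earlier in the path (e.g. /.git/config) does not trigger "^\.".

DOTFILE_RE='^\.'
ARTIFACT_RE='\.(env|ini|log|bak|old|backup|sql)$'

# Returns 0 when the two rules would answer "Require all denied", 1 otherwise.
is_blocked_by_filesmatch() {
    fm_name=${1##*/}                     # basename, which is what FilesMatch sees
    printf '%s\n' "$fm_name" | grep -Eq "$DOTFILE_RE" && return 0
    printf '%s\n' "$fm_name" | grep -Eq "$ARTIFACT_RE" && return 0
    return 1
}

# Prints a verdict per request path.
report() {
    for p in "$@"; do
        if is_blocked_by_filesmatch "$p"; then
            printf '%-30s blocked\n' "$p"
        else
            printf '%-30s NOT covered\n' "$p"
        fi
    done
}

# Constructed sample probes of the kind a credential scanner sends (not real log data).
report \
    "/.env" \
    "/app/.env.production" \
    "/.git/config" \
    "/.aws/credentials" \
    "/backup.sql" \
    "/db.sql.gz" \
    "/storage/logs/laravel.log" \
    "/wp-config.php.bak"
```

The "NOT covered" rows show the gap: files whose own name is ordinary (config, credentials) inside a hidden directory, and compressed dumps, pass these two rules untouched.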
 
It'll only block access to these *.env|ini|log|bak|old|backup|sql and files beginning with a dot (.)....

If you use CSF, try turning on and tweaking the SYNFLOOD section....... Won't be 100% foolproof, but it may help.
 
Please use ChatGPT as a professional.

Write this to ChatGPT.

Code:
Tuning for high end server.
Prevent DDoS / traffic spamming using some rate limit.
All tuning should not affect the normal client.

And select "thinking" GPT, do not use "fast" mode.
 
One of our simple shoot-and-forget scripts might help? It's based on scanning weblog files and generating a file in /tmp/ with a list of csf temporary block commands. When our AI detects a load spike it shoots this to the server and analyses the JSON result and, if required, executes the generated /tmp/csf-bot-block.sh script to block the offending IPs for 5 minutes. Running it does nothing besides generating a block script, so it's safe to run (if you have read it). It's a little 'extra' besides the csf/lfd blocking.

Bash:
#!/bin/bash

# max load = num cpu's
CPU_COUNT=$(nproc)
CURRENT_LOAD=$(awk '{print $1}' /proc/loadavg)

# Check if load > num CPU cores; below that, report and exit without writing a block script
if ! awk -v cur_load="$CURRENT_LOAD" -v max="$CPU_COUNT" 'BEGIN { exit !(cur_load > max) }'; then
  echo "{\"bad_bot_ips\":[],\"message\":\"Load below threshold of $CPU_COUNT. No IP needs to be blocked\", \"load\": $CURRENT_LOAD, \"cpu_cores\": $CPU_COUNT}"
  exit 0
fi

LOGDIR="/var/log/httpd/domains"
TMPFILE=$(mktemp)
FILTERED="${TMPFILE}_filtered"
BADIPS=$(mktemp)
BLOCKSCRIPT="/tmp/csf-bot-block.sh"

# Limits (hits per IP within the last hour)
MAX_HITS=400
MAX_404=150
MAX_SENSITIVE=150

# Whitelist IPs (IPs with unlimited access: server IPs, management, yourself)
WHITELIST=("1.2.3.4" "2a01:a640:..etc...")

# A few 'bad endpoints', modify if required.
PATTERN='wp-login\.php|xmlrpc\.php|/admin|/login|\.env|phpmyadmin|/shell|\.git'

# JSON-init
echo '{'
echo '  "bad_bot_ips": ['

# Collect logs (no error logs)
find "$LOGDIR" -type f -name "*.log" ! -name "*.error.log" -exec cat {} + > "$TMPFILE"

# Keep only lines from the last hour (timestamp parsed from the [dd/Mon/yyyy:HH:MM:SS field)
START_TS=$(date -d "1 hour ago" +%s)
END_TS=$(date +%s)

gawk -v start="$START_TS" -v end="$END_TS" '
  match($0, /\[([0-9]{2})\/([A-Za-z]{3})\/([0-9]{4}):([0-9]{2}):([0-9]{2}):([0-9]{2})/, m) {
    months["Jan"]=1; months["Feb"]=2; months["Mar"]=3; months["Apr"]=4;
    months["May"]=5; months["Jun"]=6; months["Jul"]=7; months["Aug"]=8;
    months["Sep"]=9; months["Oct"]=10; months["Nov"]=11; months["Dec"]=12;
    mon = months[m[2]]
    if (mon) {
      t = mktime(m[3]" "mon" "m[1]" "m[4]" "m[5]" "m[6])
      if (t >= start && t <= end)
        print $0
    }
  }
' "$TMPFILE" > "$FILTERED"

# whitelist check
is_whitelisted() {
    local ip="$1"
    for wip in "${WHITELIST[@]}"; do
        [[ "$ip" == "$wip" ]] && return 0
    done
    return 1
}

# Start the block script fresh (with a shebang so it can be executed directly)
echo "#!/bin/bash" > "$BLOCKSCRIPT"

# Emit one JSON entry per ip/reason pair and append the matching csf command.
# The scans below run inside pipeline subshells, so the comma between entries
# is decided from the $BADIPS file, not from a shell variable (which would reset
# in every subshell and produce invalid JSON).
add_ip_json() {
    local ip="$1"
    local reason="$2"
    local count="$3"
    if ! grep -qxF "$ip|$reason" "$BADIPS"; then
        if [ -s "$BADIPS" ]; then echo ','; fi
        echo "$ip|$reason" >> "$BADIPS"
        echo -n "    { \"ip\": \"$ip\", \"reason\": \"$reason\", \"count\": \"$count\" }"
        # Plain IP (no /32) so IPv6 addresses from the log are handled too
        echo "csf -td $ip 300 # $reason" >> "$BLOCKSCRIPT"
    fi
}

# High total request count
awk '{print $1}' "$FILTERED" | sort | uniq -c | awk -v max="$MAX_HITS" '$1 > max' |
while read -r count ip; do
    is_whitelisted "$ip" || add_ip_json "$ip" "high_request_rate" "$count"
done

# Too many 404s
awk '$9 == 404 {print $1}' "$FILTERED" | sort | uniq -c | awk -v max="$MAX_404" '$1 > max' |
while read -r count ip; do
    is_whitelisted "$ip" || add_ip_json "$ip" "404_spam" "$count"
done

# Suspicious endpoints
grep -E "$PATTERN" "$FILTERED" | awk '{print $1}' | sort | uniq -c | awk -v max="$MAX_SENSITIVE" '$1 > max' |
while read -r count ip; do
    is_whitelisted "$ip" || add_ip_json "$ip" "sensitive_endpoint_scanning" "$count"
done

echo
echo '  ]'
echo '}'

# Cleanup
rm -f "$TMPFILE" "$FILTERED" "$BADIPS"

The limit settings will need some adjusting for your situation, because a high load doesn't mean your server is getting slow, and a low load doesn't mean it is fast.
 