Cartika

webscan settings

Last Updated: Jun 24, 2016 07:41AM EDT
Webscan is an internally developed script, commonly found on our managed Linux servers and VMs that run HSphere or cPanel. It functions similarly to CSF and specializes in blocking brute-force and limited DoS attacks against common CMS applications (WordPress, Joomla), as well as against the server itself.

Managed hosting clients, as well as clients on our shared hosting environment, may contact our support department to make changes in the rare event that a legitimate IP was blocked, or they can edit the script as described below to accommodate specific needs.

Because of the number of attacks we receive daily against FTP logins, CMS logins and other services, we advise never removing this script: doing so is almost guaranteed to result in higher server loads, more frequently compromised accounts, and more alerts for our support team to deal with on a regular basis.

Please note that this script automatically schedules and runs itself once installed. It does not accept any parameters. It is not a malware scanner. It will self-terminate if you try to run it while an existing instance is already running.

Common Issues:
If customers complain that their IP is blocked, and a grep for that IP against the webscan files shows it was blocked because of wordpress-admin connections, verify that the wordpress-admin checks are disabled (they are not critical and generally cause many false-positive blocks):

[root@web27 ~]# grep "104.158.1.87" webscan/*

webscan/debug.log:block IP: 104.158.1.87 (90) [ 24323964 > 90 ]
webscan/debug.log:removed IP [ 104.158.1.87 ] from webct.a [ 61 > 60 ]
webscan/event.log:Mar 31 11:26:16: 2 [ lancasterhomes.ca - wordpress-admin ] 104.158.1.87 --> iptables -I RH-Firewall-1-INPUT 1 -s 104.158.1.87 -j DROP
webscan/event.log:Apr 03 14:02:34: 2 [ lancasterhomes.ca - wordpress-admin ] 104.158.1.87 --> iptables -I RH-Firewall-1-INPUT 1 -s 104.158.1.87 -j DROP
webscan/event.log:Apr 04 15:53:48: 2 [ lancasterhomes.ca - wordpress-admin ] 104.158.1.87 --> iptables -I RH-Firewall-1-INPUT 1 -s 104.158.1.87 -j DROP
webscan/event.log:Apr 04 19:39:12: removed from droplist: 104.158.1.87


To disable wp-admin checks, run the short script below, or do it manually:

Script:
if [[ "$(tr -d '[:space:]' < webscan/blockwpa)" == "1" ]]; then echo 0 > webscan/blockwpa; fi; cat webscan/blockwpa
This sets blockwpa to 0 only when it currently contains 1, then prints the resulting value.

Manually:
[root@vps-netctech3 ~]# cat webscan/blockwpa
1
If that's a 1 then the check is on, so we may want to set it to 0:
[root@vps-netctech3 ~]# echo 0 > webscan/blockwpa
Verify that the setting was changed:
[root@vps-netctech3 ~]# cat webscan/blockwpa
0
The webscan script reloads the dynamic variables every cycle (default ~1 min) through the function f_getdynamicvars and applies the new setting.
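As an added example (not part of the article or of the webscan script itself), the triage steps above as a few shell functions: they extract the blocking rule for an IP from event.log, read its current droplist state from the most recent entry, and turn blockwpa off only when it is actually 1. The directory layout and the log lines are the ones quoted above; the function names are assumptions.

```shell
#!/usr/bin/env bash
# Constructed sample webscan directory, using the event.log lines quoted above
# (the page's own sample IP and domain) so the functions run offline.
WEBSCAN_DIR="$(mktemp -d)"
cat > "$WEBSCAN_DIR/event.log" <<'EOF'
Mar 31 11:26:16: 2 [ lancasterhomes.ca - wordpress-admin ] 104.158.1.87 --> iptables -I RH-Firewall-1-INPUT 1 -s 104.158.1.87 -j DROP
Apr 03 14:02:34: 2 [ lancasterhomes.ca - wordpress-admin ] 104.158.1.87 --> iptables -I RH-Firewall-1-INPUT 1 -s 104.158.1.87 -j DROP
Apr 04 15:53:48: 2 [ lancasterhomes.ca - wordpress-admin ] 104.158.1.87 --> iptables -I RH-Firewall-1-INPUT 1 -s 104.158.1.87 -j DROP
Apr 04 19:39:12: removed from droplist: 104.158.1.87
EOF
echo 1 > "$WEBSCAN_DIR/blockwpa"   # wordpress-admin check currently on

# Distinct rule names that blocked an IP: the word after " - " inside "[ ... ]"
# on event.log block lines (e.g. wordpress-admin), one per line.
webscan_block_reasons() {   # $1 = webscan dir, $2 = IP
    grep -F -- "$2 --> iptables" "$1/event.log" \
      | sed -n 's/.*\[ [^]]* - \([^] ]*\) \].*/\1/p' | sort -u
}

# Current droplist state, taken from the IP's most recent event.log entry.
webscan_is_blocked() {      # $1 = webscan dir, $2 = IP; prints yes/no/unknown
    local last; last="$(grep -F -- "$2" "$1/event.log" | tail -n 1)"
    case "$last" in
        *"removed from droplist"*) echo no ;;
        *"-j DROP"*)               echo yes ;;
        *)                         echo unknown ;;
    esac
}

# Turn the wordpress-admin check off if it is on; prints the resulting value.
webscan_disable_wpa() {     # $1 = webscan dir
    if [ "$(tr -d '[:space:]' < "$1/blockwpa")" = "1" ]; then
        echo 0 > "$1/blockwpa"
    fi
    cat "$1/blockwpa"
}

# Triage verdict: when every block came from wordpress-admin and that check is
# still on, the fix is to disable the check rather than whitelist the IP.
webscan_triage() {          # $1 = webscan dir, $2 = IP
    local reasons; reasons="$(webscan_block_reasons "$1" "$2")"
    if [ -z "$reasons" ]; then
        echo "no-blocks"
    elif [ "$reasons" = "wordpress-admin" ] && [ "$(cat "$1/blockwpa")" = "1" ]; then
        echo "disable-wpa"
    else
        echo "review: $(echo "$reasons" | paste -sd ' ' -)"
    fi
}
```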


Typical Script Location
/root/webscan.sh

Script Files Location
/root/webscan/

To check all activity relating to an IP address
grep "<some ip address>" /root/webscan/*

To add an IP to the whitelist
echo "<some ip address>" >> /root/webscan/whitelist.a

To decrease DDoS sensitivity on a server (e.g. when a customer has many users accessing from a single IP), you can increase the hits variables inside the script:

ddoshits_s=80 - this variable is not actually used anywhere
ddostime_s=1 - hours to block connection counts greater than ddoshits_s but less than ddoshits_m
ddoshits_m=160
ddostime_m=24 - hours to block connection counts greater than ddoshits_m but less than ddoshits_l
ddoshits_l=240
ddostime_l=72 - hours to block connection counts greater than ddoshits_l
ddosrat=720 - not used

Or you can disable DDoS checking entirely by entering '0' in the dynamic variable file blockdos.
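An added example, not part of the article or of the webscan script, of the DDoS threshold logic described above together with the ddoscount/ddoscountbc defaults listed further down: it counts connections per remote IP from netstat-style output, skips whitelist.a entries, and maps the count to the ddostime_* block duration. The netstat sample, the addresses and the function names are constructed; how webscan itself parses netstat is not shown on this page.

```shell
#!/usr/bin/env bash
# Thresholds as listed in the article: ddoscount/ddoscountbc decide whether a
# connection count is blocked at all, the ddoshits_*/ddostime_* tiers decide
# for how long (ddoshits_s is unused, per the article, so the lowest tier is
# "anything not above ddoshits_m").
ddoscount=160; ddoscountbc=80
ddoshits_m=160; ddoshits_l=240
ddostime_s=1; ddostime_m=24; ddostime_l=72

# Block duration in hours for a connection count that crossed the threshold.
ddos_block_hours() {    # $1 = connection count
    if   [ "$1" -gt "$ddoshits_l" ]; then echo "$ddostime_l"
    elif [ "$1" -gt "$ddoshits_m" ]; then echo "$ddostime_m"
    else echo "$ddostime_s"; fi
}

# Count connections per remote IP from "netstat -nt"-style lines (column 5 is
# the foreign host:port) and print "IP count hours" for each IP at or over the
# threshold, skipping IPs in the whitelist file. $3 = "bc" applies ddoscountbc,
# the lower limit the script uses for countries listed in cntblist.
ddos_offenders() {      # $1 = netstat output file, $2 = whitelist file, $3 = bc|""
    local limit="$ddoscount"
    if [ "$3" = "bc" ]; then limit="$ddoscountbc"; fi
    awk '$1 ~ /^tcp/ { sub(/:[0-9]+$/, "", $5); c[$5]++ }
         END { for (ip in c) print ip, c[ip] }' "$1" \
    | while read -r ip n; do
        grep -qxF -- "$ip" "$2" && continue      # whitelisted: never blocked
        [ "$n" -ge "$limit" ] || continue
        echo "$ip $n $(ddos_block_hours "$n")"
      done | sort
}

# Constructed netstat sample (addresses from the documentation ranges):
# 200 connections from 203.0.113.5, 100 from 192.0.2.7, 250 from 198.51.100.9.
mk_conns() {            # $1 = remote IP, $2 = how many lines
    i=0
    while [ "$i" -lt "$2" ]; do
        i=$((i + 1)); echo "tcp 0 0 10.0.0.1:80 $1:$((40000 + i)) ESTABLISHED"
    done
}
NETSTAT="$(mktemp)"; WHITELIST="$(mktemp)"
{ mk_conns 203.0.113.5 200; mk_conns 192.0.2.7 100; mk_conns 198.51.100.9 250; } > "$NETSTAT"
echo 198.51.100.9 > "$WHITELIST"   # the busy-but-legitimate customer IP
```

With the defaults only 203.0.113.5 is reported; with the cntblist limit (bc) 192.0.2.7 is reported too, while the whitelisted 198.51.100.9 never is.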


Application Specific Limits
These are the number of simultaneous connections from a single IP required to trigger joomla, wp-login, wp-admin, custom, and unknown blocking:

hitsjoo=3
hitswpl=3
hitswpa=3
hitscus=3
hitsunk=3

The time in minutes that joomla, wp-login, wp-admin, custom and unknown (joo, wpl, wpa, cus, unk) connections must persist before they will be blocked:
weblockdelay=90 - a small number of connections results in a generous delay before blocking.
weblockdelaymed=20
weblockdelayshort=10 - a large number of connections results in a short delay before blocking.
weblockdelaybc=5 - used when the IP is from a country listed in cntblist
weblocktimeoutbc=5 - used when the IP is from a country listed in cntblist

The variables below are the number of script cycles that a tracked IP must be absent before it is removed from tracking:

(these values are three times the expected minutes because they are incremented multiple times in a nested loop)
weblocktimeout=60
weblocktimeoutmed=40
weblocktimeoutshort=20

The tracking files are:

webct.a
ftpct.a (FTP 'bad login' IP tracking does not use the above variables)


Default connection threshold from a single IP (checked via netstat) that will result in a block:
ddoscount=160
ddoscountbc=80

ftphits=30
ftptime=72
ftperiod=10
ftpratime=720

#wordpress/joomla/custom/unknown ban time hours
bantime=48
#repeat abuser ban time hours
banratime=720
