“Activity limit exceeded” in 1C-Bitrix: protection from scanning and malicious requests via nginx

If you use 1C-Bitrix, you have probably received an email with the subject “Activity limit exceeded” at least once.

The text of the email is approximately as follows:

The visitor to the site has exceeded the established activity limit.
Since [date] visitor blocked for 600 sec.
Activity – 16 hits in 10 sec. (limit – 15)
Visitor – 1974831
Session – 2032988
Search engine – [0]
UserAgent –

To add to the stop list, use the link below:

This means that too many requests have come to your site from a specific IP address in a short period of time - more than the set limit allows.

Why is this happening?

In most cases, this is not a live visitor, but a bot scanner that checks the site for vulnerable files or vulnerable CMS scripts. The goal is to find a hole and inject malicious code (web shell, backdoor, spam script).

We noticed that the scanning works from fixed lists of well-known malicious or outdated file names. For example:
  • /ee.php
  • /edit.php
  • /dropdown.php
  • /doc.php
  • /content.php
  • /composer.php
  • /classsmtps.php
  • /adminer.php
  • /as.php
  • /alfanew.php

And also by nested paths:

  • /assets/images/doc.php
  • /about/function.php
  • /admin/index.php
  • /.well-known/index.php

Why blocking in Bitrix itself is ineffective

Bitrix provides a link in the email for instantly blocking the IP address. At first glance, this is convenient. In practice, however, the IP addresses change constantly (sometimes with every new request).

As a result, IP blocking in Bitrix has no real effect, and the scanning continues.

How we solved the problem

We decided not to block IP addresses, but to block the malicious requests themselves at the web server level (nginx).

The advantages of this approach:
  • The request does not even reach PHP and Bitrix, so the load on the site is lower.
  • It works for all sites on the server at once.
  • It does not depend on the IP address of the attacker.

We created a configuration file /etc/nginx/fastpanel2-includes/bot-acces-deny.conf, which is included in all sites.

Example of content:

Blocking malicious files at any nesting level:
# Include this file before other regex locations (for example the PHP handler):
# nginx uses the first regex location that matches the request.
location ~* "(?x)
    (/|^) (autoload_classmap\.php
    | auth\.php
    | atomlib\.php
    | assets/images/doc\.php
    | asasx\.php
    | as\.php
    | alfa\.php
    | al\.php
    | akc\.php
    | adminfuns\.php
    | admin/index\.php
    | admin/function\.php
    | admin/admin\.php
    | admin\.php
    | about/function\.php
    | about/Geforce\.php
    | about\.php
    | 87\.php
    | 13k\.php
    | 12\.php
    | ee\.php
    | 10\.php
    | edit\.php
    | dropdown\.php
    | doc\.php
    | content\.php
    | composer\.php
    | classsmtps\.php
    | chosen\.php
    | blog\.php
    | ay\.php
    | av\.php
    | avaa\.php
    | adminer\.php
    | alfanew\.php
    )$" {
    # return runs in the rewrite phase, before the access checks, so it is what answers with 403.
    deny all;
    return 403;
}
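A pre-deployment check for the deny list above, as an added example that is not part of the original article: it rebuilds the same rule from the file names on this page and replays access-log lines through it, listing what would be blocked and which paths you consider legitimate would be caught as well. The log lines are constructed, and the `KNOWN_GOOD` paths and all function names are assumptions to replace with your own.

```python
import re
from urllib.parse import unquote, urlsplit

# File names copied from the deny list on this page.
DENY = """autoload_classmap.php auth.php atomlib.php assets/images/doc.php
asasx.php as.php alfa.php al.php akc.php adminfuns.php admin/index.php
admin/function.php admin/admin.php admin.php about/function.php
about/Geforce.php about.php 87.php 13k.php 12.php ee.php 10.php edit.php
dropdown.php doc.php content.php composer.php classsmtps.php chosen.php
blog.php ay.php av.php avaa.php adminer.php alfanew.php""".split()

# Same shape as the nginx rule: (/|^)(name|name|...)$ with ~* (case-insensitive).
RULE = re.compile(r"(/|^)(" + "|".join(map(re.escape, DENY)) + r")$", re.I)

# Request line of an nginx "combined" access-log entry.
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def uri_of(log_line):
    """Path nginx matches locations against: no query string, percent-decoded."""
    m = REQ.search(log_line)
    return unquote(urlsplit(m.group(1)).path) if m else None

def would_block(path):
    return RULE.search(path) is not None

def replay(log_lines, known_good):
    """Split logged paths into blocked/passed and list blocked known-good paths."""
    blocked, passed = [], []
    for line in log_lines:
        path = uri_of(line)
        if path is None:
            continue  # not a request line we can parse
        (blocked if would_block(path) else passed).append(path)
    false_positives = sorted(p for p in known_good if would_block(p))
    return blocked, passed, false_positives

# Constructed sample data (not real traffic); known-good paths are assumptions.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Aug/2025:10:00:01 +0000] "GET /ee.php HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.9 - - [11/Aug/2025:10:00:01 +0000] "GET /assets/images/doc.php?x=1 HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.4 - - [11/Aug/2025:10:00:02 +0000] "GET /ALFANEW.PHP HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.4 - - [11/Aug/2025:10:00:03 +0000] "GET /catalog/alias.php HTTP/1.1" 200 512 "-" "-"',
    '192.0.2.10 - - [11/Aug/2025:10:00:04 +0000] "GET /news/ HTTP/1.1" 200 900 "-" "-"',
]
KNOWN_GOOD = ["/index.php", "/bitrix/admin/index.php", "/personal/auth.php"]

if __name__ == "__main__":
    results = replay(SAMPLE_LOG, KNOWN_GOOD)
    for label, paths in zip(("blocked", "passed", "false positives"), results):
        print(label, paths)
```

Because the rule matches a listed name after any `/`, generic entries such as `admin/index.php` or `auth.php` also match legitimate files of the same name in any directory, so review the false-positive list before enabling the include.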

11 August 2025 (Boudybuilder) Виталий Фантич
