i have everyday some IPs blocked by my server's firewall.

but lately this has gone mad: over 4-500 IPs blocked everyday...

is this normal?

i am quite new to dedicated servers so i don't know if this is the average...

99% of the the firewall entries look like this:

===========
ModSecurity:
Access denied with code 406 (phase 2). Pattern match [msg "System Command Injection."]

[hostname "www.domain.tld"] [uri
"//index.php?option=com_content&task=&sectionid=&id=&mosConfig_absolute_path=<<URL to shell script removed>>?"]
===========


anyone?

Looks like a file to grab the contents of something someone shouldn't be seeing - relating to Mambo or Joomla. It's being picked up and blocking whoever's trying to do it.

Someone's bot is trying to inject a script into your server (.txt file, which is a shell script, or more specifically, testing your server for exploitable things). Yup, it's normal...ish. ;)

welcome to the world of running your own servers, happens all the time,

ok, thanks guys.