I have suspicious requests in my haproxy logs from multiple sources to the same target. I could deny them in /etc/hosts.deny, but there are too many to keep track of. Is there a way to deny all requests to a specific target either in haproxy or through iptables?

Here's an example of the request:
Apr 12 15:11:37 127.0.0.1 haproxy[28672]: 41.105.42.150:27072 [12/Apr/2011:15:11:37.315] web_servers frontend_farm/######## 3/0/1/1/169 404 1073 - - --NI 3/3/2/1/0 0/0 "GET /images/comment_icon.gif HTTP/1.1"

I've commented out my amazon instance id for security purposes. The request is for comment_icon.gif which does not exist. All requests go to that. The source IPs are from different countries as well. Blocking a certain country won't work either. Basically, if there was a way to send all requests for comment_icon.gif to /dev/null or something it would work.

Welcome to LQ Security.

Unfortunately, traffic of this nature, meaning random connections and queries looking for nonexistent resources is common, and there is little that you can do to totally block it. Is the traffic in question causing you operational difficulties? I ask because while there are some measures you can take, they are not without side effect and you need to carefully consider your reasons for taking action. In this particular case, the reference to "/images/comment_icon.gif" makes me wonder if you have such a reference in one of your pages and it is essentially a broken link to a file that doesn't exist. This might be the first thing to double check. Note, that it could be part of an application or page provided by a 3rd party, if for example you are using a content manager or PHP based application.

If you decide that you really want to take action against this type of activity, I think you would want something with a form of 'active response', like fail2ban, or Ossec. Such a program scans your logs and when too many requests are made for a non-existent item, the offending IP is temporarily blocked. This is usually enough to make these kinds of things go away. You need to be careful with these programs because you can lock yourself out too.

Noway2 is correct. As long as you have a webserver open to the public, you're going to see traffic like this.

One recommendation (probably my only recommendation) is to use modsecurity. It is an application firewall (inspecting packets, not logs, from my understanding). It is not a trivial piece of software, though. You're not going to be able to install it then ignore it (ie, fire-and-forget). You're going to have to monitor the tool (and the logs) and tune it to your taste. There will also be false positives to deal with (another reason why tuning is so crucial). Once you have it tuned to your liking, it is ROCK SOLID.