Suspicious requests in haproxy log. Need to block. Help?
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Suspicious requests in haproxy log. Need to block. Help?
I have suspicious requests in my haproxy logs from multiple sources to the same target. I could deny them in /etc/hosts.deny, but there are too many to keep track of. Is there a way to deny all requests to a specific target either in haproxy or through iptables?
Here's an example of the request:
Apr 12 15:11:37 127.0.0.1 haproxy[28672]: 41.105.42.150:27072 [12/Apr/2011:15:11:37.315] web_servers frontend_farm/######## 3/0/1/1/169 404 1073 - - --NI 3/3/2/1/0 0/0 "GET /images/comment_icon.gif HTTP/1.1"
I've commented out my amazon instance id for security purposes. The request is for comment_icon.gif which does not exist. All requests go to that. The source IPs are from different countries as well. Blocking a certain country won't work either. Basically, if there was a way to send all requests for comment_icon.gif to /dev/null or something it would work.
Unfortunately, traffic of this nature, meaning random connections and queries looking for nonexistent resources is common, and there is little that you can do to totally block it. Is the traffic in question causing you operational difficulties? I ask because while there are some measures you can take, they are not without side effect and you need to carefully consider your reasons for taking action. In this particular case, the reference to "/images/comment_icon.gif" makes me wonder if you have such a reference in one of your pages and it is essentially a broken link to a file that doesn't exist. This might be the first thing to double check. Note, that it could be part of an application or page provided by a 3rd party, if for example you are using a content manager or PHP based application.
If you decide that you really want to take action against this type of activity, I think you would want something with a form of 'active response', like fail2ban, or Ossec. Such a program scans your logs and when too many requests are made for a non-existent item, the offending IP is temporarily blocked. This is usually enough to make these kinds of things go away. You need to be careful with these programs because you can lock yourself out too.
Noway2 is correct. As long as you have a webserver open to the public, you're going to see traffic like this.
One recommendation (probably my only recommendation) is to use modsecurity. It is an application firewall (inspecting packets, not logs, from my understanding). It is not a trivial piece of software, though. You're not going to be able to install it then ignore it (ie, fire-and-forget). You're going to have to monitor the tool (and the logs) and tune it to your taste. There will also be false positives to deal with (another reason why tuning is so crucial). Once you have it tuned to your liking, it is ROCK SOLID.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.