So I was browsing my HAProxy logs earlier today and noticed some odd requests being made by external IP addresses to domains that we are not hosting.

For example

Jun  8 06:25:56 haproxy haproxy[6316]: 185.108.107.19:54243 [08/Jun/2020:06:25:56.731] localhost localhost/<NOSRV> -1/-1/-1/-1/13 503 213 - - SC-- 2/2/0/0/0 0/0 "CONNECT chekfast.zennolab.com:443 HTTP/1.1
Jun  8 06:26:33 haproxy haproxy[6316]: 185.108.107.19:54598 [08/Jun/2020:06:26:33.855] localhost localhost/<NOSRV> -1/-1/-1/-1/3 400 188 - - PR-- 0/0/0/0/0 0/0 "<BADREQ>"
Jun  8 06:34:07 haproxy haproxy[6316]: 94.200.76.222:55958 [08/Jun/2020:06:34:07.906] localhost localhost/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 0/0/0/0/0 0/0 "POST /cgi-bin/mainfunction.cgi HTTP/1.1"
Jun  8 06:46:05 haproxy haproxy[6316]: 14.221.172.38:2184 [08/Jun/2020:06:46:05.845] localhost localhost/<NOSRV> -1/-1/-1/-1/11 503 213 - - SC-- 6/6/0/0/0 0/0 "GET http://api.gxout.com/proxy/check.aspx HTTP/1.1"
Jun  8 06:59:49 haproxy haproxy[6316]: 223.12.75.250:17883 [08/Jun/2020:06:59:49.392] localhost localhost/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 11/11/0/0/0 0/0 "HEAD http://123.125.114.144/ HTTP/1.1"

From what I can tell the person doing this (or script) is getting response codes like 503 (Service Unavailable) which I am hoping means that the request is not going through properly - but is there some way I can stop these sorts of requests from being made in the first place? We are running HAProxy version 1.6.3 on Ubuntu 16.04.4 LTS.

Thanks

Richie086
  • They can make the requests sort of regardless. You can run something like fail2ban so no single IP address can make more than your predefined number of bad requests, which raises the cost to probe your server. HAProxy has a tool built in that does something similar that you can see at: https://www.haproxy.com/blog/bot-protection-with-haproxy/ – Altimus Prime Jun 10 '20 at 00:15
  • @AltimusPrime I’ll give this a try tomorrow, thanks – Richie086 Jun 10 '20 at 01:49
  • Did you ever try either of the solutions I suggested? If not, what did you eventually do to lower the bogus requests? – Altimus Prime Jul 15 '20 at 17:32
  • Yep, it worked. I spaced on marking your answer till now tho – Richie086 Jul 22 '20 at 02:44

1 Answer

You can't prevent people from making the request, but you can limit the number of times a given IP makes certain requests.

On the server level I run fail2ban and define the jails and rules to my needs, so no single IP address can make more than your predefined number of bad requests and it drastically reduces the total number of requests to the server. For more information on how to use it, create specific rules and define log files to your needs, visit:

https://www.fail2ban.org/wiki/index.php/MANUAL_0_8

HAProxy has a tool built in that does something similar that you can see at:

https://haproxy.com/blog/bot-protection-with-haproxy

If I understand correctly, HAProxy only concerns itself with requests being routed to the ports it's responsible for. fail2ban can have rules for requests on any port, so if it's not already running and you look at your secure log, there are probably loads of people probing your ports 22, 3306 and others.

Altimus Prime
  • Thank you for converting your comment to an answer, I will try this today and be sure to mark this as the answer if it works for me. It looks like exactly what I am looking for. – Richie086 Jun 10 '20 at 16:30
  • Never got around to testing this yesterday. It’s on my todo list though – Richie086 Jun 11 '20 at 20:49
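
The per-IP limit described in the answer, run over the log lines from the question, as an added example that is not part of the original thread and is not fail2ban's or HAProxy's own code. The parameter names borrow fail2ban's `maxretry` and `findtime` (seconds); the threshold values and the reason labels are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the question (HAProxy HTTP log format).
SAMPLE = r'''
Jun  8 06:25:56 haproxy haproxy[6316]: 185.108.107.19:54243 [08/Jun/2020:06:25:56.731] localhost localhost/<NOSRV> -1/-1/-1/-1/13 503 213 - - SC-- 2/2/0/0/0 0/0 "CONNECT chekfast.zennolab.com:443 HTTP/1.1
Jun  8 06:26:33 haproxy haproxy[6316]: 185.108.107.19:54598 [08/Jun/2020:06:26:33.855] localhost localhost/<NOSRV> -1/-1/-1/-1/3 400 188 - - PR-- 0/0/0/0/0 0/0 "<BADREQ>"
Jun  8 06:34:07 haproxy haproxy[6316]: 94.200.76.222:55958 [08/Jun/2020:06:34:07.906] localhost localhost/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 0/0/0/0/0 0/0 "POST /cgi-bin/mainfunction.cgi HTTP/1.1"
Jun  8 06:46:05 haproxy haproxy[6316]: 14.221.172.38:2184 [08/Jun/2020:06:46:05.845] localhost localhost/<NOSRV> -1/-1/-1/-1/11 503 213 - - SC-- 6/6/0/0/0 0/0 "GET http://api.gxout.com/proxy/check.aspx HTTP/1.1"
Jun  8 06:59:49 haproxy haproxy[6316]: 223.12.75.250:17883 [08/Jun/2020:06:59:49.392] localhost localhost/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 11/11/0/0/0 0/0 "HEAD http://123.125.114.144/ HTTP/1.1"
'''.strip().splitlines()

# client ip:port, [accept date], frontend, backend/server, timers, status, ..., "request"
LINE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[\d.]+):\d+ \[(?P<ts>[^\]]+)\] \S+ (?P<srv>\S+) '
    r'\S+ \d{3} .* "(?P<req>[^"]*)"?$')

def classify(req, srv):
    """Return why a logged request looks like a probe, or None if it does not."""
    if req == "<BADREQ>":
        return "malformed"
    method, _, target = req.partition(" ")
    if method == "CONNECT":
        return "proxy-connect"          # attempt to tunnel through us
    if target.lower().startswith(("http://", "https://")):
        return "proxy-absolute-uri"     # proxy-style request for a foreign host
    if srv.endswith("/<NOSRV>"):
        return "no-backend"             # request that no backend server handled
    return None

def offenders(lines, maxretry=2, findtime=600):
    """Map each IP with >= maxretry probe-like requests inside findtime seconds to its reasons."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        reason = classify(m["req"], m["srv"]) if m else None
        if reason:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f")
            hits[m["ip"]].append((ts, reason))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        # Slide a window of maxretry consecutive events over the sorted list.
        for i in range(len(events) - maxretry + 1):
            if (events[i + maxretry - 1][0] - events[i][0]).total_seconds() <= findtime:
                flagged[ip] = [reason for _, reason in events]
                break
    return flagged
```

With the defaults only 185.108.107.19 is flagged, since it is the one address with two probe-like requests inside ten minutes; lowering `maxretry` to 1 flags all four source addresses.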