[RndTbl] weird apache hit

Trevor Cordes trevor at tecnopolis.ca
Wed Feb 19 12:20:23 CST 2020


On 2020-02-17 Tim Lavoie wrote:
> If you’re up to adding and configuring it, ModSecurity and the
> community rule set can provide a lot of information. Besides actively
> preventing some attacks, you can log complete requests, ideally only
> for the weird traffic.

Thanks for that, I'm looking into it.  I did try leaving a tcpdump
going on port 80 after confirming we get very little traffic on it.  I
was right, 99.9% of our traffic is 443 now.

Of course, it ran for 24 hours and this is the first span of 24 hours
where the attackers/probers didn't trigger the behavior in weeks.
Sigh.  On the bright side, that should mean they hit it in the next few
hours...

Now I'm also trying to figure out why 2 similarly configured apaches
respond differently to CONNECT and OPTION methods... Probers seem to
like to test CONNECT for open proxies... next up: restrict all my
servers to just GET POST HEAD.  The fun never ends!
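
An added example (not from this thread or from any of the posters) for
triaging the kind of traffic described above: it parses Apache
"combined"-format access log lines, tallies every request whose method
is outside GET/POST/HEAD, and flags the ones the server answered with a
2xx, since a 2xx to a CONNECT is exactly what an open-proxy prober is
hoping to see. The log lines are constructed for the example; the
addresses, timestamps and targets are not from any real server.

```python
"""Triage Apache access-log lines for HTTP methods other than GET/POST/HEAD
(for example CONNECT or OPTIONS probes) and flag any such request the server
answered with a 2xx status instead of rejecting it.

Added example; the sample lines below are constructed, and the format
assumed is Apache's default "combined" LogFormat.
"""
import re
from collections import Counter

ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Combined format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    request = m.group("request")
    parts = request.split(" ")
    # A well-formed request line is "METHOD target HTTP/x.y"; anything else
    # gets method "-" so it still shows up in the tally as a non-allowed method.
    method = parts[0] if len(parts) == 3 else "-"
    target = parts[1] if len(parts) == 3 else request
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "method": method,
        "target": target,
        "status": int(m.group("status")),
    }


def triage(lines):
    """Summarize requests that use a method outside ALLOWED_METHODS.

    Returns (counts, accepted): counts is a Counter keyed by (method, status);
    accepted lists the parsed records whose non-allowed method got a 2xx,
    i.e. the server did not refuse it.
    """
    counts = Counter()
    accepted = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] in ALLOWED_METHODS:
            continue
        counts[(rec["method"], rec["status"])] += 1
        if 200 <= rec["status"] < 300:
            accepted.append(rec)
    return counts, accepted


# Constructed sample: the same CONNECT probe answered 405 by a server that
# refuses it and 200 by one that does not, plus an OPTIONS probe and noise.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2020:11:58:01 -0600] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2020:11:58:02 -0600] "CONNECT example.net:443 HTTP/1.1" 405 0 "-" "-"
203.0.113.7 - - [19/Feb/2020:11:58:03 -0600] "OPTIONS * HTTP/1.0" 200 0 "-" "-"
198.51.100.9 - - [19/Feb/2020:12:01:10 -0600] "CONNECT example.net:443 HTTP/1.1" 200 0 "-" "-"
198.51.100.9 - - [19/Feb/2020:12:01:11 -0600] "HEAD /index.html HTTP/1.1" 200 0 "-" "curl/7.68.0"
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    counts, accepted = triage(SAMPLE_LOG)
    for (method, status), n in sorted(counts.items()):
        print(f"{method:8} {status}  x{n}")
    for rec in accepted:
        print("ACCEPTED non-allowed method:",
              rec["host"], rec["method"], rec["target"], rec["status"])
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's
lines; a CONNECT that shows up with a 200 is the case worth chasing, and
the per-(method, status) tally is a quick way to compare how two hosts
answer the same probe. On the restriction side, Apache's own
`<LimitExcept GET POST HEAD>` block with `Require all denied` inside it
is the standard way to refuse every other method; note that in
`<Limit>`/`<LimitExcept>` a listed GET also covers HEAD, and that CONNECT
is only ever honoured as a proxy request when mod_proxy has
`ProxyRequests On` (the default is Off).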
