tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Howard W. Smith, Jr." <smithh032...@gmail.com>
Subject Re: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log
Date Tue, 09 Jul 2013 12:26:20 GMT
On Tue, Jul 9, 2013 at 8:16 AM, Mark Thomas <markt@apache.org> wrote:

> On 09/07/2013 12:54, Howard W. Smith, Jr. wrote:
> > On Tue, Jul 9, 2013 at 2:18 AM, Caldarale, Charles R <
> > Chuck.Caldarale@unisys.com> wrote:
> >
> >>> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
> >>> Subject: Re: How to handle "CONNECT ... HTTP 1.1" 400 in
> >> localhost_access_log
> >>
> >>> why would the same IP address be hitting my server when 400 is the
> >>> response?
> >>
> >>> and they will continue attempting these "CONNECT..." requests until
> >>> they get a 404 or what?
> >>
> >> Because they're trying to break in.  Any response indicates there's
> >> something to poke around in.
> >>
> >>> The 'HTTP "Forbidden" error' returned by RemoteAddrValve would seem to
> >> fuel
> >>> future/continual attempts as well as error 400. right?
> >>
> >> True, which is why it's best just to have a firewall or the TCP/IP stack
> >> completely ignore the traffic, and not send anything back.  By the time
> the
> >> request gets to Tomcat, the TCP connection is established, so the
> >> antagonist knows there's something there.
> >>
> >
> > Done. Thanks. Will continue to monitor logs, occasionally, to see if my
> > changes, made at the firewall level, blocks the IP addresses that are
> > repeat offenders. :)
>
> fail2ban is your friend
>
> The ASF uses it pretty much everywhere.
>
> Mark
>

thanks Mark. researching that now....for Windows Server 2008. :)


>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message