On 2020-02-17 Tim Lavoie wrote:
If you’re up to adding and configuring it, ModSecurity and the community rule set can provide a lot of information. Besides actively preventing some attacks, you can log complete requests, ideally only for the weird traffic.
Thanks for that, I'm looking into it. I did try leaving a tcpdump going on port 80 after confirming we get very little traffic on it. I was right, 99.9% of our traffic is 443 now.
Of course, it ran for 24 hours and this is the first span of 24 hours where the attackers/probers didn't trigger the behavior in weeks. Sigh. On the bright side, that should mean they hit it in the next few hours...
Now I'm also trying to figure out why two similarly configured Apaches respond differently to CONNECT and OPTION methods... Probers seem to like to test CONNECT for open proxies... next up: restrict all my servers to just GET, POST, HEAD. The fun never ends!
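As an added example that is not part of the thread above, the following script shows the detection side of what is discussed: scanning Apache access logs for requests whose method is outside a GET/POST/HEAD allowlist (CONNECT open-proxy probes, OPTIONS and TRACE sweeps) and for request lines that do not parse at all, such as a TLS ClientHello sent to port 80. It assumes the Apache "combined" log format; the log lines are constructed samples with RFC 5737 documentation addresses, not traffic from the poster's servers.

```python
import re
from collections import Counter

# Apache "combined" log format is assumed here; only the fields needed are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Methods the servers are meant to serve; everything else is worth a look.
# Comparison is case-sensitive, as HTTP method names are.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Constructed sample log (documentation IP ranges, invented timestamps).
SAMPLE_LOG = """\
203.0.113.10 - - [17/Feb/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2020:10:01:05 +0000] "CONNECT example.net:443 HTTP/1.1" 405 0 "-" "-"
198.51.100.7 - - [17/Feb/2020:10:01:06 +0000] "OPTIONS * HTTP/1.0" 200 0 "-" "-"
203.0.113.10 - - [17/Feb/2020:10:01:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Feb/2020:10:01:10 +0000] "\\x16\\x03\\x01" 400 0 "-" "-"
192.0.2.44 - - [17/Feb/2020:10:02:00 +0000] "TRACE / HTTP/1.1" 405 0 "-" "curl/7.64"
203.0.113.10 - - [17/Feb/2020:10:02:03 +0000] "HEAD /robots.txt HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line; return None if the line is not in that format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.group("req")
    parts = req.split(" ")
    # A well-formed request line is exactly "METHOD TARGET HTTP/x.y".
    # Anything else (e.g. raw TLS bytes escaped by Apache as \x16\x03\x01)
    # is recorded with method None so it is still flagged, not silently dropped.
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        method = parts[0]
    else:
        method = None
    return {
        "ip": m.group("ip"),
        "method": method,
        "request": req,
        "status": int(m.group("status")),
    }


def find_method_probes(log_text, allowed=ALLOWED_METHODS):
    """Return (flagged_entries, probes_per_source_ip).

    An entry is flagged when its method is not in the allowlist or the
    request line could not be parsed into method/target/version.
    """
    flagged = []
    per_ip = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not a combined-format line; skip rather than guess
        if entry["method"] is None or entry["method"] not in allowed:
            flagged.append(entry)
            per_ip[entry["ip"]] += 1
    return flagged, per_ip


if __name__ == "__main__":
    flagged, per_ip = find_method_probes(SAMPLE_LOG)
    for e in flagged:
        method = e["method"] or "<unparseable>"
        print(f'{e["ip"]:15} {method:13} {e["request"]!r} -> {e["status"]}')
    print("probes per source:", dict(per_ip))
```

Run against a real access log with `find_method_probes(open(path).read())`; a source that shows up repeatedly with CONNECT or unparseable request lines is the probing traffic the thread is trying to catch, and the per-IP counter is what you would feed into rate limiting or a block list. On the Apache side, the matching restriction for httpd 2.4 is a `<LimitExcept GET POST HEAD>` block containing `Require all denied` inside `<Location "/">`; note that allowing GET already allows HEAD in Apache's `Limit`/`LimitExcept` handling.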