10 Nov
2019
10 Nov
'19
10:35 a.m.
Hi All,
A website on my VPS has been receiving HEAD requests,
which cause it to fail, and are cluttering up my error logs. They are
coming from IPs all over the place, but only a few (3 to 5) a day.
What would generate them?
How should the software respond?
Regards
Ian
--
Ian Hobson
Tel (+351) 910 418 473
10 Nov
10 Nov
10:56 a.m.
Hi Ian,
I am not a web developer, but…
On Sun, Nov 10, 2019 at 10:35:20AM +0000, Ian Hobson wrote:
A website on my VPS has been receiving HEAD requests,
which cause it to fail, and are cluttering up my error logs.
I don't think that, standards-wise, a HEAD request should fail if a
GET request would not fail.
The purpose of a HEAD request is to "see what would happen" if a GET
request was done, e.g. check if the resource is actually there, what
its size is, when it was last modified, etc., without actually
having to receive the entire content in response.
For example, software that checks for broken links on a web site
might send a HEAD request to each link to see if it still exists.
They are coming from IPs all over the place, but only
a few (3 to 5) a day.
What would generate them?
It probably isn't for your benefit, but I'm guessing that it's
something which has archived your site and is checking if what it
has in its archive is still current.
How should the software respond?
It should do whatever it does for a GET of the same resource, but
not send the content.
Unless it's obviously abusive I wouldn't be concerning myself over 5
requests a day, but I might be wondering why my software objects to
them.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
11 Nov
11 Nov
11:30 a.m.
New subject: Blocking IP Addresses
Hi,
I read some reports on this list where people get random IPs
scanning/probing ports. I have that same issue of course.
I use a combination of fail2ban and some hooks in my software to build
up a blacklist of IPs over time.
My question is if it's feasible to have a bitfolk-hosted blacklist of
IPs. If we were all to report our probes and scans into a (to-be-build)
bitfolk system, we'd probably protect each other more quickly and
effectively.
Of course I am not certain if that's an option, (e.g. not sure if the
inbound routers are powerful enough) but maybe Andy could comment?
Conrad
11:54 a.m.
New subject: Blocking IP Addresses
On 11 Nov 2019, at 11:30, Conrad Wood
<cnw(a)conradwood.net> wrote:
I read some reports on this list where people get random IPs
scanning/probing ports. I have that same issue of course.
I use a combination of fail2ban and some hooks in my software to build
up a blacklist of IPs over time.
My question is if it's feasible to have a bitfolk-hosted blacklist of
IPs. If we were all to report our probes and scans into a (to-be-build)
bitfolk system, we'd probably protect each other more quickly and
effectively.
You might look at denyhosts, which I believe has a community blacklist at denyhosts.net
<http://denyhosts.net/>. If you don’t want to use denyhosts explicitly, you may be
able to synchronise that database content with fail2ban.
It occurs to me though that these mechanisms would be an obvious vector for a DOS attack,
by maliciously blacklisting harmless IP blocks. I don’t know what measures (if any)
denyhosts has taken to prevent that.
Regards,
Chris
—
Chris Smith <space.dandy(a)icloud.com>
12:01 p.m.
New subject: Blocking IP Addresses
On Mon, 2019-11-11 at 11:54 +0000, Chris Smith wrote:
I should have mentioned that I do use some community lists too. The
main point though I was attempting to convey was that I would consider
it beneficial if the blocking was done on a router upstream from the
VPS rather on the VPS itself.
Conrad
On 11 Nov
2019, at 11:30, Conrad Wood <cnw(a)conradwood.net> wrote:
I read some reports on this list where people get random IPs
scanning/probing ports. I have that same issue of course.
I use a combination of fail2ban and some hooks in my software to
build
up a blacklist of IPs over time.
My question is if it's feasible to have a bitfolk-hosted blacklist
of
IPs. If we were all to report our probes and scans into a (to-be-
build)
bitfolk system, we'd probably protect each other more quickly and
effectively.
You might look at denyhosts, which I believe has a community
blacklist at denyhosts.net. If you don’t want to use denyhosts
explicitly, you may be able to synchronise that database content with
fail2ban.
It occurs to me though that these mechanisms would be an obvious
vector for a DOS attack, by maliciously blacklisting harmless IP
blocks. I don’t know what measures (if any) denyhosts has taken to
prevent that.
12:28 p.m.
New subject: Blocking IP Addresses
On 11 Nov 2019, at 12:01, Conrad Wood
<cnw(a)conradwood.net> wrote:
On Mon, 2019-11-11 at 11:54 +0000, Chris Smith wrote:
Then my point is perhaps even more valid, and also raises questions about unwanted
censorship. How would I opt out if I needed to? Perhaps I want to analyse such traffic,
or use it to test my own protection software. One man’s scat is another man’s fetish.
This seems to me far too problematic for what little benefit there is.
Chris
—
Chris Smith <space.dandy(a)icloud.com>
It occurs to me though that these mechanisms would be an obvious
vector for a DOS attack, by maliciously blacklisting harmless IP
blocks. I don’t know what measures (if any) denyhosts has taken to
prevent that.
I should have mentioned that I do use some community lists too. The
main point though I was attempting to convey was that I would consider
it beneficial if the blocking was done on a router upstream from the
VPS rather on the VPS itself. 
1:34 p.m.
New subject: Blocking IP Addresses
One problem would be that these unwanted IPs change and you could be
blocking the puppet not the puppet-master.
One system I have been using is to put SSH on an alternative port. When any
IP queries port 22, it is added to a blacklist set with a fixed timeout.
Everytime that IP visits any port its timeout is reset to the original
value. Bit like fail2ban does. By experiment I have found a day in the
sinbin is about the right balance. A couple of lines or so of code does it.
My thinking was nobody has any legit reason for visiting port 22, and if
they are up to no good there then they are probably up to no good
elsewhere. I added port 23 to the rule as well
On Mon, 11 Nov 2019 at 12:29, Chris Smith via users <users(a)lists.bitfolk.com>
wrote:
On 11 Nov 2019, at 12:01, Conrad Wood <cnw(a)conradwood.net> wrote:
On Mon, 2019-11-11 at 11:54 +0000, Chris Smith wrote:
It occurs to me though that these mechanisms would be an obvious
vector for a DOS attack, by maliciously blacklisting harmless IP
blocks. I don’t know what measures (if any) denyhosts has taken to
prevent that.
I should have mentioned that I do use some community lists too. The
main point though I was attempting to convey was that I would consider
it beneficial if the blocking was done on a router upstream from the
VPS rather on the VPS itself.
Then my point is perhaps even more valid, and also raises questions about
unwanted censorship. How would I opt out if I needed to? Perhaps I want
to analyse such traffic, or use it to test my own protection software. One
man’s scat is another man’s fetish. This seems to me far too problematic
for what little benefit there is.
Chris
—
Chris Smith <space.dandy(a)icloud.com>
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
2:09 p.m.
New subject: Blocking IP Addresses
Hi Conrad,
On Mon, Nov 11, 2019 at 11:30:50AM +0000, Conrad Wood wrote:
I use a combination of fail2ban and some hooks in my
software to build
up a blacklist of IPs over time.
At the moment I am also using Fail2Ban for SSH attackers and
dictionary attacks against a few different web apps.
Last time we talked about this on the list people suggested I use
multiple different jails with much longer ban times for repeat
offenders, so I started doing that too.
I currently null route them rather than firewall them but that's
much of a muchness.
http://strugglers.net/~andy/blog/2019/09/04/fail2ban-iptables-and-config-ma…
That is happening on each host (and even on each of BitFolk's own
guests) without sharing the bans. I've often thought about sharing
some sort of database.
My question is if it's feasible to have a
bitfolk-hosted blacklist of
IPs. If we were all to report our probes and scans into a (to-be-build)
bitfolk system, we'd probably protect each other more quickly and
effectively.
…so when I start thinking about sharing some sort of database, my
next thought is, "could the customers contribute to and benefit from
that as well?" It's been on my mind from time to time!
Of course I am not certain if that's an option,
(e.g. not sure if the
inbound routers are powerful enough)
I'm not really worried about load of it. It's probably beneficial to
drop a packet rather than have it go through the router, through the
hypervisor, into the guest, be logged as objectionable, do all that
again and be dropped in the guest's firewall.
My major concern is how to prevent customers (and me) from
accidentally or maliciously blocking too many things for everyone
else. Do you have any ideas?
After that, my lesser concerns are around how much work this would
be:
- Presumably it is going to need some sort of REST API for
submission and querying.
- As the ban actions would be happening in a device that you don't
have control of, possibly there would need to be reporting of the
packets that have hit the ban for you in particular. Otherwise any
time anything network-wise goes wrong, you're going to be in the
dark about whether it's down to this.
- This doesn't sound like a service that people would pay for, or
even be so impressed by that it would influence a purchasing
decision. That doesn't stop me from considering improvements like
this but it does mean that it would happen at the expense of
something else that needs doing.
Copping out and just making a blocklist that people can choose to
use themselves or not seems easier: at least they can see themselves
what they are dropping. But then it's questionable if there is any
value to that beyond just using existing blocklists.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
2:38 p.m.
New subject: Blocking IP Addresses
On Mon, 2019-11-11 at 14:09 +0000, Andy Smith wrote:
Hi Conrad,
On Mon, Nov 11, 2019 at 11:30:50AM +0000, Conrad Wood wrote:
Ah yes, using it on the hypervisor should drop CPU usage quite a bit
too. Good idea.
I use a combination of fail2ban and some hooks in
my software to
build
up a blacklist of IPs over time.
At the moment I am also using Fail2Ban for SSH attackers and
dictionary attacks against a few different web apps.
Last time we talked about this on the list people suggested I use
multiple different jails with much longer ban times for repeat
offenders, so I started doing that too.
I currently null route them rather than firewall them but that's
much of a muchness.
http://strugglers.net/~andy/blog/2019/09/04/fail2ban-iptables-and-config-ma…
That is happening on each host (and even on each of BitFolk's own
guests) without sharing the bans. I've often thought about sharing
some sort of database.
My question is if it's feasible to have a
bitfolk-hosted blacklist
of
IPs. If we were all to report our probes and scans into a (to-be-
build)
bitfolk system, we'd probably protect each other more quickly and
effectively.
…so when I start thinking about sharing some sort of database, my
next thought is, "could the customers contribute to and benefit from
that as well?" It's been on my mind from time to time!
Of course I am not certain if that's an
option, (e.g. not sure if
the
inbound routers are powerful enough)
I'm not really worried about load of it. It's probably beneficial to
drop a packet rather than have it go through the router, through the
hypervisor, into the guest, be logged as objectionable, do all that
again and be dropped in the guest's firewall.
My major concern is how to prevent customers (and me) from
accidentally or maliciously blocking too many things for everyone
else. Do you have any ideas?
It ought to be a score based system, e.g. each VPS reports a
probe/malicious source IP with a 'confidence level'.
The bitfolk system would then sum/other algorithm the difference
confidence levels into a score.
Ideally, customers could choose from which confidence level onwards
they would like packets dropped, but I think that could also be
bitfolk-managed.
Equally, a "good" ip could be reported too. Assuming an API of sort I
could authenticate against bitfolk and submit my IPs as 'known good'.
After that, my lesser concerns are around how much work this would
be:
- Presumably it is going to need some sort of REST API for
submission and querying.
Preferrably gRPC ;)
- As the ban actions would be happening in a device that you don't
have control of, possibly there would need to be reporting of the
packets that have hit the ban for you in particular. Otherwise any
time anything network-wise goes wrong, you're going to be in the
dark about whether it's down to this.
prometheus could gather stats per VPS. (e.g. how many were dropped for
a given VPS). there are several iptables exporters for that case. (I
also have an iptables exporter in golang - happy to contribute that
source)
I think if each dropped packet (by source & vps) were to be logged in a
system and customers can choose to scrape that or not when/if required
the time this information needs to be stored could be very short.
For example, if you keep that log or database for 24 hours it would
probably be sufficient (and would keep it small(ish))
- This doesn't sound like a service that people would pay for, or
even be so impressed by that it would influence a purchasing
decision. That doesn't stop me from considering improvements like
this but it does mean that it would happen at the expense of
something else that needs doing.
You are probably right. What do you think of a github account for
bitfolk where we could all contribute? That might raise awareness about
the cool things that bitfolk does and might just add a few customers.
(And might help you with the maintenance of the contributed code)
Copping out and just making a blocklist that people can choose to
use themselves or not seems easier: at least they can see themselves
what they are dropping. But then it's questionable if there is any
value to that beyond just using existing blocklists.
I think it needs to be opt-in as well.
11:57 a.m.
On 10/11/2019 10:56, Andy Smith wrote:
Hi Ian,
Unless it's obviously abusive I wouldn't be concerning myself over 5
requests a day, but I might be wondering why my software objects to
them.
Totally agree.
The software now handles HEAD like GET, and all is quiet.
Regards
Ian
Cheers,
Andy
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
--
Ian Hobson
Tel (+351) 910 418 473
1867
days inactive
1868
days old
9 comments
5 participants
participants (5)
-
Andy Smith -
Chris Smith -
Conrad Wood -
Ian Hobson -
Keith Williams