Posted to users@tomcat.apache.org by "Howard W. Smith, Jr." <sm...@gmail.com> on 2013/07/08 21:27:15 UTC

How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log

A few minutes ago, I just recognized the following in the
localhost_access_log:

183.60.48.25 - - [08/Jul/2013:15:15:26 -0400] "CONNECT
tcpconn2.tencent.com:443 HTTP/1.1" 400 -

and then searched all localhost_access_log files and found more
occurrences[1].

This is my first time seeing this type of request, but I assume it is very
similar to the "HEAD /..." request attempts by bots/etc. Based on the 400
server response, I assume that I have nothing to worry about here, but it
seems as though the same IP address is attempting these 'CONNECT ...'
attempts, multiple times per day, almost every day. :(

Any advice on how to handle these requests (if necessary) and/or
information about this type of 'CONNECT ...' request would be
appreciated. Thanks.


[1] https://gist.github.com/smithh032772/5951621

Re: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 7/9/13 8:16 AM, Mark Thomas wrote:
> On 09/07/2013 12:54, Howard W. Smith, Jr. wrote:
>> On Tue, Jul 9, 2013 at 2:18 AM, Caldarale, Charles R < 
>> Chuck.Caldarale@unisys.com> wrote:
>> 
>>>> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com] 
>>>> Subject: Re: How to handle "CONNECT ... HTTP 1.1" 400 in
>>> localhost_access_log
>>> 
>>>> Why would the same IP address be hitting my server when 400
>>>> is the response?
>>> 
>>>> And they will continue attempting these "CONNECT..." requests
>>>> until they get a 404 or what?
>>> 
>>> Because they're trying to break in.  Any response indicates
>>> there's something to poke around in.
>>> 
>>>> The 'HTTP "Forbidden" error' returned by RemoteAddrValve
>>>> would seem to
>>> fuel
>>>> future/continual attempts as well as error 400. Right?
>>> 
>>> True, which is why it's best just to have a firewall or the
>>> TCP/IP stack completely ignore the traffic, and not send
>>> anything back.  By the time the request gets to Tomcat, the TCP
>>> connection is established, so the antagonist knows there's
>>> something there.
>>> 
>> 
>> Done. Thanks. Will continue to monitor logs, occasionally, to see
>> if my changes, made at the firewall level, block the IP
>> addresses that are repeat offenders. :)
> 
> fail2ban is your friend

+1

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log

Posted by "Howard W. Smith, Jr." <sm...@gmail.com>.
On Tue, Jul 9, 2013 at 8:16 AM, Mark Thomas <ma...@apache.org> wrote:

> On 09/07/2013 12:54, Howard W. Smith, Jr. wrote:
> > On Tue, Jul 9, 2013 at 2:18 AM, Caldarale, Charles R <
> > Chuck.Caldarale@unisys.com> wrote:
> >
> >>> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
> >>> Subject: Re: How to handle "CONNECT ... HTTP 1.1" 400 in
> >> localhost_access_log
> >>
> >>> Why would the same IP address be hitting my server when 400 is the
> >>> response?
> >>
> >>> And they will continue attempting these "CONNECT..." requests until
> >>> they get a 404 or what?
> >>
> >> Because they're trying to break in.  Any response indicates there's
> >> something to poke around in.
> >>
> >>> The 'HTTP "Forbidden" error' returned by RemoteAddrValve would seem to
> >> fuel
> >>> future/continual attempts as well as error 400. Right?
> >>
> >> True, which is why it's best just to have a firewall or the TCP/IP stack
> >> completely ignore the traffic, and not send anything back.  By the time
> the
> >> request gets to Tomcat, the TCP connection is established, so the
> >> antagonist knows there's something there.
> >>
> >
> > Done. Thanks. Will continue to monitor logs, occasionally, to see if my
> > changes, made at the firewall level, block the IP addresses that are
> > repeat offenders. :)
>
> fail2ban is your friend
>
> The ASF uses it pretty much everywhere.
>
> Mark
>

Thanks Mark. Researching that now... for Windows Server 2008. :)



Re: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log

Posted by Mark Thomas <ma...@apache.org>.
On 09/07/2013 12:54, Howard W. Smith, Jr. wrote:
> On Tue, Jul 9, 2013 at 2:18 AM, Caldarale, Charles R <
> Chuck.Caldarale@unisys.com> wrote:
> 
>>> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
>>> Subject: Re: How to handle "CONNECT ... HTTP 1.1" 400 in
>> localhost_access_log
>>
>>> Why would the same IP address be hitting my server when 400 is the
>>> response?
>>
>>> And they will continue attempting these "CONNECT..." requests until
>>> they get a 404 or what?
>>
>> Because they're trying to break in.  Any response indicates there's
>> something to poke around in.
>>
>>> The 'HTTP "Forbidden" error' returned by RemoteAddrValve would seem to
>> fuel
>>> future/continual attempts as well as error 400. Right?
>>
>> True, which is why it's best just to have a firewall or the TCP/IP stack
>> completely ignore the traffic, and not send anything back.  By the time the
>> request gets to Tomcat, the TCP connection is established, so the
>> antagonist knows there's something there.
>>
> 
> Done. Thanks. Will continue to monitor logs, occasionally, to see if my
> changes, made at the firewall level, block the IP addresses that are
> repeat offenders. :)

fail2ban is your friend

The ASF uses it pretty much everywhere.

Mark


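Added example, not from the thread and not fail2ban's own code: a small Python script that applies the "repeat offender" idea discussed above (the same IP sending CONNECT requests that Tomcat rejects with 400, day after day) to localhost_access_log lines in the AccessLogValve "common" format. The log lines, thresholds and function names are constructed for this example; a fail2ban filter would do the same matching with a regex and a ban threshold.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines in the same format as the excerpt posted in the thread.
SAMPLE_LOG = """\
183.60.48.25 - - [08/Jul/2013:15:15:26 -0400] "CONNECT tcpconn2.tencent.com:443 HTTP/1.1" 400 -
183.60.48.25 - - [08/Jul/2013:16:02:11 -0400] "CONNECT tcpconn2.tencent.com:443 HTTP/1.1" 400 -
10.0.0.7 - - [08/Jul/2013:16:05:00 -0400] "GET /app/index.xhtml HTTP/1.1" 200 5120
183.60.48.25 - - [09/Jul/2013:03:41:09 -0400] "CONNECT tcpconn2.tencent.com:443 HTTP/1.1" 400 -
198.51.100.9 - - [09/Jul/2013:09:12:40 -0400] "HEAD / HTTP/1.1" 200 -
198.51.100.9 - - [09/Jul/2013:09:12:41 -0400] "CONNECT example.net:443 HTTP/1.1" 400 -
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["when"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_proxy_probe(rec):
    """A CONNECT that Tomcat answered with 400: the server is not a proxy, so this is a probe."""
    return rec["method"] == "CONNECT" and rec["status"] == 400


def repeat_offenders(lines, min_hits=2, min_days=2):
    """Group rejected CONNECT requests by client IP and return (ip, hits, distinct_days)
    for every client that crossed both thresholds, most active first."""
    hits = defaultdict(int)
    days = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_proxy_probe(rec):
            continue  # unparseable or ordinary traffic
        hits[rec["ip"]] += 1
        days[rec["ip"]].add(rec["when"].date())
    found = [(ip, n, len(days[ip])) for ip, n in hits.items()
             if n >= min_hits and len(days[ip]) >= min_days]
    return sorted(found, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n, d in repeat_offenders(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {n} rejected CONNECT requests over {d} day(s)")
```

The resulting list is what you would feed to the firewall rule (or let fail2ban act on), so the block happens before the TCP handshake completes rather than at the Valve.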


Re: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log

Posted by "Howard W. Smith, Jr." <sm...@gmail.com>.
On Tue, Jul 9, 2013 at 2:18 AM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:

> > From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
> > Subject: Re: How to handle "CONNECT ... HTTP 1.1" 400 in
> localhost_access_log
>
> > Why would the same IP address be hitting my server when 400 is the
> > response?
>
> > And they will continue attempting these "CONNECT..." requests until
> > they get a 404 or what?
>
> Because they're trying to break in.  Any response indicates there's
> something to poke around in.
>
> > The 'HTTP "Forbidden" error' returned by RemoteAddrValve would seem to
> fuel
> > future/continual attempts as well as error 400. Right?
>
> True, which is why it's best just to have a firewall or the TCP/IP stack
> completely ignore the traffic, and not send anything back.  By the time the
> request gets to Tomcat, the TCP connection is established, so the
> antagonist knows there's something there.
>

Done. Thanks. Will continue to monitor logs, occasionally, to see if my
changes, made at the firewall level, block the IP addresses that are
repeat offenders. :)


>
>  - Chuck

RE: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com] 
> Subject: Re: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log

> Why would the same IP address be hitting my server when 400 is the
> response?

> And they will continue attempting these "CONNECT..." requests until
> they get a 404 or what?

Because they're trying to break in.  Any response indicates there's something to poke around in.

> The 'HTTP "Forbidden" error' returned by RemoteAddrValve would seem to fuel
> future/continual attempts as well as error 400. Right?

True, which is why it's best just to have a firewall or the TCP/IP stack completely ignore the traffic, and not send anything back.  By the time the request gets to Tomcat, the TCP connection is established, so the antagonist knows there's something there.

 - Chuck




Re: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log

Posted by "Howard W. Smith, Jr." <sm...@gmail.com>.
Chris,

On Mon, Jul 8, 2013 at 11:50 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Howard,
>
> On 7/8/13 3:45 PM, Howard W. Smith, Jr. wrote:
> > On Mon, Jul 8, 2013 at 3:40 PM, Caldarale, Charles R <
> > Chuck.Caldarale@unisys.com> wrote:
> >
> >>> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
> >>> Subject: How to handle "CONNECT ... HTTP 1.1" 400 in
> >>> localhost_access_log
> >>
> >>> 183.60.48.25 - - [08/Jul/2013:15:15:26 -0400] "CONNECT
> >>> tcpconn2.tencent.com:443 HTTP/1.1" 400 -
> >>
> >>> Any advice on how to handle these requests (if necessary)
> >>> and/or information about this type of 'CONNECT ...' request
> >>> would be appreciated. Thanks.
> >>
> >> It's from somewhere in China (who'da thunk it?); you can always
> >> black list it with the RemoteAddrValve, but it will likely pop up
> >> from somewhere else.
> >>
> >
> > You beat me to the punch, Chuck. I thought about you when I just
> > searched the IP database[1] for the IP address, and was about to
> > reply again with this info, but thanks, I definitely need to
> > blacklist that IP address.
> >
> > [1] https://ipdb.at/ip/183.60.48.25
>
> Feel free to just drop the whole IP block with iptables or at a firewall
> closer to the edge of your network.


Interesting. Sounds like a good idea, thanks.

> That is, of course, unless you need to serve clients in China.
>

Definitely have no need, desire, or requirement to serve clients in China.
:)

Why would the same IP address be hitting my server when 400 is the
response? Is that definitely a sign to China that a server (of some sort)
is returning error 400? And they will continue attempting these "CONNECT
..." requests until they get a 404 or what?

The 'HTTP "Forbidden" error' returned by RemoteAddrValve would seem to fuel
future/continual attempts as well as error 400. Right?



> -chris

Re: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Howard,

On 7/8/13 3:45 PM, Howard W. Smith, Jr. wrote:
> On Mon, Jul 8, 2013 at 3:40 PM, Caldarale, Charles R < 
> Chuck.Caldarale@unisys.com> wrote:
> 
>>> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com] 
>>> Subject: How to handle "CONNECT ... HTTP 1.1" 400 in
>>> localhost_access_log
>> 
>>> 183.60.48.25 - - [08/Jul/2013:15:15:26 -0400] "CONNECT 
>>> tcpconn2.tencent.com:443 HTTP/1.1" 400 -
>> 
>>> Any advice on how to handle these requests (if necessary)
>>> and/or information about this type of 'CONNECT ...' request
>>> would be appreciated. Thanks.
>> 
>> It's from somewhere in China (who'da thunk it?); you can always
>> black list it with the RemoteAddrValve, but it will likely pop up
>> from somewhere else.
>> 
> 
> You beat me to the punch, Chuck. I thought about you when I just
> searched the IP database[1] for the IP address, and was about to
> reply again with this info, but thanks, I definitely need to
> blacklist that IP address.
> 
> [1] https://ipdb.at/ip/183.60.48.25

Feel free to just drop the whole IP block with iptables or at a
firewall closer to the edge of your network. That is, of course,
unless you need to serve clients in China.

-chris


Re: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log

Posted by "Howard W. Smith, Jr." <sm...@gmail.com>.
On Mon, Jul 8, 2013 at 3:40 PM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:

> > From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com]
> > Subject: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log
>
> > 183.60.48.25 - - [08/Jul/2013:15:15:26 -0400] "CONNECT
> > tcpconn2.tencent.com:443 HTTP/1.1" 400 -
>
> > Any advice on how to handle these requests (if necessary) and/or
> > information about this type of 'CONNECT ...' request would be
> > appreciated. Thanks.
>
> It's from somewhere in China (who'da thunk it?); you can always black list
> it with the RemoteAddrValve, but it will likely pop up from somewhere else.
>

You beat me to the punch, Chuck. I thought about you when I just searched
the IP database[1] for the IP address, and was about to reply again with
this info, but thanks, I definitely need to blacklist that IP address.

[1] https://ipdb.at/ip/183.60.48.25

RE: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Howard W. Smith, Jr. [mailto:smithh032772@gmail.com] 
> Subject: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log

> 183.60.48.25 - - [08/Jul/2013:15:15:26 -0400] "CONNECT
> tcpconn2.tencent.com:443 HTTP/1.1" 400 -

> Any advice on how to handle these requests (if necessary) and/or
> information about this type of 'CONNECT ...' request would be
> appreciated. Thanks.

It's from somewhere in China (who'da thunk it?); you can always black list it with the RemoteAddrValve, but it will likely pop up from somewhere else.

 - Chuck

