On 09/07/2013 12:54, Howard W. Smith, Jr. wrote:
> On Tue, Jul 9, 2013 at 2:18 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
> 
>>> From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
>>> Subject: Re: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log
>>
>>> why would the same IP address be hitting my server when 400 is the
>>> response?
>>
>>> and they will continue attempting these "CONNECT..." requests until
>>> they get a 404 or what?
>>
>> Because they're trying to break in.  Any response indicates there's
>> something to poke around in.
>>
>>> The 'HTTP "Forbidden" error' returned by RemoteAddrValve would seem to fuel
>>> future/continual attempts as well as error 400. Right?
>>
>> True, which is why it's best just to have a firewall or the TCP/IP stack
>> completely ignore the traffic, and not send anything back.  By the time the
>> request gets to Tomcat, the TCP connection is established, so the
>> antagonist knows there's something there.
>>
> 
> Done. Thanks. Will continue to monitor logs, occasionally, to see if my
> changes, made at the firewall level, block the IP addresses that are
> repeat offenders. :)

fail2ban is your friend

The ASF uses it pretty much everywhere.

Mark
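
The repeat-offender check discussed in this thread, as an added example that is not part of the original messages and is not fail2ban's own code: it scans access-log lines for `CONNECT` requests answered with 400 and flags hosts that repeat within a time window. It assumes Tomcat's default "common" access-log pattern; the `maxretry` and `findtime` parameter names are borrowed from fail2ban's jail options, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: Tomcat "common" pattern  %h %l %u %t "%r" %s %b
LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def repeat_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """Hosts with >= maxretry 'CONNECT ... 400' entries inside findtime,
    in the order they crossed the threshold."""
    recent = defaultdict(deque)  # host -> timestamps still inside the window
    flagged = []
    for line in lines:
        m = LINE.match(line.strip())
        # Skip unparseable lines and anything that is not a rejected CONNECT
        if not m or m["method"] != "CONNECT" or m["status"] != "400":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["host"]]
        window.append(ts)
        # Drop hits that have aged out of the sliding window
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and m["host"] not in flagged:
            flagged.append(m["host"])
    return flagged

# Constructed sample lines (documentation address ranges, not real traffic)
SAMPLE = """\
203.0.113.7 - - [09/Jul/2013:01:10:02 -0400] "CONNECT mail.example.net:25 HTTP/1.1" 400 -
192.0.2.15 - - [09/Jul/2013:01:10:05 -0400] "GET /index.jsf HTTP/1.1" 200 5120
203.0.113.7 - - [09/Jul/2013:01:10:09 -0400] "CONNECT mail.example.net:25 HTTP/1.1" 400 -
198.51.100.20 - - [09/Jul/2013:01:12:30 -0400] "CONNECT mail.example.org:25 HTTP/1.1" 400 -
203.0.113.7 - - [09/Jul/2013:01:14:41 -0400] "CONNECT mail.example.net:25 HTTP/1.1" 400 -
198.51.100.20 - - [09/Jul/2013:03:40:11 -0400] "CONNECT mail.example.org:25 HTTP/1.1" 400 -
198.51.100.20 - - [09/Jul/2013:06:02:57 -0400] "CONNECT mail.example.org:25 HTTP/1.1" 400 -
"""

if __name__ == "__main__":
    for host in repeat_offenders(SAMPLE.splitlines()):
        print(host)
```

A short window catches bursts only; widening `findtime` also surfaces slow, spaced-out probing such as the second host in the sample.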


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
