On Tue, Jul 9, 2013 at 8:16 AM, Mark Thomas <ma...@apache.org> wrote:
> On 09/07/2013 12:54, Howard W. Smith, Jr. wrote:
> > On Tue, Jul 9, 2013 at 2:18 AM, Caldarale, Charles R <chuck.caldar...@unisys.com> wrote:
> >
> >>> From: Howard W. Smith, Jr. [mailto:smithh032...@gmail.com]
> >>> Subject: Re: How to handle "CONNECT ... HTTP 1.1" 400 in localhost_access_log
> >>
> >>> why would the same IP address be hitting my server when 400 is the
> >>> response?
> >>
> >>> and they will continue attempting these "CONNECT..." requests until
> >>> they get a 404 or what?
> >>
> >> Because they're trying to break in. Any response indicates there's
> >> something to poke around in.
> >>
> >>> The 'HTTP "Forbidden" error' returned by RemoteAddrValve would seem to fuel
> >>> future/continual attempts as well as error 400. right?
> >>
> >> True, which is why it's best just to have a firewall or the TCP/IP stack
> >> completely ignore the traffic, and not send anything back. By the time the
> >> request gets to Tomcat, the TCP connection is established, so the
> >> antagonist knows there's something there.
> >>
> >
> > Done. Thanks. Will continue to monitor logs, occasionally, to see if my
> > changes, made at the firewall level, block the IP addresses that are
> > repeat offenders. :)
>
> fail2ban is your friend
>
> The ASF uses it pretty much everywhere.
>
> Mark

thanks Mark. researching that now....for Windows Server 2008. :)
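
Added example (not part of the original thread, and not Tomcat or fail2ban code): a sketch of the log check discussed above, flagging clients that keep sending rejected `CONNECT` requests in `localhost_access_log`. It assumes Tomcat's `common` access-log pattern; the sample lines, addresses and the `max_retry`/`find_time` parameters (named after fail2ban's `maxretry`/`findtime` settings) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: Tomcat AccessLogValve "common" pattern, %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jul/2013:02:10:01 -0400] "CONNECT mail.example.net:25 HTTP/1.1" 400 -
198.51.100.4 - - [09/Jul/2013:02:10:05 -0400] "GET /app/index.jsp HTTP/1.1" 200 5120
203.0.113.7 - - [09/Jul/2013:02:11:30 -0400] "CONNECT mail.example.net:25 HTTP/1.1" 400 -
198.51.100.9 - - [09/Jul/2013:02:12:00 -0400] "CONNECT mail.example.net:25 HTTP/1.1" 403 -
203.0.113.7 - - [09/Jul/2013:02:14:45 -0400] "CONNECT mail.example.net:25 HTTP/1.1" 400 -
198.51.100.9 - - [09/Jul/2013:04:40:00 -0400] "CONNECT mail.example.net:25 HTTP/1.1" 403 -
198.51.100.9 - - [09/Jul/2013:07:05:00 -0400] "CONNECT mail.example.net:25 HTTP/1.1" 403 -
""".splitlines()

def repeat_offenders(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: rejected_connect_count} for clients with at least max_retry
    rejected CONNECT requests (400 or 403) inside any find_time window.
    Lines are expected in chronological order, as an access log writes them."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    totals = defaultdict(int)    # ip -> all rejected CONNECT requests seen
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "CONNECT" or m["status"] not in ("400", "403"):
            continue  # unparseable line, or not a rejected CONNECT
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:  # drop hits older than the window
            window.popleft()
        totals[m["ip"]] += 1
        if len(window) >= max_retry:
            flagged.add(m["ip"])
    return {ip: totals[ip] for ip in sorted(flagged)}

if __name__ == "__main__":
    for ip, hits in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {hits} rejected CONNECT requests, candidate for a firewall drop rule")
```

Addresses it reports are candidates for the silent firewall drop recommended in the thread, and running it again after the rule is in place shows whether those addresses still reach Tomcat.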