How to block http inbound connection by http header

alexferro32 · Feb 1, 2023, 3:42 PM

Hi guys!

I need to block DDos attack like this one (apache's access.log) by "puthon-request/2.28.2" match rules:

165.22.52.169 - - [01/Feb/2023:14:23:33 +0100] "GET /index.php HTTP/1.1" 200 192 "-" "python-requests/2.28.1"

Which package of two HAProxy or SquidGuard is right for me?

Thanks, Ale

michmoor · Feb 1, 2023, 5:35 PM

@alexferro32 Are you using HA Proxy or SquidGuard as reverse proxies? Could also run Suricata and create your own custom rule.
Could create a rule to block just the source IP.

You have multiple options available but how you do it depends on your network setup and resources available on the pfsense.

johnpoz · Feb 1, 2023, 6:36 PM

@michmoor exactly... To be honest, that is DO - in what scenario would they ever need to be inbound to you?

Block all of their ASNs

NetRange:       165.22.0.0 - 165.22.255.255
CIDR:           165.22.0.0/16
NetName:        DIGITALOCEAN-165-22-0-0

pfblocker makes it easy to look up ASNs and put them into a alias and then block that completely from your services you don't want them to be able to talk to.. DO while is a big cloud provider - why would you have need of inbound traffic from them? They are not known for being to particular on how they allow their services to be used.