Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    How to block http inbound connection by http header

    Scheduled Pinned Locked Moved Cache/Proxy
    3 Posts 3 Posters 589 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A Offline
      alexferro32
      last edited by

      Hi guys!

      I need to block DDos attack like this one (apache's access.log) by "puthon-request/2.28.2" match rules:

      165.22.52.169 - - [01/Feb/2023:14:23:33 +0100] "GET /index.php HTTP/1.1" 200 192 "-" "python-requests/2.28.1"

      Which package of two HAProxy or SquidGuard is right for me?

      Thanks, Ale

      M 1 Reply Last reply Reply Quote 1
      • M Offline
        michmoor LAYER 8 Rebel Alliance @alexferro32
        last edited by

        @alexferro32 Are you using HA Proxy or SquidGuard as reverse proxies? Could also run Suricata and create your own custom rule.
        Could create a rule to block just the source IP.

        You have multiple options available but how you do it depends on your network setup and resources available on the pfsense.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        johnpozJ 1 Reply Last reply Reply Quote 0
        • johnpozJ Offline
          johnpoz LAYER 8 Global Moderator @michmoor
          last edited by johnpoz

          @michmoor exactly... To be honest, that is DO - in what scenario would they ever need to be inbound to you?

          Block all of their ASNs

          NetRange:       165.22.0.0 - 165.22.255.255
CIDR:           165.22.0.0/16
NetName:        DIGITALOCEAN-165-22-0-0

          pfblocker makes it easy to look up ASNs and put them into a alias and then block that completely from your services you don't want them to be able to talk to.. DO while is a big cloud provider - why would you have need of inbound traffic from them? They are not known for being to particular on how they allow their services to be used.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.