Remove all ACL-to-ACL references for HAProxy 3.0.11 compatibility

Final fix for HAProxy 3.0.11 syntax requirements:

ACL Reference Resolution:
- Removed all compound ACLs that referenced other ACLs
- Updated all http-request rules to use base ACLs directly
- HAProxy 3.0 does not allow ACL-to-ACL references

Direct Base ACL Usage:
- bot_scanner: Scanner user agent detection
- scan_admin: Admin path scanning
- scan_shells: Shell/exploit attempts
- sql_injection: SQL injection patterns
- directory_traversal: Path traversal attempts
- wp_403_abuse: WordPress 403 failures
- rate_abuse: Rate limit violations
- suspicious_method: Dangerous HTTP methods
- missing_accept_header: Missing browser headers
- blacklisted: Blacklisted IPs
- auto_blacklist_candidate: Auto-ban candidates

Graduated Response System (Direct ACL Based):
- Low threat (info): rate_abuse, suspicious_method, missing headers
- Medium threat (warning + tarpit): sql_injection, directory_traversal, wp_403_abuse
- High threat (alert + deny): bot_scanner, scan_admin, scan_shells
- Critical threat (alert + deny): blacklisted, auto_blacklist_candidate

Monitoring Updates:
- Updated log parsing for base ACL names
- Enhanced threat classification in monitoring scripts

All syntax is now purely HAProxy 3.0.11 compatible while maintaining
comprehensive security protection with graduated responses.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-22 17:44:44 -07:00
parent ee8223c25f
commit 0ee9e6cba8
3 changed files with 268 additions and 47 deletions
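The commit message describes the resulting layout: base ACLs that each match one request property, and `http-request` rules that combine those base ACLs directly in their `if` conditions instead of defining compound ACLs that name other ACLs. The following configuration fragment is an added illustration of that layout and is not the repository's own config. The ACL names are the ones the commit message lists; every pattern, threshold, table size and the `txn.threat` variable are constructed assumptions chosen to keep the example self-contained, not values taken from the project.

```haproxy
# Added example (not the project's configuration): graduated responses built
# from base ACLs only. Each ACL tests one fetch; tiers are expressed by
# listing base ACLs in the http-request condition with "or".

frontend fe_web
    bind :80

    # Per-source counters used by rate_abuse, wp_403_abuse and the auto-ban flag.
    # Table sizing and windows are assumptions for the example.
    stick-table type ip size 100k expire 10m store http_req_rate(10s),http_err_rate(60s),gpc0
    http-request track-sc0 src

    # --- Base ACLs (names from the commit message; patterns are illustrative) ---
    acl bot_scanner              req.hdr(User-Agent) -m sub -i sqlmap nikto masscan
    acl scan_admin               path_beg -i /wp-admin /phpmyadmin /administrator
    acl scan_shells              path_end -i .sh .php~ .bak
    acl sql_injection            url -m reg -i (union[[:space:]]+select|sleep\(|benchmark\()
    acl directory_traversal      path_sub -i ../ ..%2f %2e%2e
    acl wp_403_abuse             sc_http_err_rate(0) gt 20
    acl rate_abuse               sc_http_req_rate(0) gt 100
    acl suspicious_method        method TRACE CONNECT
    acl missing_accept_header    req.hdr(Accept) -m found
    acl blacklisted              src -f /etc/haproxy/blacklist.lst
    acl auto_blacklist_candidate sc_get_gpc0(0) gt 0

    # --- Graduated responses, referencing base ACLs directly ---

    # Low threat: record only; request proceeds.
    http-request set-var(txn.threat) str(low) if rate_abuse or suspicious_method or !missing_accept_header

    # Medium threat: record and tarpit (slow the client, then return 500).
    http-request set-var(txn.threat) str(medium) if sql_injection or directory_traversal or wp_403_abuse
    http-request tarpit if sql_injection or directory_traversal or wp_403_abuse

    # High threat: record, flag the source for auto-ban, and deny.
    http-request set-var(txn.threat) str(high) if bot_scanner or scan_admin or scan_shells
    http-request sc-inc-gpc0(0) if bot_scanner or scan_admin or scan_shells
    http-request deny deny_status 403 if bot_scanner or scan_admin or scan_shells

    # Critical threat: deny without further evaluation.
    http-request set-var(txn.threat) str(critical) if blacklisted or auto_blacklist_candidate
    http-request deny deny_status 403 if blacklisted or auto_blacklist_candidate

    # Emit the tier in the access log so a monitoring script can key on a
    # single field instead of grepping for ACL names anywhere on the line.
    log-format "%ci:%cp [%tr] %ft %HM %HU %ST %B threat=%[var(txn.threat)]"

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```

Two points worth noting about the design. `missing_accept_header` is written as a positive match (`-m found`) and negated with `!` in the condition, because an ACL cannot itself express "header absent" without a negation at the point of use. The `txn.threat` variable and the custom `log-format` give the monitoring side a fixed `threat=<tier>` token to parse, which is more robust than matching ACL names or bare status codes against the whole log line.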


@@ -42,17 +42,19 @@ show_threats() {
show_recent_blocks() {
echo "Recent Blocked Requests:"
tail -100 "$LOG_FILE" 2>/dev/null | \
grep -E "(high_threat|medium_threat|low_threat|critical_threat|tarpit|denied|403)" | \
grep -E "(bot_scanner|scan_admin|scan_shells|sql_injection|directory_traversal|rate_abuse|tarpit|denied|403)" | \
tail -10 | \
awk '{
if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+/)) {
ip = substr($0, RSTART, RLENGTH)
gsub(/:.*/, "", ip)
reason = ""
if ($0 ~ /high_threat/) reason = "HIGH_THREAT"
else if ($0 ~ /critical_threat/) reason = "CRITICAL_THREAT"
else if ($0 ~ /medium_threat/) reason = "MEDIUM_THREAT"
else if ($0 ~ /low_threat/) reason = "LOW_THREAT"
if ($0 ~ /bot_scanner/) reason = "BOT_SCANNER"
else if ($0 ~ /scan_admin/) reason = "ADMIN_SCAN"
else if ($0 ~ /scan_shells/) reason = "SHELL_SCAN"
else if ($0 ~ /sql_injection/) reason = "SQL_INJECTION"
else if ($0 ~ /directory_traversal/) reason = "DIR_TRAVERSAL"
else if ($0 ~ /rate_abuse/) reason = "RATE_ABUSE"
else if ($0 ~ /tarpit/) reason = "TARPIT"
else if ($0 ~ /denied/) reason = "DENIED"
else if ($0 ~ /403/) reason = "BLOCKED"
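Review bot: the new `grep -E "(bot_scanner|scan_admin|scan_shells|sql_injection|directory_traversal|rate_abuse|tarpit|denied|403)"` filter and the awk `reason` chain that follows it cover only six of the eleven base ACLs the commit message introduces; `wp_403_abuse`, `suspicious_method`, `missing_accept_header`, `blacklisted` and `auto_blacklist_candidate` are absent from both, so a critical-tier `blacklisted` hit only appears in "Recent Blocked Requests" if the line also happens to contain `denied`, `tarpit` or `403`, and is then labelled `DENIED` or `BLOCKED` rather than by its ACL. Suggest adding the missing names to the grep alternation and extending the chain, e.g. `else if ($0 ~ /blacklisted/) reason = "BLACKLISTED"` and `else if ($0 ~ /wp_403_abuse/) reason = "WP_403_ABUSE"`, placed before the generic `tarpit`/`denied`/`403` fallbacks so the specific ACL wins. Separately, the bare `403` in the grep pattern and `$0 ~ /403/` in awk match anywhere on the line (byte counters, session ids, timing fields), not just the status code; anchoring on the status field, for example `$N == 403` for whichever field `log-format` places it in, would avoid false entries in the blocked list.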