Make scan detection more targeted to avoid false positives
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 52s
Major changes to prevent legitimate users from being blocked:

1. Increased thresholds significantly:
   - Initial trigger: 10 → 25 errors
   - Medium level: 20 → 40 errors
   - High level: 35 → 60 errors
   - Critical level: 50 → 100 errors
2. Only count actual scan attempts as errors:
   - Script files: .php, .asp, .jsp, .cgi, .pl, .py, .rb, .sh
   - Admin paths: /wp-admin, /phpmyadmin, /adminer
   - Config files: .env, .git, .htaccess, .ini, .yml
   - Backup files: .backup, .bak, .sql, .dump
   - Known vulnerable paths: /cgi-bin, /fckeditor
3. Explicitly exclude legitimate assets from counting:
   - Images: .jpg, .png, .gif, .svg, .webp
   - Fonts: .woff, .woff2, .ttf, .eot, .otf
   - Static: .css, .js, .map, .pdf
   - Common paths: /static/, /assets/, /fonts/, /images/
4. Still count all 401/403 errors (auth failures are suspicious)

This prevents missing fonts, images, CSS files from triggering blocks while still catching actual vulnerability scanners.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
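The commit message above describes a counting rule but the diff on this page only touches the status display, so the rule itself (which requests increment the scan counter) is not visible here. The following is an added illustration, not code from this repository and not the HAProxy ACLs that actually do the counting: a small POSIX shell classifier that applies the four points of the commit message to constructed "status path" lines, so the precedence between them can be checked. Assumptions of mine: an "error" is any 4xx/5xx status, the query string has already been stripped from the path, and the sample log lines are made up for the example.

```shell
#!/bin/sh
# Added example (not the repository's own code): decide whether one request
# should count toward the scan score, following the commit message's rules.
# Assumptions: STATUS is the numeric HTTP status, PATH has no query string,
# and "error" means any 4xx/5xx response.

# is_scan_attempt STATUS PATH -> returns 0 (count it) or 1 (ignore it)
is_scan_attempt() {
    status="$1"
    path="$2"

    # Rule 4: every 401/403 counts, whatever the path (auth failures are suspicious).
    case "$status" in
        401|403) return 0 ;;
    esac

    # Only error responses are ever counted (assumption: 4xx/5xx).
    case "$status" in
        4*|5*) ;;
        *) return 1 ;;
    esac

    # Rule 3: legitimate static assets never count, even when missing (404).
    case "$path" in
        /static/*|/assets/*|/fonts/*|/images/*) return 1 ;;
        *.jpg|*.png|*.gif|*.svg|*.webp) return 1 ;;
        *.woff|*.woff2|*.ttf|*.eot|*.otf) return 1 ;;
        *.css|*.js|*.map|*.pdf) return 1 ;;
    esac

    # Rule 2: only scan-like targets count.
    case "$path" in
        *.php|*.asp|*.jsp|*.cgi|*.pl|*.py|*.rb|*.sh) return 0 ;;
        /wp-admin*|/phpmyadmin*|/adminer*) return 0 ;;
        *.env|*/.git*|*.htaccess|*.ini|*.yml) return 0 ;;
        *.backup|*.bak|*.sql|*.dump) return 0 ;;
        /cgi-bin/*|/fckeditor/*) return 0 ;;
    esac

    # Anything else (e.g. a 404 on an ordinary page) is ignored.
    return 1
}

# count_scan_attempts: read "STATUS PATH" lines from stdin, print how many count.
count_scan_attempts() {
    n=0
    while read -r status path; do
        [ -z "$status" ] && continue
        if is_scan_attempt "$status" "$path"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Constructed sample traffic from one client (not real log data).
SAMPLE_LOG='404 /fonts/brand.woff2
404 /wp-login.php
403 /images/logo.png
404 /about
200 /index.html
404 /.env
404 /static/app.js
404 /cgi-bin/test.cgi'

# Expected: 4 (wp-login.php, the 403 on logo.png, /.env, test.cgi);
# the missing font, JS file and /about page do not count.
printf '%s\n' "$SAMPLE_LOG" | count_scan_attempts
```

The order of the `case` blocks is the point of the example: the 401/403 test comes before the static-asset exclusion, so a 403 on an image still raises the score as point 4 of the commit message requires, while a 404 on an unknown, non-script path falls through to the final `return 1` and is ignored.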
@@ -75,17 +75,17 @@ printf "@!%s show table web\n" "${PROCESS_ID}" | socat stdio "$SOCKET" 2>/dev/nu
# Determine status based on scan count and escalation
status=""
if [ "$gpc0" -ge 50 ]; then
if [ "$gpc0" -ge 100 ]; then
status="BLOCKED (429)"
elif [ "$gpc0" -ge 35 ]; then
elif [ "$gpc0" -ge 60 ]; then
status="SILENT-DROP"
elif [ "$gpc0" -ge 20 ]; then
elif [ "$gpc0" -ge 40 ]; then
if [ "$gpc1" -ge 2 ]; then
status="SILENT-DROP (repeat)"
else
status="TARPIT 10s"
fi
elif [ "$gpc0" -ge 10 ]; then
elif [ "$gpc0" -ge 25 ]; then
status="TARPIT 10s"
else
status="Normal"
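Review bot: raising the comparisons to `-ge 100`, `-ge 60`, `-ge 40` and `-ge 25` only changes how this status script labels the gpc0 value; the tarpit/drop decision is made by HAProxy's own ACLs, which this hunk does not touch, so if those were left at the old 10/20/35/50 values the dashboard will print "Normal" for a client the proxy is already tarpitting. Confirm the proxy configuration was changed in the same commit, and define each threshold once near the top of the script (e.g. `THRESH_CRITICAL=100`) so the comparisons here and the ranges in the legend below reference one value instead of repeating the literal numbers in both places.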
@@ -104,12 +104,13 @@ printf "@!%s show table web\n" "${PROCESS_ID}" | socat stdio "$SOCKET" 2>/dev/nu
echo
echo "==================================================================="
echo "Legend:"
echo " - Scan Count 10-19: Low scanner → TARPIT 10s delay"
echo " - Scan Count 20-34: Medium scanner → TARPIT 10s (1st), SILENT-DROP (repeat)"
echo " - Scan Count 35-49: High scanner → SILENT-DROP (immediate disconnect)"
echo " - Scan Count 50+: Critical scanner → BLOCKED (429 response)"
echo " - Scan Count 25-39: Low scanner → TARPIT 10s delay"
echo " - Scan Count 40-59: Medium scanner → TARPIT 10s (1st), SILENT-DROP (repeat)"
echo " - Scan Count 60-99: High scanner → SILENT-DROP (immediate disconnect)"
echo " - Scan Count 100+: Critical scanner → BLOCKED (429 response)"
echo " - Burst (5+ in 10s): → TARPIT 10s (1st), SILENT-DROP (repeat)"
echo "==================================================================="
echo "Note: Only counts suspicious scripts/configs, NOT missing images/fonts/CSS"
echo "Note: IPs are tracked for 1 hour since last activity"
echo
echo "To clear a specific IP from the table:"
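Review bot: the added line `echo "Note: Only counts suspicious scripts/configs, NOT missing images/fonts/CSS"` understates the rule described in the commit message, which says every 401/403 is still counted regardless of path; an operator reading this legend would not expect a 403 on an image to raise the score. Suggest wording it as `echo "Note: Counts all 401/403 responses, plus other errors only on scripts/configs (NOT missing images/fonts/CSS)"`. The updated ranges (25-39, 40-59, 60-99, 100+) also repeat the threshold literals used in the status logic, so any future tuning must be applied in both places; deriving the legend text from the same variables would remove that risk.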