31801a6c1d
Make scan detection more targeted to avoid false positives
Major changes to prevent legitimate users from being blocked:
1. Increased thresholds significantly:
- Initial trigger: 10 → 25 errors
- Medium level: 20 → 40 errors
- High level: 35 → 60 errors
- Critical level: 50 → 100 errors
2. Only count actual scan attempts as errors:
- Script files: .php, .asp, .jsp, .cgi, .pl, .py, .rb, .sh
- Admin paths: /wp-admin, /phpmyadmin, /adminer
- Config files: .env, .git, .htaccess, .ini, .yml
- Backup files: .backup, .bak, .sql, .dump
- Known vulnerable paths: /cgi-bin, /fckeditor
3. Explicitly exclude legitimate assets from counting:
- Images: .jpg, .png, .gif, .svg, .webp
- Fonts: .woff, .woff2, .ttf, .eot, .otf
- Static: .css, .js, .map, .pdf
- Common paths: /static/, /assets/, /fonts/, /images/
4. Still count all 401/403 errors (auth failures are suspicious)
This prevents missing fonts, images, and CSS files from triggering blocks
while still catching actual vulnerability scanners.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-25 12:39:15 -07:00
e54b4b4afe
Implement progressive protection: tarpit → silent-drop → block
- Set tarpit timeout to 10 seconds for initial offenders
- Use silent-drop for obvious scanners (35+ errors) and repeat offenders
- Silent-drop immediately closes connection without response
- Keep 429 block for critical threats (50+ errors)
Protection levels:
- 10-19 errors: 10s tarpit
- 20-34 errors: 10s tarpit (first), silent-drop (repeat)
- 35-49 errors: silent-drop
- 50+ errors: 429 block
- Burst attacks: 10s tarpit (first), silent-drop (repeat)
Updated monitoring script to show correct status based on new logic.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-25 06:42:09 -07:00
b88da4c58f
Implement HAProxy tarpit escalation and CLI monitoring
- Add full tarpit escalation logic with gpc1 tracking (levels 0-3)
- Implement progressive delays: 2-5s → 8-15s → 20-45s → 60s
- Increase initial threshold from 5 to 10 errors (more tolerant)
- Reduce tracking duration from 2h to 1h (faster cleanup)
- Add show-tarpit-ips.sh script for monitoring tarpitted IPs via CLI
- Script shows IP, scan count, escalation level, and tarpit status
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-24 19:33:10 -07:00
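The three commits above describe one mechanism from successive angles: per-IP tracking in a stick table with gpc1 as the escalation level (b88da4c58f), the tarpit → silent-drop → 429 ladder (e54b4b4afe), and the narrowed definition of what counts as an error together with the raised thresholds (31801a6c1d). The frontend below is an added example written for this page, not the repository's own haproxy.cfg. It uses the final thresholds (25/40/60/100) and the path lists from 31801a6c1d; the frontend and backend names, the table size, the 10-minute rate window, the `txn.scanlike` variable, and the use of gpt0 to mark an active scan episode (so that "first" and "repeat" offenders can be told apart) are assumptions of this example, and the separate burst rule mentioned in e54b4b4afe is not modelled.

```haproxy
# Added example, not the project's own configuration. Assumed names: fe_web, be_app,
# txn.scanlike, the 10m rate window and the gpt0 episode flag. Thresholds and path
# lists follow commit 31801a6c1d; the ladder follows e54b4b4afe.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    timeout tarpit  10s   # offenders are held 10s before HAProxy answers (e54b4b4afe)

frontend fe_web
    bind *:80
    default_backend be_app

    # One entry per source IP, dropped 1h after its last request (b88da4c58f).
    # gpc0 / gpc0_rate(10m): scan-like errors and their rate over a 10-minute window (assumed)
    # gpc1: escalation level 0-3, raised once per completed scan episode
    # gpt0: 1 while the source is above the low threshold (assumed use of gpt0)
    stick-table type ip size 100k expire 1h store gpc0,gpc0_rate(10m),gpc1,gpt0
    http-request track-sc0 src

    # What counts as a scan attempt (31801a6c1d, item 2). Same-name acls OR together.
    acl scanpath path_end -i .php .asp .jsp .cgi .pl .py .rb .sh
    acl scanpath path_beg -i /wp-admin /phpmyadmin /adminer
    acl scanpath path_end -i .env .git .htaccess .ini .yml
    acl scanpath path_sub -i /.git/
    acl scanpath path_end -i .backup .bak .sql .dump
    acl scanpath path_beg -i /cgi-bin /fckeditor

    # Assets that never count, even when they 404 (item 3).
    acl legit path_end -i .jpg .png .gif .svg .webp .woff .woff2 .ttf .eot .otf .css .js .map .pdf
    acl legit path_beg -i /static/ /assets/ /fonts/ /images/

    # Remember the classification for the response phase.
    http-request set-var(txn.scanlike) int(1) if scanpath !legit

    # Current state of this source.
    acl err_low      sc_gpc0_rate(0) ge 25
    acl err_medium   sc_gpc0_rate(0) ge 40
    acl err_high     sc_gpc0_rate(0) ge 60
    acl err_critical sc_gpc0_rate(0) ge 100
    acl in_episode   sc_get_gpt0(0) eq 1
    acl repeat       sc_gpc1(0) ge 1

    # Episode bookkeeping: a source that was over the low threshold and has decayed
    # back under it closes its episode and moves up one level (capped at 3).
    http-request sc-inc-gpc1(0)   if in_episode !err_low { sc_gpc1(0) lt 3 }
    http-request sc-set-gpt0(0) 0 if in_episode !err_low
    http-request sc-set-gpt0(0) 1 if err_low

    # The ladder: the first matching rule wins, so order by severity.
    http-request deny deny_status 429 if err_critical        # 100+ errors
    http-request silent-drop          if err_high            # 60-99
    http-request silent-drop          if err_medium repeat   # 40-59, repeat offender
    http-request tarpit               if err_low             # 25-39, and 40-59 first time

    # Count errors once the backend has answered (items 2 and 4): any 4xx on a
    # scan-like path, plus 401/403 on every other path.
    acl scanlike  var(txn.scanlike) -m int eq 1
    acl auth_fail status 401 403
    http-response sc-inc-gpc0(0) if scanlike { status 400:499 }
    http-response sc-inc-gpc0(0) if auth_fail !scanlike

backend be_app
    server app1 127.0.0.1:8080
```

Because only error responses on scan-like paths are counted, a site that really serves PHP is unaffected by its own successful `.php` requests, and a missing `/static/legacy.php` is ignored by the `!legit` clause. The counters behind a monitoring script such as show-tarpit-ips.sh are visible on the stats socket with `show table fe_web` once a `stats socket` line is added to the global section; the key, gpc0_rate, gpc1 and gpt0 columns map directly to the scan count, level and episode state the commits describe.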