cloud-hosting-platform/haproxy-manager-base
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ee8223c25fc4a75a5157d412836b73b13e61928a
haproxy-manager-base/scripts/monitor-attacks.sh
jknapp ee8223c25f
All checks were successful
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 2m20s
Details
Complete HAProxy 3.0.11 syntax fixes for ACL and sc-inc errors 
Fixed remaining HAProxy 3.0.11 compatibility issues:

ACL Definition Fixes:
- Fixed compound ACL references (can't reference ACLs as fetch methods)
- Split complex ACLs into individual threat detection ACLs
- Updated all ACL names to be descriptive and unique

Syntax Corrections:
- Fixed sc-inc-gpc syntax (removed extra "1" parameter)
- Updated all ACL references in http-request rules
- Fixed compound conditions in response rules

Threat Detection Structure:
- high_threat_detected: Bot scanners
- high_threat_scan: Admin path scanning
- high_threat_shells: Shell/exploit attempts
- medium_threat_injection: SQL injection attempts
- medium_threat_traversal: Directory traversal
- medium_threat_wp_attack: WordPress brute force (403s)
- low_threat_rate: Rate limit violations
- low_threat_method: Suspicious HTTP methods
- low_threat_headers: Missing browser headers
- critical_threat_blacklist: Blacklisted IPs
- critical_threat_autoban: Auto-blacklist candidates

Response System Updates:
- Individual ACL-based responses for each threat type
- Proper whitelisting for legitimate bots/browsers
- Enhanced logging with new threat classifications

Monitoring Script Updates:
- Updated log parsing for new threat level names
- Better threat categorization in real-time monitoring

All syntax errors resolved for HAProxy 3.0.11 compatibility
while maintaining comprehensive security protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-22 17:37:16 -07:00

89 lines
2.9 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Real-time attack monitoring for HAProxy
# Shows blocked requests and suspicious activity
LOG_FILE="/var/log/haproxy.log"
SOCKET="/tmp/haproxy-cli"
echo "==================================================="
echo "HAProxy Security Monitor - Real-time Attack Detection"
echo "==================================================="
echo ""
# Function to show current threats
show_threats() {
echo "Current Threat IPs (Rate Limiting Table):"
echo "show table web" | socat stdio "$SOCKET" 2>/dev/null | \
awk '$4 > 0 || $5 > 20 || $6 > 5 || $7 > 10 {
printf "%-15s req_rate:%-3s err_rate:%-3s conn_rate:%-3s marked:%s\n",
$1, $5, $6, $7, $4
}' | head -10
echo ""
echo "Blacklisted IPs (24h tracking):"
echo "show table security_blacklist" | socat stdio "$SOCKET" 2>/dev/null | \
awk '$4 > 0 || $5 > 0 {
printf "%-15s blacklisted:%s violations:%s\n",
$1, $4, $5
}' | head -10
echo ""
echo "WordPress 403 Failures:"
echo "show table wp_403_track" | socat stdio "$SOCKET" 2>/dev/null | \
awk '$4 > 2 {
printf "%-15s 403_rate:%-3s\n",
$1, $4
}' | head -10
echo "---------------------------------------------------"
}
# Function to show recent blocks
show_recent_blocks() {
echo "Recent Blocked Requests:"
tail -100 "$LOG_FILE" 2>/dev/null | \
grep -E "(high_threat|medium_threat|low_threat|critical_threat|tarpit|denied|403)" | \
tail -10 | \
awk '{
if (match($0, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+/)) {
ip = substr($0, RSTART, RLENGTH)
gsub(/:.*/, "", ip)
reason = ""
if ($0 ~ /high_threat/) reason = "HIGH_THREAT"
else if ($0 ~ /critical_threat/) reason = "CRITICAL_THREAT"
else if ($0 ~ /medium_threat/) reason = "MEDIUM_THREAT"
else if ($0 ~ /low_threat/) reason = "LOW_THREAT"
else if ($0 ~ /tarpit/) reason = "TARPIT"
else if ($0 ~ /denied/) reason = "DENIED"
else if ($0 ~ /403/) reason = "BLOCKED"
printf "[%s] %-15s %s\n", strftime("%H:%M:%S"), ip, reason
}
}'
echo ""
}
# Monitor mode selection
if [ "$1" == "live" ]; then
echo "Live monitoring mode - Press Ctrl+C to exit"
echo ""
while true; do
clear
echo "==================================================="
echo "HAProxy Security Monitor - $(date '+%Y-%m-%d %H:%M:%S')"
echo "==================================================="
echo ""
show_threats
echo ""
show_recent_blocks
sleep 5
done
else
# Single run mode
show_threats
echo ""
show_recent_blocks
echo ""
echo "Tip: Run with 'live' parameter for continuous monitoring"
echo "Usage: $0 [live]"
fi
Reference in New Issue View Git Blame Copy Permalink