reverse proxy equivalent for RequestURI exists: Urltoolbox reverse proxy (WAP)

hanscees
23 February 2016, 23:08
Hi,

In a reverse proxy situation I am trying to ban an ip-address if it asks for a url that does not exist on the backend server.
I have tried the config below, but keep getting banned.
I presume because RequestURI exists only applies to files on disk, and not files on the disk of a back-end server.
Is my assumption correct? Is there a workaround?

UrlToolkit {
    ToolkitID = block_pman404
    MatchCI phpMyAdmin/.* Ban 3600
    MatchCI /Admin Ban 3600 ##CI is case insensitive
    Header User-Agent bot Exit #allow bots
    Header User-Agent spider Exit #allow bots
    Header User-Agent crawler Exit #allow bots
    RequestURI exists Exit #if uri exists, go on
    do Ban 3600 #if uri does not exist, ban IP
}

VirtualHost {
    Hostname = www.hanscees.com, *.hanscees.com
    ReverseProxy !^/.well-known/ http://172.16.0.101:80/
    #RequireTLS = yes
    TLScertFile = /etc/letsencrypt/live/www.hanscees.com/hiawatha-hc.pem
    WebsiteRoot /var/www/hcs
    UseToolkit = block_pman404
}

Hugo Leisink
24 February 2016, 00:58
I presume because RequestURI exists only applies to files on disk, and not files on the disk of a back-end server.

That is correct.

Is there a workaround?

If the backend server is also a Hiawatha server, do the banning there.

My advice is not to ban clients who make a request for a non-existing file. Many valid clients do that. For example, the /favicon.ico is requested often. What harm comes from requesting a non-existing file anyway?
HansCees
24 February 2016, 22:09
Requesting a non-existing file can be an early sign of somebody trying to hack or exploit.
I know that somebody trying to look up phpadmin is trying something. So I want to block the IP address that tries that, because after that address tries this it will probably try other stuff I do not know about.
So while I do know that a GET of phpadmin is a telltale, I do not know many others that can nevertheless lead to exploiting a vulnerability.
Many of those will include files my web application does not serve (specific Joomla modules you might or might not have installed, and so on).

The fact that I can ban on the basis of 404 errors directly in the config makes me suspect there must be a way?

hc

Hugo Leisink
26 February 2016, 16:57
somebody trying to look up phpadmin is trying something

Most of the time it's not somebody, but something. It's a script that looks for something specific to exploit. If it doesn't find it, it will move on.

And besides that, if you've secured your applications well, who cares about somebody or something looking around. Let them look.

If you really want to ban someone requesting a non-existing file, you can use the following UrlToolkit rule. But be careful with it as it will probably do more harm than good.

UrlToolkit {
    ToolkitID = ban_on_404
    RequestURI exists Return
    Match .* Ban 86400
}

hanscees
27 February 2016, 22:06
I was not asking if you agree with my policy. You don't have to. I want defense in depth which means assuming the code I use from others (it is not my code, I am just setting up a website) is not secure.
I think my assumption is more safe than yours. But again, you don't have to agree.

The rules you supply are functionally the same as my example as far as I can see:

RequestURI exists Exit #if uri exists, go on
do Ban 3600 #if uri does not exist, ban IP

Probably return means something like "jump out of this loop" and exit means "jump out of all loops".

But still the code won't work for a reverse-proxy. Obviously there is code to do that, but not in the toolkit. Pity.
Hugo Leisink
27 February 2016, 22:17
No, it won't work on a reverse proxy, as the requested files don't exist at the reverse proxy. As you mentioned in an earlier post.
This topic has been closed.
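
The thread ends without a proxy-side way to react to backend 404s. As an added example (not part of the thread and not Hiawatha code), the sketch below reads the reverse proxy's access log and lists addresses to ban, mirroring the posted rules: known probe paths first, crawler User-Agents exempt, then repeated 404s. It assumes the proxy logs the relayed status code in Combined Log Format; the allow-list, the threshold and all function names are hypothetical.

```python
import re
from collections import Counter

# Assumption: Combined Log Format. Adjust the pattern to the proxy's real log format.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
BENIGN_404 = {"/favicon.ico", "/robots.txt"}          # hypothetical allow-list
CRAWLER_UA = ("bot", "spider", "crawler")             # substrings from the Header rules
PROBE_URI = re.compile(r"phpmyadmin/|/admin", re.I)   # mirrors the two MatchCI rules

def ban_candidates(lines, threshold=3):
    """Return {ip: reason} for probe requests or `threshold` or more 404s."""
    misses, flagged = Counter(), {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                                  # skip unparseable lines
        ip, uri = m["ip"], m["uri"].split("?", 1)[0]
        if PROBE_URI.search(uri):                     # checked before the bot exemption,
            flagged[ip] = f"probe {uri}"              # as in the posted toolkit
            continue
        if m["status"] != "404" or uri in BENIGN_404:
            continue                                  # only unexpected misses count
        if any(s in m["ua"].lower() for s in CRAWLER_UA):
            continue                                  # case-insensitive here by choice
        misses[ip] += 1
        if misses[ip] >= threshold:
            flagged.setdefault(ip, f"{misses[ip]} x 404")
    return flagged

def _line(ip, uri, status, ua="Mozilla/5.0"):
    return (f'{ip} - - [27/Feb/2016:22:06:00 +0100] '
            f'"GET {uri} HTTP/1.1" {status} 0 "-" "{ua}"')

SAMPLE = [  # constructed log lines using documentation-range addresses
    _line("203.0.113.5", "/favicon.ico", 404),
    _line("203.0.113.5", "/index.html", 200),
    _line("198.51.100.7", "/phpMyAdmin/index.php", 404),
    *[_line("192.0.2.9", f"/missing-{i}", 404) for i in range(3)],
    *[_line("192.0.2.20", f"/missing-{i}", 404, "ExampleBot/1.0") for i in range(3)],
]

if __name__ == "__main__":
    for ip, reason in ban_candidates(SAMPLE).items():
        print(ip, reason)
```

The threshold and the allow-list address the false-positive concern raised in the thread: a single miss such as /favicon.ico never leads to a ban.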