can't replicate/block portscanner
Robert Paprocki
rpaprocki at fearnothingproductions.net
Sat Dec 10 00:09:21 UTC 2016
Should be fairly easy to do with any command to write data over the wire
(nc/netcat/echo into /dev/tcp):
echo -en 'GET / HTTP/1.0' | nc 1.2.3.4
It should be worth noting that the Host header is not a required HTTP/1.0
header, so if your app requires the Host header (or derives some other
variable value from this header), you should either require HTTP/1.1, or
find a way to set this header in the proxies request. The proxy_pass
documentation has some discussion on setting the Host header in particular
for proxy environments:
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
On Fri, Dec 9, 2016 at 3:29 PM, Jonathan Vanasco <nginx at 2xlp.com> wrote:
>
> I got hit with a portscanner a few minutes ago, which caused an edge-case
> I can't repeat.
>
> the access log looks like this:
>
> 94.102.48.193 - [09/Dec/2016:22:15:03 +0000][_] 500 "GET /
> HTTP/1.0" 10299 "-" "masscan/1.0 (https://github.com/
> robertdavidgraham/masscan)" "-" cookies="-"
>
> the server block was:
>
> server {
> listen 80 default_server;
> server_name _;
> ...
> }
>
> but there is another ip block:
>
> server { listen 80;
> server_name ~^[0-9.]*$;
> }
>
>
> i can't figure out how to duplicate this request. the 500 was triggered,
> because the upstream application server didn't get find a "HTTP_HOST"
> environment variable set up, and i'd like to protect against this.
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20161209/189b37c6/attachment.html>
More information about the nginx
mailing list