Haproxy Monitoring or BLOCK DDOS

How to monitor or block DDOS in Haproxy





Configuration to monitor access
This configuration just will TAG the external IP in the  abuse table, if need block something just remove the double #, to change the level of monitoring increase or reduce the number of connection  level.

# ABUSE SECTION works with http mode dependent on src ip
##tcp-request content reject if { src_get_gpc0(Abuse) gt 5000 }
acl abuse src_http_req_rate(Abuse) ge 5000
acl flag_abuser src_inc_gpc0(Abuse) ge 100
acl scanner src_http_err_rate(Abuse) ge 5000



# Abuse protection.
# Sources that are not filtered.
tcp-request content accept if { src -f /etc/haproxy/whitelist.lst }
# Sources rejected immeditely.
tcp-request content reject if { src -f /etc/haproxy/blacklist.lst }
# Limiting the connection rate per client. No more than 5000 connections over 3 seconds.
##tcp-request content reject if { src_conn_rate(Abuse) ge 5000 }
# Reject if more than 1000 connections from client.
# This is to accommodate clients behind a NAT.
##tcp-request content reject if { src_conn_cur(Abuse) ge 1000 }
# Block based on backend.
##tcp-request content reject if { src_get_gpc0(Abuse) gt 5000 }
# Track counters based on forwarded ip.
##tcp-request content track-sc1 src table Abuse


When the rule BLOCK is enabled  you can choose the return 403 or silent-drop t9

# Returns a 403 to the abuser and flags for tcp-reject next time
http-request deny if abuse flag_abuser
http-request deny if scanner flag_abuser




Monitoring

Show the stick table that there the top IP
echo "show table Abuse" | socat unix-connect:/var/run/haproxy/admin.sock stdio





hatop -s /var/run/haproxy/admin.sock



It's possible connect external tools like

Microsoft OMS
Datadog
Prometheus.
Splunk
And others APMs

Popular posts from this blog

Remote Server returned '550 5.2.3 RESOLVER.RST.RecipSizeLimit; message too large for this recipient'

Office 365 or Exchange online problem Remote Server returned '550 5.2.3 RESOLVER.RST.RecipSizeLimit; message too large for this recipient' Connect in your office365/Exchangeonlime with PowerShell Confirm the problem,   Get-Mailbox | fl mailboxplan,maxsendsize,maxreceivesize If you have   Get-Mailbox user@mailbox.com | fl mailboxplan,maxsendsize,maxreceivesize MailboxPlan    : ExchangeOnline-1ab122338-4f1a-bac1-c28ff8a1234 MaxSendSize    : 0 B (0 bytes) MaxReceiveSize : 0 B (0 bytes) Execute the command  Set-Mailbox user@mailbox.com -MaxReceiveSi ze 55 MB -MaxSend Size 55 MB  or   Set-Mailbox user@mailbox.com -MaxReceiveSize 150MB -MaxSendSize 150MB To apply for all users run this.  Get-Mailbox | Set-Mailbox -MaxReceiveSize 55MB -MaxSendSize 55MB
Read more

Haproxy error inconsistencies between private key and certificate loaded from PEM file

Error in haproxy with lets encrypt error msg bind *:443' : inconsistencies between private key and certificate loaded from PEM file '/etc/letsencrypt/live/ Need to create a new file cat cert.pem privkey.pem > haproxy_cert.pem Add in haproxy frontend www         bind *:80         bind *:443  ssl crt /etc/letsencrypt/live/mydomain.com/haproxy_cert.pem and make a test haproxy -c -V -f /etc/haproxy/haproxy.cfg
Read more

Porque a centralização de arquivos?

Image
Porque a centralização de arquivos?   Muitas empresas gastam boa parte de sua estrutura armazenando a mesma coisa, de forma desorganizada.  Para entender o problema vou tentar explicar de maneira simplificada, como visualizo o problema de gestão sobre os arquivos e a falta de cultura. E como resolver.
Read more