I have an Apache server that's ‘exposed’ outside the corporate firewall via NAT. I get probes constantly and, while I work to keep everything updated, I'm concerned that someone is going to find an exposed surface.
I tried using fail2ban to read the logs and create firewall rules but because the host is inside a VPC (of sorts) it sees every incoming request originating via the default gateway.
Host is at 10.95.96.xx
#ip route get 172.56.xx.xx
172.56.xx.xx via 10.95.96.1 dev enX0 src 10.95.96.xx uid 0
So while I see fail2ban/firewalld creating rules for the various probing IPs, none of them take effect.
I’ve been looking into mod_evasive but it doesn’t look like it’s been maintained in a number of years. Hopefully there’s something up to date that can read inside the requests and make decisions based on that info.
I went so far as to add my home IP to the block zone – no effect.
I used tcpdump to try to pick out packets from incoming probes but all ‘originate’ at the default gateway.
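A quick check over the access log for the symptom described above, added here as an example and not part of the original post: if every logged peer address is the NAT gateway, any fail2ban jail keyed on that field can never match real traffic. The script assumes the log was written with a LogFormat that appends %{X-Forwarded-For}i, and that the NAT device is an HTTP proxy or load balancer that actually inserts that header (a plain packet NAT does not, in which case the check only confirms the symptom); the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed Apache "combined" log lines plus a trailing X-Forwarded-For field.
# The gateway address mirrors the post; the client addresses are made up.
NAT_GATEWAY = "10.95.96.1"
SAMPLE_LOG = """\
10.95.96.1 - - [10/May/2024:12:00:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0" "203.0.113.7"
10.95.96.1 - - [10/May/2024:12:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0" "203.0.113.7"
10.95.96.1 - - [10/May/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "198.51.100.20"
10.95.96.1 - - [10/May/2024:12:00:04 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "curl/8.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
    r'(?: "(?P<xff>[^"]*)")?$'
)

def parse(line):
    """Split one access-log line into peer, request, status and optional XFF."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def client_ip(entry, gateway=NAT_GATEWAY):
    """Address a ban should target: the peer if it is not the gateway, otherwise
    the leftmost X-Forwarded-For hop, or None when no origin can be recovered."""
    if entry["peer"] != gateway:
        return entry["peer"]
    first = (entry.get("xff") or "").split(",")[0].strip()
    return first if first and first != "-" else None

def nat_masks_peers(lines, gateway=NAT_GATEWAY):
    """True when every logged peer address is the gateway: bans keyed on the
    peer field (fail2ban's default) cannot match any real client."""
    peers = {e["peer"] for e in map(parse, lines) if e}
    return bool(peers) and peers == {gateway}

def ban_candidates(lines, threshold=2):
    """Count 4xx responses per recovered client address; addresses reaching the
    threshold are what a fail2ban-style jail would ban if it saw real origins."""
    hits = Counter()
    for entry in filter(None, map(parse, lines)):
        ip = client_ip(entry)
        if ip and 400 <= entry["status"] < 500:
            hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}
```

Running nat_masks_peers over a real log that returns True, together with ban_candidates returning an empty dict, confirms that the origin addresses never reach the host and that the blocking has to happen on the NAT device (or on a proxy that preserves the origin).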