From: David H. <dha...@po...> - 2024-05-18 21:23:49
Roundup 2.3.0 source distribution, Python 3.10.12, running roundup-server with http on port 8080, net 0.0.0.0. I have SENDMAILDEBUG writing to a local file.

Background: I haven’t done any Roundup work for at least 6 years; that server is Python 2.7 and a much older Roundup. I’m prototyping some additions (a new issue type), and I’m running a standalone server for the moment.

I’d like to understand the errors that follow. Here’s the server running in the foreground, followed by a request from my IP for the list of issues, followed by two pairs of error messages from IP addresses that I don’t recognize. This seems to happen only on the first request after starting the roundup server, and then they stop. And I’ve just observed that after subsequent restarts, they don’t appear for a few real requests, then I get a few more of the code 400s.

Any ideas what these are (or pointers for finding this myself)? Here is what I’m seeing:

(simona-roundup) dhancock@ubuntu-s-1vcpu-1gb-nyc3-01:~/trackers/simona$ roundup-server -p 8080 -n 0.0.0.0 simona=/home/dhancock/trackers/simona
Roundup server started on 0.0.0.0:8080
100.16.88.22 - - [18/May/2024 21:00:25] "GET /simona/issue?@sort=-activity&@group=priority&@filter=status&@columns=id%2Cactivity%2Ctitle%2Ccreator%2Cassignedto%2Cstatus&@search_text=&status=-1%2C1%2C2%2C3%2C4%2C5%2C6%2C7&@dispname=Show%20All&@pagesize=50&@startwith=0 HTTP/1.1" 200 -
149.56.23.153 - - [18/May/2024 21:00:30] code 400, message Bad request syntax ('\\x16\\x03\\x01\\x02\\x00\\x01\\x00\\x01ü\\x03\\x03\\x94OW')
149.56.23.153 - - [18/May/2024 21:00:30] "\x16\x03\x01\x02\x00\x01\x00\x01ü\x03\x03\x94OW" 400 -
87.121.69.52 - - [18/May/2024 21:02:09] code 501, message Unsupported method ('CONNECT')
87.121.69.52 - - [18/May/2024 21:02:09] "CONNECT google.com:443 HTTP/1.1" 501 -

Thank you for any help you can provide.

P.S. I was also going to report that the Roundup Wiki was down, but it’s back now.

Cheers!
--
David Hancock
From: John P. R. <ro...@cs...> - 2024-05-18 22:19:20
Hi David:

In message <F6E...@po...>, David Hancock writes:
>Roundup 2.3.0 source distribution, Python 3.10.12, running
>roundup-server with http on port 8080, net 0.0.0.0. I have
>SENDMAILDEBUG writing to a local file.

Are you running a firewall on your host and is your host connected to the public internet?

>I’d like to understand the errors that follow. Here’s the server
>running in the foreground, followed by a request from my IP for the
>list of issues, followed by two pairs of error messages from IP
>addresses that I don’t recognize.

Details below, but this looks like you are being scanned/probed.

>Any ideas what these are (or pointers for finding this myself)? Here
>is what I’m seeing:
>
>(simona-roundup) dhancock@ubuntu-s-1vcpu-1gb-nyc3-01:~/trackers/simona$ roundup-server -p 8080 -n 0.0.0.0 simona=/home/dhancock/trackers/simona
>
>Roundup server started on 0.0.0.0:8080
>
>100.16.88.22 - - [18/May/2024 21:00:25] "GET /simona/issue?@sort=-activity&@group=priority&@filter=status&@columns=id%2Cactivity%2Ctitle%2Ccreator%2Cassignedto%2Cstatus&@search_text=&status=-1%2C1%2C2%2C3%2C4%2C5%2C6%2C7&@dispname=Show%20All&@pagesize=50&@startwith=0 HTTP/1.1" 200 -
>
>149.56.23.153 - - [18/May/2024 21:00:30] code 400, message Bad request syntax ('\\x16\\x03\\x01\\x02\\x00\\x01\\x00\\x01ü\\x03\\x03\\x94OW')
>
>149.56.23.153 - - [18/May/2024 21:00:30] "\x16\x03\x01\x02\x00\x01\x00\x01ü\x03\x03\x94OW" 400 -

I am running a dev version of Roundup on http. If I hit the endpoint using HTTPS not HTTP, I see:

192.168.1.20 - - [18/May/2024 17:45:02] code 400, message Bad request version ("y$¯OÞU\\x00F\\x13\\x02\\x13\\x03\\x13\\x01À,À0̨̩À\\xadÀ+À/À¬À#À'À")
192.168.1.20 - - [18/May/2024 17:45:02] "\x16\x03\x01\x02\x00\x01\x00\x01ü\x03\x03A\x93#6ª..." 400 -

(... is elided) which looks a lot like your output.

See also: https://stackoverflow.com/questions/60144556/apache-httpd-server-doesnt-accept-get-http-request-from-f5-load-balancer

>87.121.69.52 - - [18/May/2024 21:02:09] code 501, message Unsupported method ('CONNECT')
>
>87.121.69.52 - - [18/May/2024 21:02:09] "CONNECT google.com:443 HTTP/1.1" 501 -

This is a connect/tunnel request from some system/scanner on the internet.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT

It looks like your test box is on the open internet and is being hit by random scanners/hackers. My suggestion is to enable a host firewall and block all IP connections to port 8080 that are not from the hosts you are using to test the server (network 100.16.88/24 maybe).

If your server and test client are on a local lan, use '-n <server local lan address>' and configure config.ini to use the local lan address.

Roundup-server is fine for production, but it doesn't have the features/performance required to defend against an attack. If you are allowing access from the internet, we recommend placing roundup-server behind a reverse proxy. Reverse proxies (e.g. Apache, varnish, nginx, Hiawatha ...) can run web application firewalls (WAF), rate limit or filter connections. Roundup-server takes longer to process/drop a connection and doesn't have WAF and other filtering capabilities. Using roundup-server directly on a local lan/intranet protected from the internet by a firewall is fine as you don't expect people to actively attack the server to be on your local lan.

>This seems to happen only on the first request after starting the
>roundup server, and then they stop. And I’ve just observed that after
>subsequent restarts, they don’t appear for a few real requests, then
>I get a few more of the code 400s.

Timing of the connections could be a scanning/hacking tool that hits an endpoint until it gets an answer. Then slows or stops probes.

Your 'first request' observation could be regular probing of your system that is discarded because nothing is listening. Then when you fire up Roundup, well it's listening and you see the probe that was invisible before.

Most hosts have host level firewalls. You might see more activity of probing by looking at your firewall logs.

Hope this helps.

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.
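As an added example (not from the thread or from the Roundup project), a small Python script that parses roundup-server log lines like the ones above and tags the two probe types John identifies: a TLS ClientHello (record header \x16\x03\x01, handshake type 0x01) sent to the plaintext HTTP port, and a CONNECT tunnel request. The sample lines are adapted from the thread with the long GET query string shortened; the category names are my own.

```python
import re
from collections import Counter, defaultdict

# Log lines adapted from the thread above (roundup-server / http.server format);
# the long GET query string is shortened. Raw string so the \xNN escapes survive.
SAMPLE_LOG = r'''
100.16.88.22 - - [18/May/2024 21:00:25] "GET /simona/issue?@sort=-activity HTTP/1.1" 200 -
149.56.23.153 - - [18/May/2024 21:00:30] "\x16\x03\x01\x02\x00\x01\x00\x01ü\x03\x03\x94OW" 400 -
87.121.69.52 - - [18/May/2024 21:02:09] "CONNECT google.com:443 HTTP/1.1" 501 -
'''

# <ip> - - [<timestamp>] "<request line>" <status> <size>
LINE_RE = re.compile(r'^(?P<ip>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>.*)" (?P<status>\d{3}) ')
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})')


def unescape_request(req: str) -> bytes:
    """Turn the logged request line (with \\xNN escapes) back into raw bytes."""
    text = ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), req)
    return text.encode('latin-1', 'replace')


def classify_request(req: str, status: int) -> str:
    data = unescape_request(req)
    # TLS record header: content type 0x16 (handshake), record version 0x0301;
    # byte 5 is the handshake type, 0x01 = ClientHello. A client spoke HTTPS to
    # the plaintext port, which is what yields the "Bad request syntax" 400.
    if data[:3] == b'\x16\x03\x01' and len(data) > 5 and data[5] == 0x01:
        return 'tls_client_hello_on_http_port'
    if req.split(' ', 1)[0] == 'CONNECT':
        # Tunnel request to a third-party host: an open-proxy probe, refused with 501.
        return 'connect_proxy_probe'
    return 'normal' if status < 400 else 'other_error'


def summarize(log_text: str) -> dict:
    """Per-client-IP category counts: input for deciding which sources a firewall rule should keep."""
    per_ip = defaultdict(Counter)
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # the "code 400, message ..." companion lines carry no request field
        per_ip[m['ip']][classify_request(m['req'], int(m['status']))] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()}


if __name__ == '__main__':
    for ip, counts in summarize(SAMPLE_LOG).items():
        print(ip, counts)
```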
From: David H. <dha...@po...> - 2024-05-18 23:04:04
Thank you! That all makes sense. I am using an iptables rule to allow 8080 from anywhere. I’d better fix that pronto.

Understood about roundup-server vs. more robust chains. For the moment I’m just trying to relearn schema and template changes. Those will get rolled into a proper Roundup, behind Apache with https and better firewalls.

The super-convenient roundup-server is handy, but not so great if I’m open to attacks!

Cheers!
--
David Hancock (sent from my phone)
From: John P. R. <ro...@cs...> - 2024-05-19 00:57:04
Hi David:

In message <5F3...@po...>, David Hancock writes:
>Thank you! That all makes sense. I am using an iptables rule to
>allow 8080 from anywhere. I’d better fix that pronto.

More restrictive firewall rule for the win!

>Understood about roundup-server vs. more robust chains. For the
>moment I’m just trying to relearn schema and template changes. Those
>will get rolled into a proper Roundup, behind Apache with https and
>better firewalls.
>
>The super-convenient roundup-server is handy, but not so great if I’m
>open to attacks!

Agreed. I have been working on Roundup with some graduate student teams this past semester. Being able to spin up a server quickly for development/testing out ideas has been a major win.

Have a great week.

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.