Closed jesusaurus closed 7 years ago
It looks like the vhost configuration has several unwanted server aliases:
<VirtualHost _default_:80>
ServerName elk
ServerAlias _
ServerAlias _
ServerAlias o
ServerAlias m
ServerAlias i
ServerAlias t
ServerAlias _
ServerAlias p
ServerAlias l
ServerAlias a
ServerAlias c
ServerAlias e
ServerAlias _
ServerAlias h
ServerAlias o
ServerAlias l
ServerAlias d
ServerAlias e
ServerAlias r
ServerAlias _
ServerAlias _
ServerAlias 8
ServerAlias 0
ServerAlias c
ServerAlias f
ServerAlias 9
ServerAlias a
ServerAlias 3
ServerAlias d
ServerAlias 4
ServerAlias c
ServerAlias 0
ServerAlias 4
ServerAlias 4
ServerAlias 4
ServerAlias 8
ServerAlias 7
ServerAlias 1
ServerAlias 4
ServerAlias 1
ServerAlias 8
ServerAlias 0
ServerAlias 6
ServerAlias 4
ServerAlias e
ServerAlias c
ServerAlias 9
ServerAlias b
ServerAlias 9
ServerAlias 8
ServerAlias e
ServerAlias 0
ServerAlias b
ServerAlias f
ServerAlias 5
ServerAlias e
ServerAlias 5
ServerAlias 0
ServerAlias 2
ServerAlias 4
ServerAlias 3
ProxyPreserveHost On
ProxyRequests On
ProxyPass / http://127.0.0.1:5601/
ProxyPassReverse / http://127.0.0.1:5601/
</VirtualHost>
I've proposed BonnyCI/hoist#299 to remove the strange server aliases.
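As an added example (not part of this issue or of the hoist repository), here is a small Python linter for the kind of vhost shown above. It parses the `<VirtualHost>` blocks and flags the three things that make this config dangerous: `ProxyRequests On` (Apache becomes a forward proxy for anyone who can reach port 80), single-character `ServerAlias` entries (the shape a template produces when it iterates over a string rather than a list), and a default vhost that `ProxyPass`es whatever `Host` it receives. The `POSTED_VHOST` string is an abbreviation of the config in the issue; `HARDENED_VHOST` is my own illustration of the intended shape (forward proxying off, a deny-all default vhost, a named vhost for `elk.bonnyci.org`) and is not the content of any hoist pull request.

```python
"""Lint an Apache vhost for open-proxy and broken-alias settings (added example)."""
import re

# Abbreviated copy of the vhost from the issue: every alias is a single character.
POSTED_VHOST = """\
<VirtualHost _default_:80>
ServerName elk
ServerAlias _
ServerAlias o
ServerAlias m
ProxyPreserveHost On
ProxyRequests On
ProxyPass / http://127.0.0.1:5601/
ProxyPassReverse / http://127.0.0.1:5601/
</VirtualHost>
"""

# Illustrative hardened shape (an assumption for this example, not a hoist PR):
# no forward proxying, the first (default) vhost refuses everything, and only the
# vhost whose ServerName actually matches reverse-proxies to Kibana.
HARDENED_VHOST = """\
ProxyRequests Off

<VirtualHost *:80>
    ServerName default.invalid
    <Location />
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName elk.bonnyci.org
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:5601/
    ProxyPassReverse / http://127.0.0.1:5601/
</VirtualHost>
"""

DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")
BLOCK_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)


def parse_directives(text):
    """Return (name, value) pairs for plain directives; skips <Tags>, blanks, comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line or line.lstrip().startswith("<"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def split_vhosts(text):
    """Return (global directives, [(address, directives), ...])."""
    blocks = [(m.group(1).strip(), parse_directives(m.group(2))) for m in BLOCK_RE.finditer(text)]
    return parse_directives(BLOCK_RE.sub("", text)), blocks


def lint_config(text):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    global_dirs, vhosts = split_vhosts(text)
    scopes = [("server config", None, global_dirs)]
    scopes += [(f"<VirtualHost {addr}>", addr, dirs) for addr, dirs in vhosts]
    seen_addrs = set()
    for scope, addr, dirs in scopes:
        values = {}
        for name, value in dirs:
            values.setdefault(name, []).append(value.lower())
        if "on" in values.get("ProxyRequests", []):
            findings.append(f"{scope}: ProxyRequests On makes Apache a forward proxy for anyone who can reach it")
        short = [v for v in values.get("ServerAlias", []) if len(v) == 1]
        if short:
            findings.append(f"{scope}: {len(short)} single-character ServerAlias entries ({''.join(short)!r}); "
                            "a template is probably iterating over a string")
        if addr is not None:
            # _default_ and * are both wildcards; the first vhost listed for an address
            # is the one Apache uses for any Host header no other vhost matches.
            key = addr.replace("_default_", "*")
            is_default = key not in seen_addrs
            seen_addrs.add(key)
            denied = any(v.startswith("all denied") for v in values.get("Require", []))
            if is_default and "ProxyPass" in values and not denied:
                findings.append(f"{scope}: default vhost for {addr} reverse-proxies every Host it receives; "
                                "deny here and proxy only from a vhost with the real ServerName")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_VHOST), ("hardened", HARDENED_VHOST)):
        print(f"== {label} ==")
        for finding in lint_config(cfg) or ["no findings"]:
            print(" -", finding)
```

The check on the default vhost is the one that matters even after `ProxyRequests` is turned off: with `ProxyPreserveHost On` and a catch-all vhost, every request that reaches the box, whatever its `Host` header, is still forwarded to Kibana.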
A better server alias fix is proposed in BonnyCI/hoist#302.
The apache service has been stopped on elk, and ansible crons disabled to prevent the service from being re-enabled.
The unexpected server aliases have been removed from the configuration, and a vm rebuild has started.
The ProxyRequests directive should not be enabled. BonnyCI/hoist#306 disables that directive.
So it looks like we have people scanning our public IP blocks looking for things like this. It looks like this proxy got picked up and added to the backend of some public proxy service. After disabling the ProxyRequests, the server was still receiving loads of proxy requests but we were serving them the kibana dashboard in return. I've added https://github.com/BonnyCI/hoist/pull/307 which sets up the default vhost to deny all requests, and allows explicit requests to elk.bonnyci.org. Hopefully the non-200s will eventually remove the host from the proxy network
Actually, I forgot to git add an inventory to properly set up the vhost: https://github.com/BonnyCI/hoist/pull/309. In the meantime, proxy requests are still denied.
We are no longer acting as an open proxy.
While checking the apache access log to verify that kibana is working, I noticed many arbitrary websites being accessed, such as:
Note that some are returning 200s.
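The access-log check described above, as an added example that is not part of the thread or of hoist: a Python script that picks forward-proxy requests out of an Apache combined-format log. A reverse proxy should only ever see origin-form request lines (`GET /app/kibana`); an absolute-form target (`GET http://example.com/`) or a `CONNECT` means the client believes it is talking to an open proxy. The script reports which upstream hosts were requested, by which clients, and how many of those requests got a 2xx back. The log lines are constructed for this example and use documentation address ranges; they are not from the real elk host.

```python
"""Find forward-proxy requests in an Apache access log (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format: client, ident, user, [time], "method target proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic). Lines 1-3 and 6 are proxy-style
# requests; lines 4-5 are ordinary Kibana requests a reverse proxy should see.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2017:10:00:01 +0000] "GET http://example.com/ HTTP/1.1" 200 1520 "-" "curl/7.47.0"
203.0.113.10 - - [12/Jul/2017:10:00:02 +0000] "CONNECT example.net:443 HTTP/1.1" 403 199 "-" "-"
198.51.100.7 - - [12/Jul/2017:10:00:05 +0000] "GET http://example.org/ads.php?x=1 HTTP/1.0" 200 4011 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Jul/2017:10:00:09 +0000] "GET /app/kibana HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Jul/2017:10:00:10 +0000] "GET /bundles/kibana.bundle.js HTTP/1.1" 200 98765 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jul/2017:10:00:12 +0000] "GET http://example.com/login HTTP/1.1" 403 199 "-" "curl/7.47.0"
"""


def proxy_target(method, target):
    """Return the upstream host if the request line is a forward-proxy request, else None."""
    if method.upper() == "CONNECT":
        # CONNECT host:port is the tunnelling form used for HTTPS through a proxy.
        return target.rsplit(":", 1)[0]
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.netloc:
        # Absolute-form target: only a forward proxy is expected to receive this.
        return parts.hostname
    return None


def find_proxy_requests(lines):
    """Return (client, upstream_host, status) for every forward-proxy request in lines."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        host = proxy_target(m["method"], m["target"])
        if host is not None:
            records.append((m["client"], host, m["status"]))
    return records


def summarize(records):
    """Status-code counts plus the sorted upstream hosts that were actually served (2xx)."""
    by_status = Counter(status for _, _, status in records)
    served = sorted({host for _, host, status in records if status.startswith("2")})
    return by_status, served


if __name__ == "__main__":
    recs = find_proxy_requests(SAMPLE_LOG.splitlines())
    for client, host, status in recs:
        print(f"{client} -> {host} [{status}]")
    by_status, served = summarize(recs)
    print("proxy requests by status:", dict(by_status))
    print("upstream hosts served with 2xx:", served)
```

Run it against a real log with `find_proxy_requests(open("/var/log/apache2/access.log"))`. Once the default vhost denies everything, the `served` list should be empty; hosts that still appear there with a 200 are the ones being answered with the Kibana dashboard.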