Block HEAD requests to AWS Elastic Beanstalk and Elastic Load Balancer

I have an AWS Elastic Beanstalk (Node.js) setup behind an Elastic Load Balancer and alerts set up for the load balancer. Each night I get tons of alerts for:

Environment health has transitioned from Ok to Severe. 100.0 % of the requests are erroring with HTTP 4xx.

This is due to trawls of different PHP hackz and phpmyadmin, dbadmin, etc. using the HEAD method in 99% of the cases. Since we have an external AIM service, they trigger on these alerts as well, creating an issue for each (which we now change of course) but crying "wolf" you know...

Question is, is it possible to block HEAD or certain URIs we know we don't need somehow to get rid of the "false" HTTP 4xx?

Cartwright answered 4/1, 2017 at 7:20 Comment(4)
We started getting the same notifications tonight - I consider looking into the new AWS WAF (aws.amazon.com/waf) to manage blocking rules centrally - or possibly just add some custom directives to the Apache config via .ebextensions (e.g. using mod_security, see also #27569866). - Medor
*.php >> HTTP/1.1 302 Found Location: http://127.0.0.1/... (heh.) - Humbert
A Web Application Firewall (WAF) is the correct solution for this issue. - Metaphrase
I too have also just started getting these requests being sent to my Elastic Beanstalk and Elastic Load Balancer, so perhaps @MarkB could add it as a solution and go into a bit more depth as to how we'd use these tools to block HEAD requests? - Ordinary

As Mark B pointed out in the comments above, using a Web Application Firewall (WAF & Shield) solves our issue.

We had a normal EC2 ELB (Elastic Load Balancer) and swapped that out for the new Application Load Balancer (ALB) that is a requirement for the WAF.

Setting up WAF is fairly easy: first create a Web ACL for blocking HTTP HEAD (you can add a ton of other protection as well, SQL Injection, etc.) and then add a Rule to Block any matching wACL but Allow any other traffic.

Lastly, associate the new wACL with the load balancer and you're done!

Testing HTTP HEAD now gives a "403 Forbidden" and is not entering our Elastic Beanstalk.

Cartwright answered 5/1, 2017 at 9:31 Comment(1)
"Lastly associate the new wACL with the load balancer and you're done!" Do I need AWS Shield Advanced to do that? - Kamakura

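The setup described in the answer above (a Web ACL that blocks HTTP HEAD, allows all other traffic, and is associated with the Application Load Balancer), written as a CloudFormation template. This is an added example, not part of the original answer: it uses the current `AWS::WAFv2::*` resource types rather than the 2017 console flow, and the `LoadBalancerArn` parameter, logical names and metric names are assumptions.

```yaml
# Added example (not from the original answer); logical names are hypothetical.
AWSTemplateFormatVersion: "2010-09-09"
Description: Block HTTP HEAD at the load balancer, allow everything else

Parameters:
  LoadBalancerArn:            # assumption: ARN of the environment's Application Load Balancer
    Type: String

Resources:
  BlockHeadWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: block-head-requests
      Scope: REGIONAL         # regional scope is the one used for load balancers
      DefaultAction:
        Allow: {}             # "Allow any other traffic"
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: BlockHeadWebACL
      Rules:
        - Name: BlockHttpHead
          Priority: 0
          Action:
            Block: {}         # matching requests are answered with 403 by the load balancer
          Statement:
            ByteMatchStatement:
              FieldToMatch:
                Method: {}    # inspect the HTTP method, not the URI or body
              PositionalConstraint: EXACTLY
              SearchString: HEAD
              TextTransformations:
                - Priority: 0
                  Type: NONE
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockHttpHead

  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref LoadBalancerArn
      WebACLArn: !GetAtt BlockHeadWebACL.Arn
```

The `BlockHttpHead` metric and sampled requests show what the rule is matching. Any monitor or client that probes with HEAD will also receive 403 once the association is in place.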