I'm doing this on Debian Linux, but you should be able to do the same on any of
HAProxy's supported platforms, like FreeBSD or other Linux distributions.
HAProxy was never intended to be used as a port scan detector. This TCP port scan detection is really a deliberate misuse of the "
bind" keyword for HAProxy. HAProxy's "bind" accepts a dash-delimited ports range, and you can make HAProxy listen on about 40,000 TCP ports without any problem.
You have to skip ports for your real TCP services. I will skip SMTP (TCP port 25) and HTTP (TCP port 80) in the following example.
Install HAProxy first.
apt-get install haproxy
Append the following lines to HAProxy's configuration at /etc/haproxy/haproxy.cfg.
frontend fr_tcp
log /dev/log local2
mode tcp
bind <IP address of your HAProxy server>:1-24
bind <IP address of your HAProxy server>:26-79
bind <IP address of your HAProxy server>:81-40000
log-format %ci:%cp\ =>\ %[dst]:%[dst_port]\ [%t]\ %ft\ %b/%s\ %Tw/%Tc/%Tt\ %B\ %ts\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq
default_backend bk_tcp
backend bk_tcp
mode tcp
server www-2 127.0.0.1:1028
In the frontend section, HAProxy is configured to accept connections on TCP ports 1 to 40,000 minus 25 and 80. A custom log format is used to record IP addresses and port numbers of source and destination nodes, which are separated by a "=>" character string.
The backend section specifies a backend server at 127.0.0.1:1028. You can change the IP address and/or port number. It doesn't matter whether you have a TCP service there, and I don't have one. This is just to get a working configuration.
You have to stop and start HAProxy again to make the new configuration come into effect. I don't just restart or reload HAProxy because sometimes it seemed to run out of file descriptors and I have to reboot my Debian Linux.
service haproxy stop
service haproxy start
Give it some time, I guess at most half an hour, and you should see some logged actions in /var/log/messages or /var/log/syslog, like the following:
2018-09-29T03:21:53.912375+00:00 h4fvps1 haproxy[6415]: 45.XXX.49.XXX:64768 => 1YY.Y40.YY.1Y8:445 [29/Sep/2018:03:21:50.908] fr_tcp bk_tcp/www-2 1/-1/3003 0 SC 0/0/0/0/3 0/0
The line above shows that a host at IP 45.XXX.49.XXX tried to connect to TCP port 445 of my server at IP 1YY.Y40.YY.1Y8.
I prefer to keep HAProxy's log in its own file, so I changed the content of the file /etc/rsyslod.d/49-haproxy.conf to the following (only uncommented lines are shown):
$AddUnixListenSocket /var/lib/haproxy/dev/log
local2.* /var/log/haproxy.log
That's it.
Before this "misuse" of HAProxy, I had tried my hands on
scanlogd and
PSAD, two security tools capable of detecting port scans. But none of them really accept TCP connections, which makes me doubt the validity of source IP addresses they logged. HAProxy does not have this problem because it really listens on all the TCP ports you specified in haproxy.cfg. You can verify it yourself by issuing the following command:
netstat -an | grep LISTEN | wc
The number printed should be larger than the number of ports specified in your haproxy.cfg.