Running my own web and mail servers means not only do I get to keep up with current technologies, but I have to keep up with current technologies and requirements, or the server fails to work properly. AOL won't accept email from systems without reverse DNS. Yahoo! won't accept email from systems lacking an SPF (Sender Permitted From) record in DNS. We'll ignore for the moment the fact that DNS servers can be hacked and spoofed.
I have various logging mechanisms on my servers. One is logwatch, recommended by Mike. It sends me a daily summary of what happened on my systems. Granted, the report is a reactive mechanism: if something went wrong, I'd find out only after the fact; but it's better than nothing (and I suspect, given how hard I use my machines, I'd probably notice fairly quickly anyway).
One of the interesting items in my daily summary is the number of CONNECT requests to my box. Most legitimate web requests are GETs (all the parameters on the URL) or POSTs (a form submission or file upload). CONNECTs are rare, as are HEAD requests. A CONNECT doesn't ask for a page at all: it asks the server to act as a forward proxy and open a raw TCP tunnel to the host and port named in the request line. A plain web server has no business seeing them, so they are a reliable sign that someone is probing for an open proxy to relay through.
All the CONNECT requests are to Yahoo! servers in Taiwan, or to two other servers in Taiwan. All of the requests come from China.
So, I now drop all traffic from the offending source networks at the firewall. I haven't automated this yet, but will shortly. A sample rule looks like:
/sbin/iptables -A INPUT -p tcp -s 18.104.22.168/16 -j DROP
Two things to keep in mind with a rule like this: iptables masks off the host bits of the source, so the /16 matches the whole 18.104.0.0/16 block (65,536 addresses), not just the one host; and -A appends to the end of the INPUT chain, so if an earlier rule already ACCEPTs the packet the DROP never fires. Use -I to put it ahead of the ACCEPT rules.
The beginnings of my Great fireWall of China. Use some other servers to try to get to Taiwan.
The odd thing about the requests is that I don't have mod_proxy turned on for that server, so none of the requests succeeded; Apache just answered each one with an error, and they kept coming anyway. That is how open-proxy scanners behave: they don't check whether a host is a proxy before hammering it, they just try every web server they find.
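Since the post mentions wanting to automate the log-review-then-DROP step, here is an added example of what that automation might look like. It is not the author's script and not logwatch's code: it assumes the Apache "combined" access log format, a Linux box with iptables at /sbin/iptables, and an allowlist of networks that must never be blocked (the 127.0.0.0/8 and 192.168.0.0/16 entries are assumed values). The log lines are constructed for the example, using RFC 5737 documentation addresses, and the 400 status on the CONNECT lines is illustrative rather than copied from a real server.

```python
"""Find CONNECT requests in an Apache access log and emit iptables DROP rules.

Added example, not the author's script. Assumes the Apache 'combined' log
format and a Linux host with iptables; the sample log lines are constructed.
"""
import ipaddress
import re
from collections import Counter

# Apache "combined" format:
#   host ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Networks that must never be blocked, or you lock out yourself and your
# monitoring host. Assumed values; adjust to your own environment.
ALLOWLIST = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample lines (RFC 5737 documentation addresses, not real offenders).
# The last line is deliberately malformed to show that bad lines are skipped.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2004:13:55:36 -0700] "CONNECT tw.yahoo.com:25 HTTP/1.0" 400 226 "-" "-"
198.51.100.23 - - [10/Oct/2004:13:55:40 -0700] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2004:13:56:01 -0700] "CONNECT 203.0.113.200:443 HTTP/1.0" 400 226 "-" "-"
203.0.113.9 - - [10/Oct/2004:13:57:12 -0700] "CONNECT mail.example.tw:25 HTTP/1.0" 400 226 "-" "-"
192.168.1.5 - - [10/Oct/2004:13:58:00 -0700] "CONNECT tw.yahoo.com:25 HTTP/1.0" 400 226 "-" "-"
198.51.100.23 - - [10/Oct/2004:13:59:03 -0700] "HEAD /robots.txt HTTP/1.1" 200 - "-" "checker/1.0"
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def connect_sources(lines):
    """Count CONNECT requests per client address, silently skipping unparsable lines."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "CONNECT":
            counts[rec["ip"]] += 1
    return counts


def is_allowlisted(ip):
    """True if the address must not be blocked (or is not a usable IP at all)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # a hostname or junk; no rule can be built for it anyway
    return any(addr in net for net in ALLOWLIST)


def iptables_rules(counts, threshold=1):
    """Build one DROP rule per offender seen at least `threshold` times.

    -I (insert at the top of INPUT) rather than -A: an appended DROP never
    fires if an earlier ACCEPT already matches. A /32 blocks only the
    offending host; widen the prefix by hand if you prefer to block a range.
    """
    rules = []
    for ip, n in sorted(counts.items()):
        if n >= threshold and not is_allowlisted(ip):
            rules.append(f"/sbin/iptables -I INPUT -p tcp -s {ip}/32 -j DROP")
    return rules


if __name__ == "__main__":
    offenders = connect_sources(SAMPLE_LOG.splitlines())
    for rule in iptables_rules(offenders, threshold=1):
        print(rule)
```

Run against the sample, this prints a rule for each of the two public offenders and nothing for the 192.168.1.5 client, because it is allowlisted. The `target` field the regex captures is the host:port the scanner wanted tunnelled to, which is how the Taiwan destinations show up in the first place; the threshold lets you ignore a single stray CONNECT while still blocking a repeat offender. To use it for real, feed it the lines of your access_log instead of SAMPLE_LOG and review the rules before running them.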