Gentoo Forums
[HOWTO] Closing Apache to Spammers
viperlin
Posted: Thu Feb 26, 2004 9:30 pm    Post subject: [HOWTO] Closing Apache to Spammers

If you have ever seen this type of log output:
Code:

192.168.0.9 - - [26/Feb/2004:21:17:42 +0000] "CONNECT 1.3.3.7:1337" 200 "-" "-" "-"

Then this is a relay spammers can use. I have only recently learned of this, and it is not turned off by default.

In the /var/www/localhost/htdocs Directory section of /etc/apache2/commonapacheconf2.conf, add this to only allow GET and POST requests:

Code:

# Allow GET and POST from everyone
<Limit GET POST>
    Order allow,deny
    Allow from all
</Limit>
# Deny every other method, CONNECT included
<LimitExcept GET POST>
    Order deny,allow
    Deny from all
</LimitExcept>

Restart Apache2 and then CONNECT attempts will be denied with a 403 error.
juliancoccia
Posted: Thu Feb 26, 2004 9:45 pm

Could you explain this briefly? What does the CONNECT mean and why does that represent a spam abuse threat?
_________________
http://julian.coccia.com
http://www.linuxespanol.com
viperlin
Posted: Thu Feb 26, 2004 9:52 pm

I believe they use its proxy feature to relay spam somehow. I have only done some basic research, but I thought it was important enough to post to prevent this.

Basically, if your server replies with "200" (= OK), it means you can be abused as a CONNECT proxy that spammers may use to access an open relay.
Lews_Therin
Posted: Thu Feb 26, 2004 9:55 pm

Default for this seems to be turned off; my server responds with a 405.
viperlin
Posted: Thu Feb 26, 2004 9:59 pm

Hmm, mine returned 200 originally. Using (old?) config file (I don't overwrite with etc-update), so it's an older template, I would expect.
juliancoccia
Posted: Fri Feb 27, 2004 2:07 am

Alright. It seems to be a bug with PHP, but it does not mean that your server is being compromised. CONNECT is used by mod_proxy, which is not installed on my server. In theory the server should return a 405 Method Not Allowed error, but instead it is returning a 200 followed by the contents of my homepage.

I have seen quite a few CONNECTs in my logs requesting different third destinations. They all show 200 as the status, which makes you think that a connection has in fact been established with this third host, but if you look at the byte count, in my case it is always the same, as the server returns the contents of your index file.

I have applied the <Limit CONNECT> to my website as you mentioned, and now instead of a 200 it returns a 403 Forbidden. I think I like this answer better than a 200, but it does not seem to make a big difference.

The only advantage I see is that any script in search of open proxies will add you to the list when you are not open.... anyway.

There is more info on this bug here:
http://bugs.php.net/bug.php?id=19113
_________________
http://julian.coccia.com
http://www.linuxespanol.com
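
The byte-count check described in the post above, as an added example that is not part of the original thread: it sorts logged CONNECT requests into refused, answered with the index page, or worth a closer look. It assumes access logs in Common Log Format with a byte-count field; the sample lines, hostnames and verdict labels are constructed, and treating a 200 with a different size as suspicious is a heuristic assumed here.

```python
import re

# Constructed sample lines in Common Log Format (not taken from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [26/Feb/2004:21:17:40 +0000] "GET / HTTP/1.0" 200 1456
192.0.2.77 - - [26/Feb/2004:21:17:42 +0000] "CONNECT mail.example.org:25 HTTP/1.0" 200 1456
192.0.2.77 - - [26/Feb/2004:21:18:05 +0000] "CONNECT smtp.example.net:25 HTTP/1.0" 200 1456
198.51.100.4 - - [26/Feb/2004:21:20:11 +0000] "CONNECT mx.example.com:25 HTTP/1.0" 200 83412
198.51.100.9 - - [27/Feb/2004:09:40:02 +0000] "CONNECT mail.example.org:25 HTTP/1.0" 403 291
203.0.113.5 - - [27/Feb/2004:09:41:10 +0000] "CONNECT mail.example.org:25 HTTP/1.0" 405 -
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>[^"\s]+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def parse(log_text):
    """Yield one dict per parsable line; a size of "-" counts as 0 bytes."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["size"] = 0 if d["size"] == "-" else int(d["size"])
            yield d

def classify_connects(log_text):
    """Map verdict -> [(client, target, status, size)] for CONNECT requests."""
    entries = list(parse(log_text))
    # Body sizes the server returns for its own index page.
    index_sizes = {e["size"] for e in entries if e["method"] == "GET"
                   and e["target"] == "/" and e["status"] == 200}
    out = {}
    for e in entries:
        if e["method"] != "CONNECT":
            continue
        if e["status"] != 200:
            verdict = "refused" if e["status"] in (403, 405) else "other"
        elif e["size"] in index_sizes:
            verdict = "index_page_served"  # 200, but only the homepage came back
        else:
            verdict = "investigate"  # heuristic (assumption): 200 with another size
        out.setdefault(verdict, []).append(
            (e["client"], e["target"], e["status"], e["size"]))
    return out

if __name__ == "__main__":
    for verdict, hits in classify_connects(SAMPLE_LOG).items():
        print(verdict, hits)
```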
viperlin
Posted: Fri Feb 27, 2004 9:43 am

Well, at least it works as a minor bugfix :-)
All times are GMT