Re: How to prevent Spammer from abusing Apache?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Tony,

On Jun 18, 2007, at 11:25 PM, Tony Anecito wrote:

> I noticed someone was using CONNECT xxx.xxx.xxx.xxx http command against Apache. I was wondering how to disable the CONNECT command from executing on Apache. In a couple of entries I noticed a connection from Seattle that might be a spammer so I want to disable the CONNECT command from running successfully.

I'd advise you to CLOSE THIS IMMEDIATELY. Before long your site will be on lists of open proxies and you'll be denied traffic. And trust me, it's a huge pain getting off those lists. Until you fix this issue, don't advertise your site - there will be plenty of spambots checking the openness of your proxy.

See the proxy documentation, off the top of my head (check the docs, I can't access them now but want to leave at least a pointer) there are at least 3 alternatives:

# 1. If you have a reverse proxy only, you don't need to serve proxy requests
ProxyRequests off

or

# 2. If you have a forwarding proxy, then you must serve proxy requests.
# Use a whitelist of the systems that are allowed to do so, and close all
# others. I'm not sure this is the right syntax btw...
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
</Proxy>

or

3. Have your proxy listen on some odd port, say 8080, set up as a virtual server. Allow proxy requests only in that virtual server. Have your internal LAN users (who use Apache as a forwarding proxy to get to the outside) connect to that port, but close access to the port from the outside on the OS level, e.g. on Linux with iptables.
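A complete httpd.conf fragment combining the three alternatives above, as an added example (this is not Karel's text or an official Apache sample): the public port 80 server never forwards proxy requests, and a second virtual server bound to an internal address serves the LAN only. The hostnames, the 192.168.1.1 internal address and the 192.168.0.0/16 LAN range are assumed; the access-control directives are Apache 2.2 syntax (on 2.4 the Order/Deny/Allow lines become `Require ip 127.0.0.1 192.168.0.0/16`).

```apache
# Added example, not part of the original message. Addresses and hostnames are assumed.
Listen 80                    # public web server
Listen 192.168.1.1:8080      # forward proxy, bound to the internal interface only (assumed address)

# Alternative 1: the public server does no forward proxying at all.
# ProxyPass-style reverse proxying still works with ProxyRequests Off.
<VirtualHost *:80>
    ServerName www.example.com          # assumed
    ProxyRequests Off
    # ProxyPass /app http://10.0.0.5:8080/app   # example reverse-proxy rule, if needed
</VirtualHost>

# Alternative 3, with alternative 2 applied inside it: a separate virtual server
# on an odd port that forwards requests, but only for whitelisted LAN clients.
<VirtualHost 192.168.1.1:8080>
    ServerName proxy.internal.example.com   # assumed
    ProxyRequests On
    ProxyVia On                             # adds a Via: header so relayed traffic is traceable

    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 192.168.0.0/16   # assumed LAN range
    </Proxy>

    # CONNECT is the tunnelling method seen in the access log; allow it only
    # towards the HTTPS port instead of any port the client names.
    AllowCONNECT 443
</VirtualHost>

# Belt and braces at the OS level (Linux), so the proxy port is unreachable
# from outside even if the Listen line is later changed:
#   iptables -A INPUT -p tcp --dport 8080 ! -s 192.168.0.0/16 -j DROP
```

After restarting Apache, verify the public port really is closed by sending a proxy-style request to it from an address outside the LAN (for instance `curl -x www.example.com:80 http://www.example.org/`) and confirming the server returns an error page rather than the fetched URL; a successful fetch means the proxy is still open.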

Hope this helps,
Karel

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (Darwin)

iD8DBQFGdvzI23FrzRzybNURApPOAKCOtTA73RZULOmGApmFwVCeMAcOiQCfeApS
c9aeh/4r60oFTHhDGNCG6dM=
=G9Md
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.

