|
I posted my question with subject line ‘Deny CONNECT & GET http
requests’. The replies to my post came back saying that apache defaults to
denying CONNECT requests which I was not able to verify. That mod_proxy was
causing it. I have mod-proxy commented out. That the CONNECT request is some how being spoofed through php which I was not able to verify. My reading of php5 says it accepts all valid methods that apache
hands it. To me this indicates that apache is not denying CONNECT requests by
default. Reading a book I have titled 'Maximum Apache Security' it said to gain
explicit control over the "Methods" use the <Limit> or
<LimitExcept> declaratives with the 'Require valid-user' in the
default <Directory />
definition in the http-conf file. So in apache http-conf around line 340 I added the <LimitExcept
GET POST> Declarative like this to the default directory definition so it
looks like this. <Directory /> Options
FollowSymLinks
AllowOverride None Order
allow,deny Allow
from all
<LimitExcept GET POST> Require valid-user
</LimitExcept> </Directory> Now the access log shows this 61.228.120.228 - - [17/Jun/2007:22:42:49 -0400] "CONNECT
66.196.97.250:25 HTTP/1.0" 500 602 "-" "-" And the error.log shows this [Sun Jun 17 22:42:49 2007] [crit] [client 61.228.120.228]
configuration error: couldn't
perform authentication. AuthType not set!: / As you can see the CONNECT request is now being denied with a 500. The CONNECT requests have been stopped from attacking others. I hope this is the kind of solution you were looking for. -----Original
Message----- Hi All, I noticed a someone was using CONNECT xxx.xxx.xxx.xxx http
command against Apache. I was wondering how to disable the CONNECT command from
executing on Apache. In a couple of entries I noticed a connection from Seattle
that might be a spammer so I want to disable the CONNECT command from running
successfully. Thanks, -Tony Sick sense of humor? Visit Yahoo! TV's Comedy
with an Edge to see what's on, when. |
|