Re: Deny CONNECT & GET http requests


 



On 6/19/07, Bob <bob@xxxxxxxxxxxxxxx> wrote:
> The replies to my post came back saying that apache defaults to denying
> CONNECT requests which I was not able to verify.
> That the CONNECT request is somehow being spoofed through php which I was
> not able to verify.
> My reading of php5 says it accepts all valid methods that apache hands it.
> To me this indicates that apache is not denying CONNECT requests by default.

The default handler of apache does indeed deny connect requests. But
apache is a modular server that allows modules to take over whatever
processing they want. php chooses to take over all methods (even
invalid methods like SPLATCH or lowercase get -- this has been the
source of security problems in the past).

> So in apache http-conf around line 340 I added the <LimitExcept GET POST>
> Declarative like this to the default directory definition so it looks like
> this.
>
> <Directory />
>     Options FollowSymLinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>     <LimitExcept GET POST>
>        Require valid-user
>     </LimitExcept>
> </Directory>
>
> Now the access log shows this
>
> 61.228.120.228 - - [17/Jun/2007:22:42:49 -0400] "CONNECT 66.196.97.250:25 HTTP/1.0" 500 602 "-" "-"
>
> And the error.log shows this
>
> [Sun Jun 17 22:42:49 2007] [crit] [client 61.228.120.228] configuration error:  couldn't perform authentication. AuthType not set!: /

That's not really an ideal config, since it is returning a server
misconfiguration error rather than a proper 403 forbidden error. But
it doesn't really matter; the robots making these requests don't care.

> As you can see the CONNECT request is now being denied with a 500.
> The CONNECT requests have been stopped from attacking others.

The CONNECT requests were never attacking others in your case. PHP
was treating them exactly like GET requests and serving your default
page. As I've mentioned twice already, the best solution to this is to
limit the methods handled by PHP.

Joshua.
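The following is an added example, not part of the thread: Bob's <Directory /> block rewritten so that every method other than GET and POST is refused with a 403 rather than the 500 that Joshua points out comes from `Require valid-user` with no AuthType configured. It uses the Apache 2.2 access-control syntax that Bob's own block uses; the 2.4 equivalent is given in a comment. Anything beyond the directives already in the thread is my assumption about what the admin wants.

```apache
# Added example (not from the thread): deny all methods except GET and POST
# with a proper 403 instead of a misconfiguration 500.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all

    # LimitExcept matches any method NOT listed here. Method names are
    # case-sensitive, so a lowercase "get" or a made-up method is also
    # caught. Listing GET implicitly covers HEAD as well.
    <LimitExcept GET POST>
        # Apache 2.2 syntax: deny everything inside this method scope.
        # (Apache 2.4 equivalent: replace these two lines with
        #  "Require all denied".)
        Order deny,allow
        Deny from all
    </LimitExcept>
</Directory>

# TRACE cannot be controlled with <Limit>/<LimitExcept>; disable it
# separately at server level if it is not wanted.
TraceEnable off
```

With this in place a CONNECT request like the one in Bob's access log is answered by Apache's own access control with a 403 before the request ever reaches the PHP handler, which is the "limit the methods handled by PHP" outcome Joshua describes; the error log no longer reports an AuthType problem because no authentication directive is involved.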

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.

