Re: Found problem?


Subject: Re: Found problem?
From: Justin Dieters (enderak@gci.net)
Date: Sun Nov 16 2003 - 00:43:45 AKST


Yeah. I stopped the proxy stuff - I was expecting Apache to simply start
dropping the requests, or throw them into the error log, but instead it
keeps responding to them with 404 messages, which threw me off at
first. I used iptables to block the worst repeating IPs, but there's
so many, I'd be stuck here all day trying to block each individual one
as they came through. I found a place online that recommends using
mod_rewrite to make Apache send out 403 errors (Forbidden) instead of
404 errors for these requests, so I did that as well.

I don't know how the proxy stuff got turned on in the first place - I
think the default RedHat 8 config file has it turned on. Reading around
online, it seems this is a common problem with some default setups.

I fear my IP is listed on these Open Proxy lists now, and that is why I
am getting so much traffic. I'm not sure what would be the best course
of action now, to turn off my web server for a while and hope it goes
away in a couple days, or to just leave it running with it returning the
403 messages and hope the traffic starts going down.

Thanks for all your help, everyone.

Justin

Mike Tibor wrote:
> Well, it won't stop the requests from coming, but it should stop the
> requests from exploiting you :-) The problem has nothing to do with
> Postfix (or whatever MTA you happen to be using). Spammers appear to be
> using your web server as a proxy, and by shutting that off you should be
> able to solve the problem. If you actually need mod_proxy in Apache (very
> doubtful) you can use the basic access controls to limit access by IP.
> Otherwise just comment it all out of your httpd.conf and restart Apache.
>
> If you make these changes you should see your server reply to these
> requests with 404 errors. If it doesn't, something is wrong and you
> should dig deeper.
>
> I should point out that this problem is not limited to Apache's proxy
> module--any application proxy without access controls is ripe for
> exploitation.
>
> Mike

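Added example (not part of the original thread, and not code from either poster): a small Python triage of an Apache access log that picks out proxy-style requests (CONNECT, or a GET/POST naming a foreign host) and separates the ones that were refused with a 4xx/5xx from the ones that got any other answer, which is the case Mike's reply says to dig into. The server name www.example.org, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common/combined log format: host ident user [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def proxy_target(method, target, own_hosts):
    """Return the foreign host a request tried to reach through us, or None."""
    if method.upper() == "CONNECT":          # CONNECT host:port
        host = target.rsplit(":", 1)[0]
    elif "://" in target:                    # absolute-form: GET http://host/path
        host = urlsplit(target).hostname or ""
    else:                                    # origin-form: ordinary local request
        return None
    host = host.lower()
    return None if host in own_hosts else host  # absolute URI to ourselves is legitimate

def triage(lines, own_hosts):
    """Count refused proxy attempts per client; list attempts that were not refused."""
    own = {h.lower() for h in own_hosts}
    refused, answered = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                         # not an access-log line we understand
        client, method, target, status = m.groups()
        host = proxy_target(method, target, own)
        if host is None:
            continue
        if status[0] in "45":                # 403/404 etc.: the request went nowhere
            refused[client] += 1
        else:                                # 2xx/3xx on a foreign target: review it
            answered.append((client, method, host, int(status)))
    return refused, answered

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [16/Nov/2003:00:01:02 -0900] "GET http://mail.example.net/ HTTP/1.0" 404 285',
    '192.0.2.10 - - [16/Nov/2003:00:01:05 -0900] "CONNECT mx.example.net:25 HTTP/1.0" 403 290',
    '198.51.100.7 - - [16/Nov/2003:00:02:00 -0900] "GET http://www.example.org/index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [16/Nov/2003:00:02:01 -0900] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.5 - - [16/Nov/2003:00:03:00 -0900] "POST http://forms.example.com/send HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    refused, answered = triage(SAMPLE, {"www.example.org"})
    print("refused proxy attempts per client:", dict(refused))
    print("proxy attempts that were NOT refused:", answered)
```

An entry in the second list does not prove a relay happened (a server can answer a foreign absolute URI with its own local page), but it is the line to check against the proxy settings in httpd.conf.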



This archive was generated by hypermail 2a23 : Sun Nov 16 2003 - 00:46:21 AKST