Mailing List Archive: Apache: Users

How to prevent apache proxy abuse?

Index | Next | Previous | View Threaded

anebi at iguanait

Jul 18, 2008, 12:08 PM

Post #1 of 6 (531 views)
Permalink

How to prevent apache proxy abuse?

Hi,

i would like to ak how can i block these attempts?

fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:30 -0500] "POST
http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 302 313 "-" "-"
fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:30 -0500] "GET
http://www.microsoft.com/ HTTP/1.0" 302 304 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5
.1; SV1; .NET CLR 1.1.4322)"
fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:32 -0500] "CONNECT
http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 319 "-" "-"
204.184.43.252 - - [18/Jul/2008:13:05:41 -0500] "GET
http://www.microsoft.com/ HTTP/1.0" 302 304 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; SV1;
.NET CLR 1.1.4322)"
204.184.43.252 - - [18/Jul/2008:13:05:41 -0500] "POST
http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 302 313 "-" "-"
204.184.43.252 - - [18/Jul/2008:13:05:43 -0500] "CONNECT
http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 319 "-" "-"

I don't use proxy and it is disabled, but i still get these
connections in access_log. After this, this server is blacklisted from
XBL and CBL list like spammer.

Please help me to solve this problem. What can i do to block and to
prevent this kind of accesses?

Thanks in advanced!

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

rich.schu at gmail

Jul 18, 2008, 12:45 PM

Post #2 of 6 (513 views)
Permalink

Re: How to prevent apache proxy abuse? [In reply to]

If you are seeing nothing but abuse from these hosts your best bet would be
to block these at the router/firewall level. If you don't have access to
that, use iptables on the web server to silenty drop any connections from
them.

On Fri, Jul 18, 2008 at 12:08 PM, Ali Nebi <anebi [at] iguanait> wrote:

> Hi,
>
> i would like to ak how can i block these attempts?
>
> fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:30 -0500] "POST
> http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 302 313 "-" "-"
> fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:30 -0500] "GET
> http://www.microsoft.com/ HTTP/1.0" 302 304 "-" "Mozilla/4.0 (compatible;
> MSIE 6.0; Windows NT 5
> .1; SV1; .NET CLR 1.1.4322)"
> fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:32 -0500] "CONNECT
> http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 319 "-" "-"
> 204.184.43.252 - - [18/Jul/2008:13:05:41 -0500] "GET
> http://www.microsoft.com/ HTTP/1.0" 302 304 "-" "Mozilla/4.0 (compatible;
> MSIE 6.0; Windows NT 5.1; SV1;
> .NET CLR 1.1.4322)"
> 204.184.43.252 - - [18/Jul/2008:13:05:41 -0500] "POST
> http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 302 313 "-" "-"
> 204.184.43.252 - - [18/Jul/2008:13:05:43 -0500] "CONNECT
> http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 319 "-" "-"
>
>
> I don't use proxy and it is disabled, but i still get these connections in
> access_log. After this, this server is blacklisted from XBL and CBL list
> like spammer.
>
> Please help me to solve this problem. What can i do to block and to prevent
> this kind of accesses?
>
> Thanks in advanced!
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe [at] httpd
> " from the digest: users-digest-unsubscribe [at] httpd
> For additional commands, e-mail: users-help [at] httpd
>
>

anebi at iguanait

Jul 18, 2008, 1:21 PM

Post #3 of 6 (541 views)
Permalink

Re: How to prevent apache proxy abuse? [In reply to]

Thanks for the reply.

I use shorewall firewall. I will try to configure it to drop these hosts.
Is there some way to deny these accesses with rewriterule?

If yes how it should looks like?

Quoting Rich Schumacher <rich.schu [at] gmail>:

> If you are seeing nothing but abuse from these hosts your best bet would be
> to block these at the router/firewall level. If you don't have access to
> that, use iptables on the web server to silenty drop any connections from
> them.
>
> On Fri, Jul 18, 2008 at 12:08 PM, Ali Nebi <anebi [at] iguanait> wrote:
>
>> Hi,
>>
>> i would like to ak how can i block these attempts?
>>
>> fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:30 -0500] "POST
>> http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 302 313 "-" "-"
>> fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:30 -0500] "GET
>> http://www.microsoft.com/ HTTP/1.0" 302 304 "-" "Mozilla/4.0 (compatible;
>> MSIE 6.0; Windows NT 5
>> .1; SV1; .NET CLR 1.1.4322)"
>> fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:32 -0500] "CONNECT
>> http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 319 "-" "-"
>> 204.184.43.252 - - [18/Jul/2008:13:05:41 -0500] "GET
>> http://www.microsoft.com/ HTTP/1.0" 302 304 "-" "Mozilla/4.0 (compatible;
>> MSIE 6.0; Windows NT 5.1; SV1;
>> .NET CLR 1.1.4322)"
>> 204.184.43.252 - - [18/Jul/2008:13:05:41 -0500] "POST
>> http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 302 313 "-" "-"
>> 204.184.43.252 - - [18/Jul/2008:13:05:43 -0500] "CONNECT
>> http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 319 "-" "-"
>>
>>
>> I don't use proxy and it is disabled, but i still get these connections in
>> access_log. After this, this server is blacklisted from XBL and CBL list
>> like spammer.
>>
>> Please help me to solve this problem. What can i do to block and to prevent
>> this kind of accesses?
>>
>> Thanks in advanced!
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe [at] httpd
>> " from the digest: users-digest-unsubscribe [at] httpd
>> For additional commands, e-mail: users-help [at] httpd
>>
>>
>

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

Jacqui.caren at ntlworld

Jul 18, 2008, 2:11 PM

Post #4 of 6 (519 views)
Permalink

Re: How to prevent apache proxy abuse? [In reply to]

Ali Nebi wrote:
> Thanks for the reply.
>
> I use shorewall firewall. I will try to configure it to drop these hosts.

Off topic now (nd assuming this is a non commercial web service)

Add the ip addresses to /etc/shorewall/blacklists and ensure

blacklists is added to the correct line in the /ec/shorewall/interfaces
file.

i.e.

fox ~ # grep blacklist /etc/shorewall/interfaces
# blacklist - Check packets arriving on this
interface
# against the /etc/shorewall/blacklist
net eth1 - blacklist
net ppp0 - blacklist
fox ~ #

and

fox ~ # tail -5 /etc/shorewall/blacklist
24.64.108.109/32
24.64.187.143/32

#ADDRESS/SUBNET PROTOCOL PORT
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

> Is there some way to deny these accesses with rewriterule?
> If yes how it should looks like?

If I wanted to try and feed the infected machine something that
may trigger it I would consider an errordocument handler
but anything beyond a standard error may cause the infected machine
to conside your system as 'open'.

Instead, have the errordoc handler write the IP address to a log
and feed this (carefully) into your blacklist file.

Jacqui

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

rich.schu at gmail

Jul 18, 2008, 2:13 PM

Post #5 of 6 (514 views)
Permalink

Re: How to prevent apache proxy abuse? [In reply to]

You could use mod_rewrite/.htaccess to block these hosts. If you have
access, however, I'd suggest adding them to the DocumentRoot in your
httpd.conf. This is especially helpful if you are serving multiple sites
from a single server using vhosts. Adding them to the httpd.conf will allow
you to block access across the board to all sites that fall under the
DocumentRoot.

In httpd.conf, using the hosts from your log:
<Directory "/your/document/root">
Order allow,deny
Allow from all
Deny from fcmat.org
Deny from 204.184.43.252
</Directory>

Hope that helps.

Rich

On Fri, Jul 18, 2008 at 1:21 PM, Ali Nebi <anebi [at] iguanait> wrote:

> Thanks for the reply.
>
> I use shorewall firewall. I will try to configure it to drop these hosts.
> Is there some way to deny these accesses with rewriterule?
>
> If yes how it should looks like?
>
>
> Quoting Rich Schumacher <rich.schu [at] gmail>:
>
> If you are seeing nothing but abuse from these hosts your best bet would
>> be
>> to block these at the router/firewall level. If you don't have access to
>> that, use iptables on the web server to silenty drop any connections from
>> them.
>>
>> On Fri, Jul 18, 2008 at 12:08 PM, Ali Nebi <anebi [at] iguanait> wrote:
>>
>> Hi,
>>>
>>> i would like to ak how can i block these attempts?
>>>
>>> fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:30 -0500] "POST
>>> http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 302 313 "-" "-"
>>> fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:30 -0500] "GET
>>> http://www.microsoft.com/ HTTP/1.0" 302 304 "-" "Mozilla/4.0
>>> (compatible;
>>> MSIE 6.0; Windows NT 5
>>> .1; SV1; .NET CLR 1.1.4322)"
>>> fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:32 -0500] "CONNECT
>>> http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 319 "-" "-"
>>> 204.184.43.252 - - [18/Jul/2008:13:05:41 -0500] "GET
>>> http://www.microsoft.com/ HTTP/1.0" 302 304 "-" "Mozilla/4.0
>>> (compatible;
>>> MSIE 6.0; Windows NT 5.1; SV1;
>>> .NET CLR 1.1.4322)"
>>> 204.184.43.252 - - [18/Jul/2008:13:05:41 -0500] "POST
>>> http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 302 313 "-" "-"
>>> 204.184.43.252 - - [18/Jul/2008:13:05:43 -0500] "CONNECT
>>> http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 319 "-" "-"
>>>
>>>
>>> I don't use proxy and it is disabled, but i still get these connections
>>> in
>>> access_log. After this, this server is blacklisted from XBL and CBL list
>>> like spammer.
>>>
>>> Please help me to solve this problem. What can i do to block and to
>>> prevent
>>> this kind of accesses?
>>>
>>> Thanks in advanced!
>>>
>>> ----------------------------------------------------------------
>>> This message was sent using IMP, the Internet Messaging Program.
>>>
>>>
>>> ---------------------------------------------------------------------
>>> The official User-To-User support forum of the Apache HTTP Server
>>> Project.
>>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>>> To unsubscribe, e-mail: users-unsubscribe [at] httpd
>>> " from the digest: users-digest-unsubscribe [at] httpd
>>> For additional commands, e-mail: users-help [at] httpd
>>>
>>>
>>>
>>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>

krist.vanbesien at gmail

Jul 20, 2008, 12:43 AM

Post #6 of 6 (516 views)
Permalink

Re: How to prevent apache proxy abuse? [In reply to]

On Fri, Jul 18, 2008 at 21:08, Ali Nebi <anebi [at] iguanait> wrote:
> Hi,
>
> i would like to ak how can i block these attempts?
>
> fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:30 -0500] "POST
> http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 302 313 "-" "-"
> fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:30 -0500] "GET
> http://www.microsoft.com/ HTTP/1.0" 302 304 "-" "Mozilla/4.0 (compatible;
> MSIE 6.0; Windows NT 5
> .1; SV1; .NET CLR 1.1.4322)"
> fcmat_ex.nw1.fcmat.org - - [18/Jul/2008:09:51:32 -0500] "CONNECT
> http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 319 "-" "-"
> 204.184.43.252 - - [18/Jul/2008:13:05:41 -0500] "GET
> http://www.microsoft.com/ HTTP/1.0" 302 304 "-" "Mozilla/4.0 (compatible;
> MSIE 6.0; Windows NT 5.1; SV1;
> .NET CLR 1.1.4322)"
> 204.184.43.252 - - [18/Jul/2008:13:05:41 -0500] "POST
> http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 302 313 "-" "-"
> 204.184.43.252 - - [18/Jul/2008:13:05:43 -0500] "CONNECT
> http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 319 "-" "-"
>
>
> I don't use proxy and it is disabled, but i still get these connections in
> access_log. After this, this server is blacklisted from XBL and CBL list
> like spammer.
>
> Please help me to solve this problem. What can i do to block and to prevent
> this kind of accesses?

You should realize that whatever you configure in Apache won't keep
such log entries from appearing. For example: The "CONNECT" attempts
are already being blocked by your server, and apache is logging this
(see the 400 status code). If you manage to make Apache block the
other requests they will still appear in your logfile.
From some of those log entries I get that proxying is enabled on your
server. You need to disable proxy.

Krist

--
krist.vanbesien [at] gmail
krist [at] vanbesien
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads