Mailing List Archive: Apache: Users

Attack on my reverse proxy server

Index | Next | Previous | View Threaded

RJiang at fnpc

Jun 11, 2012, 9:42 PM

Post #1 of 3 (378 views)
Permalink

Attack on my reverse proxy server

Hi, all

We see some attack on our apache reverse proxy server.

180.211.101.213 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 301 324
201.243.47.144 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 400 226
113.162.230.163 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 503 323

How can we block those activities on the apache server? Thanks.

Ryan Jiang

This message (including any attachments) is intended
solely for the specific individual(s) or entity(ies) named
above, and may contain legally privileged and
confidential information. If you are not the intended
recipient, please notify the sender immediately by
replying to this message and then delete it.
Any disclosure, copying, or distribution of this message,
or the taking of any action based on it, by other than the
intended recipient, is strictly prohibited.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

uhlar at fantomas

Jun 12, 2012, 4:05 AM

Post #2 of 3 (350 views)
Permalink

Re: Attack on my reverse proxy server [In reply to]

On 12.06.12 00:42, Ruiyuan Jiang wrote:
>We see some attack on our apache reverse proxy server.
>
>180.211.101.213 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 301 324
>201.243.47.144 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 400 226
>113.162.230.163 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 503 323
>
>How can we block those activities on the apache server? Thanks.

if your server is accessible from the internet, such attacks _will_ come.
you should make sure that such attacks won't affect its functionality.

you can watch logs for that kind of activities and e.g. block source
IPs in firewall (a.g. using fail2ban).

There apparently are apache modules that can to something similar
internally.
--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

RJiang at fnpc

Jun 13, 2012, 8:55 AM

Post #3 of 3 (341 views)
Permalink

RE: Attack on my reverse proxy server [In reply to]

Thanks Matus

Actually we see a lot of POST command from lots different IPs around the world and our site was took down (very slow).

-----Original Message-----
From: Matus UHLAR - fantomas [mailto:uhlar [at] fantomas]
Sent: Tuesday, June 12, 2012 7:05 AM
To: users [at] httpd
Subject: Re: [users [at] http] Attack on my reverse proxy server

On 12.06.12 00:42, Ruiyuan Jiang wrote:
>We see some attack on our apache reverse proxy server.
>
>180.211.101.213 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 301 324
>201.243.47.144 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 400 226
>113.162.230.163 - - [11/Jun/2012:11:30:00 -400] "POST / HTTP/1.0" 503 323
>
>How can we block those activities on the apache server? Thanks.

if your server is accessible from the internet, such attacks _will_ come.
you should make sure that such attacks won't affect its functionality.

you can watch logs for that kind of activities and e.g. block source
IPs in firewall (a.g. using fail2ban).

There apparently are apache modules that can to something similar
internally.
--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

This message (including any attachments) is intended
solely for the specific individual(s) or entity(ies) named
above, and may contain legally privileged and
confidential information. If you are not the intended
recipient, please notify the sender immediately by
replying to this message and then delete it.
Any disclosure, copying, or distribution of this message,
or the taking of any action based on it, by other than the
intended recipient, is strictly prohibited.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads