Posted to users@httpd.apache.org by Jens <je...@gmx.de> on 2008/11/13 00:46:25 UTC

[users@httpd] mod_proxy_connect security questions

Hello,

I set up mod_proxy, mod_proxy_http and mod_proxy_connect on my Debian 
box (Apache 2.2.3).

After a couple of hours, I got the first spammer trying to abuse it - 
the access log showed

... CONNECT ...:25 HTTP/1.0 ...

though nothing in the error logs.

iftop tells me, however, that no traffic actually leaves the machine on 
that port, which is what I would expect given that I have turned off 
proxying globally

<IfModule mod_proxy.c>

         ProxyRequests Off
         ProxyVia Off

         <Proxy *>
                 AddDefaultCharset off

                 Order deny,allow
                 Deny from all

                 ProxyFtpDirCharset UTF-8
         </Proxy>

         AllowCONNECT 22

</IfModule>

and allow only CONNECTs to port 22.

I also have a virtual host

<VirtualHost *>
         ServerName ...

         ProxyRequests On

         <Proxy *>
                 Order deny,allow
                 Allow from ...
         </Proxy>

         AllowCONNECT 22

</VirtualHost>

which turns it on, but 1. that would be hard to guess and 2. it still 
should only connect to port 22.

Indeed my own tries to use the non-virtual host proxy fail and the 
virtual host ones succeed. So far so good, but now my questions:

1. If the spammer fails to send mail, why does he keep trying? What did 
actually change from his perspective compared to not loading 
mod_proxy_connect at all?
2. Can I somehow get the apache logs to tell me whether the spamming 
succeeds or not? LogLevel debug does not echo a thing more.

I think Apache is configured correctly but it's somewhat disturbing to 
see CONNECT sth:25 in the access log while nothing in the error log.

Thank you for your information,

Jens


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] mod_proxy_connect security questions

Posted by ma...@gmail.com.
Sorry for top post - gooseberry.

It's not clear to me why you are having a proxy around for general use. What happens when you use a servername that you do not have in your config at all? Usually it is matched to the first virtualhost; have you set up a non-proxy vhost first in the conf?

If you own a firewall, use that to deny requests; generally it's done that way, not in Apache. If you do require a TCP proxy for mail, use a dedicated mail transfer agent with SPI/DPI for that protocol.

The port isn't hard to guess, and the spammer doesn't care; it's just software going after low-hanging insecure servers on the standard ports. If the worm the spammer is using wanted YOUR server it would look for other ways in. Generally the time spent port scanning is time not spent spamming on another server, but it isn't good to rely on "non-standard" config to protect you when standard methods do exist to protect you. Modern company firewalls that do Packet Inspection will stop CONNECT requests to an HTTP proxy on 22 if configured to do so, expecting to see SSH2 traffic instead!

So basically:
1. Spammers are really just software; they are everywhere, and having a server with standard ports open writing to a log file means you will start seeing this white noise.

2. Log and look at the response size in bytes: is it the standard size for the status code given, i.e. if 403, with a set size in bytes?

It is disturbing to see log entries, but at least you are checking them!!
Check your firewall logs if you have them, and match up the times to see what's going on.
Block outgoing requests to ports for TCP/UDP apart from ones you need and trust, and for those ports, to the hosts/IPs you trust - outgoing ports 21, 22, 25, 53, 110, 135/7, 443, 445, 500 etc. should be only to hosts/IPs you trust. Even 80, unless you truly need this proxy to be more "open" than that. A web server only needs access to other "trusted" web servers - although quite what that means I will leave to you. Careful with IP-based ACLs though, they change, so if possible use hosts, and lock down your DNS outgoing to the IP of your ISP.


Matt

Sent from my BlackBerry® wireless device
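Matt's second point (judge each CONNECT by its status code and response size rather than by the mere presence of the line) can be automated over the access log. The script below is an added example, not code from the thread or from the httpd project; it assumes the standard "combined" LogFormat, treats port 22 as the only port the config permits (matching Jens's AllowCONNECT 22), and uses constructed sample lines.

```python
import re
from collections import Counter

# Apache "combined" LogFormat: client, ident, user, [time], "request", status, bytes, ...
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample lines (not from the original thread): two refused
# CONNECTs to port 25, one permitted CONNECT to port 22, one plain GET.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Nov/2008:00:40:11 +0000] "CONNECT 203.0.113.9:25 HTTP/1.0" 403 303 "-" "-"
198.51.100.7 - - [13/Nov/2008:00:40:12 +0000] "CONNECT 203.0.113.10:25 HTTP/1.0" 403 303 "-" "-"
192.0.2.44 - - [13/Nov/2008:00:41:05 +0000] "CONNECT example.org:22 HTTP/1.1" 200 8192 "-" "-"
192.0.2.44 - - [13/Nov/2008:00:42:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"
"""

def parse_connect(line):
    """Return (client, host, port, status, bytes) for a CONNECT line, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "CONNECT":
        return None
    host, _, port = m.group("target").rpartition(":")
    size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return m.group("client"), host, int(port), int(m.group("status")), size

def classify(entry, allowed_ports=(22,)):
    """'refused' for any non-2xx status (the bytes column is then just the
    size of the error page); 'tunnelled' for a 2xx to a permitted port;
    'unexpected' for a 2xx to a port the config should have denied, which is
    the case worth alerting on."""
    _, _, port, status, _ = entry
    if status // 100 != 2:
        return "refused"
    return "tunnelled" if port in allowed_ports else "unexpected"

def summarize(log_text, allowed_ports=(22,)):
    """Count CONNECT outcomes per (client, port, outcome) so the :25 noise is
    separated from legitimate :22 tunnels at a glance."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_connect(line)
        if entry:
            client, _, port, _, _ = entry
            counts[(client, port, classify(entry, allowed_ports))] += 1
    return counts

if __name__ == "__main__":
    for (client, port, outcome), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client:16} port {port:<5} {outcome:10} {n}")
```

Any "unexpected" row means a tunnel was opened to a port outside AllowCONNECT, which is exactly what Jens's iftop check was trying to rule out.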
