John Bailey Replied... >One thing that might be worth checking to see if the ISP's web proxy is >setting any kind of 'X-Forwarded-For' HTTP header (I know squid can be >configured to do this).
John did a bit of research on that after posting and asked the question to one of the ISP's and there sys min gave the educated reply of "nah it's not and don't see why it should be" ... (sad frown) Graeme Replied... >John however does make a pertinent note, that properly configured proxies >*should* pass an X- header with the source IP in them. Again, for privacy >reasons (and logistical ones too) many do not. It is not written in any >standard, nor is it a requirement AFAIK in law anywhere. This confirms what I was told from one of the main New Zealand ISP's >>What Chae brings up is a perennial problem for all webserver administrators: >>just when do you bother to report things? I have always checked what was being reported prior to it going to the system admin at the ISP...we don't report the 1 or 2 scans for formmail or wayboard accesss etc but we do send out reports when we see say 20 or more obvious attempts at anonymous FTP attempts, SYN FIN scans, Squid scans, Dos Attempts etctera - the out of the everyday ordinary stuff. But I have asked the question to one of the ISP's ... so what if I get a barage of attacks coming from your proxy server are you saying you can't help or assist in the tracing of the culprit? I'm still waiting for a reply :< Up to now we've approached 4 of the big New Zealand ISP's regarding this and 3 have just gave the typical reply of "Sorry it's an International Proxy/Cache server can't help" and one ISP spent a few days setting up logging and filtered through a 400Mb per day log for us - still didn't help trace them culprit down but at least they went to the trouble of assisting us. I'm cusrious - do other smaller ISP's/hosting companies have the same problem or is it simply a New Zealand thing? Regards Chae _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
