RE: Apache access log shows these attack requests
The replies to my post came back saying that apache defaults to denying CONNECT requests, which I was not able to verify. That mod_proxy was causing it. I have mod-proxy commented out. That the CONNECT request is somehow being spoofed through php, which I was not able to verify. My reading of php5 says it accepts all valid methods that apache hands it. To me this indicates that apache is not denying CONNECT requests by default.

Reading a book I have titled 'Maximum Apache Security', it said to gain explicit control over the "Methods" use the or declaratives with the 'Require valid-user' in the default definition in the http-conf file. So in apache http-conf around line 340 I added the Declarative like this to the default directory definition, so it looks like this:

    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
    Require valid-user

Now the access log shows this:

61.228.120.228 - - [17/Jun/2007:22:42:49 -0400] "CONNECT 66.196.97.250:25 HTTP/1.0" 500 602 "-" "-"

And the error.log shows this:

[Sun Jun 17 22:42:49 2007] [crit] [client 61.228.120.228] configuration error: couldn't perform authentication. AuthType not set!: /

As you can see the CONNECT request is now being denied with a 500. The CONNECT requests have been stopped from attacking others. I post this solution so others can find it in the questions archives.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Apache access log shows these attack requests
On Thu, 14 Jun 2007, Norberto Meijome wrote:

 > On Wed, 13 Jun 2007 10:50:20 -0400
 > "Bob" <[EMAIL PROTECTED]> wrote:
 >
 > Hi Bob, please learn how to quote in a reply to a message - it's pretty hard
 > to figure out who's written what otherwise.

So much so, it's easier to respond to Bob via yours :)

 > > I checked with ls -l command and I have no pages 7036 in size.
 >
 > (hmm... does those bytes include the headers et al ? if they do, then u
 > should be looking for something else other than 7036 in the filesystem...anyway...

Static pages do show the actual file size, checking here, but of course any dynamic content (php or whatever) makes size indeterminate. Bob, check the size shown as served for your ordinary "/" page requests?

 > > My question
 > > is why is apache servicing a request for "\x04\x01", this is not a valid
 > > request in first place.
 >
 > maybe if you show us your apache config it would be easier to figure out what
 > you allow or not. To make it simpler, the DEFAULT config in apache (with no
 > mod_proxy) is quite secure wrt access to / .

If not too much modified, a 'diff apache.conf.installed apache.conf' might be less wieldy and easier to grok ..

You do and will regularly see all sorts of tricks tried, aimed at various vulnerabilities, mostly on M$ systems, and life's too short to get too bothered by the 'background radiation' .. trust the security teams (both apache and freebsd) to post about and deal with new vulns.

 > > You wrote "because I disallow 'no referrer'
 > > plus 'no browser' ("-" "-") connects from non-local addresses, blocking
 > > heaps of rogue robots"
 > > Could you give me a example of the httpd.config coding you used for this?
 > > These denied requests get logged in the access.log, I would think they
 > > should be logged in the error.log.
 >
 > well, they are not an error from apache's POV, are they? they get served OK :)
 > therefore, access. (the fact that you dont like it doenst make it less "correct"
 > for Apache ;)

Yeah.

Anything invoking a 40[0-9] response, among other things, makes it to the error log, but even errors usually send some sort of response, and if in doubt (eg on would-be proxy requests) apache will serve "/"

For Bob and the other fellow asking: it's all in the Fine Manual apache installed for you of course, but for simple illustration something like:

    BrowserMatchNoCase "Yet Another Illbehaved Robot" go_away
    SetEnvIfNoCase Referer nastysukkas\.biz go_away
    BrowserMatch "Windows 98\) XX" go_away
    SetEnvIf Remote_Addr 254.231.132.* go_away
    [..]
    # we only want to exclude those with neither (no_ref being usually ok)
    # meanwhile, till finding out how .. just 'no browser' is disallowed
    #
    SetEnvIf Referer "^$" no_ref=1
    SetEnvIf User-Agent "^$" no_bro=1
    # (I never did work out how to express 'no_bro AND no_ref' ?)
    SetEnvIf no_bro 1 go_away
    # except of course allow local "-" "-" requests - add more friendlies ..
    SetEnvIf Remote_Addr my.ip.adr.ess !go_away
    [..]
    Options Indexes FollowSymLinks
    AllowOverride AuthConfig
    # 18Mar02 - always allow, even for otherwise denied bots
    order allow,deny
    allow from all
    # Controls who can get stuff from this server.
    order allow,deny
    allow from all
    deny from env=go_away

Cheers, Ian
Re: Apache access log shows these attack requests
Hello;

I have not understood what the request for "-" "-" meant. Thank you, this has shed a lot of light on it. I have seen that fairly frequently in my Apache logs. But on one of my machines that serves as secondary name server I also had Apache running to serve a place holder site. It was attacked by voluminous requests for that, so much so that it was causing Apache to kill processes for lack of memory. The machine does not have a lot of RAM at its disposal, so it was not too surprising. I do not run Apache on this machine, now, because of that.

I would like to know how do you disallow 'no referrer' and 'no browser'? Is this a server configuration issue? I have not seen mention of this in texts on Apache, nor the manual. And queries of the Apache mailing list yielded indistinct results.

I am not running a proxy on the public server. I have shell and ftp access blocked from outside. I am using php as application server. I am running several machines with FreeBSD 6.0 and 6.2 as web servers. Only one serves my public addresses. I am using Apache 1.3.x.

Thanks in advance for guidance.

Jeff K

 > 220.137.74.222 - - [12/Jun/2007:02:07:08 +1000] "CONNECT msa-mx10.hinet.net:25 HTTP/1.0" 403 272 "-" "-"
 >
 > 403 = Permission denied. In this case, because I disallow 'no referrer'
 > plus 'no browser' ("-" "-") connects from non-local addresses blocking
 > heaps of rogue robots, but CONNECT requests don't work anyway in apache 1.3
 > in default configuration .. older logs show 405 responses to these.
Re: Apache access log shows these attack requests
On Wed, 13 Jun 2007 10:50:20 -0400
"Bob" <[EMAIL PROTECTED]> wrote:

Hi Bob, please learn how to quote in a reply to a message - it's pretty hard to figure out who's written what otherwise.

 > I checked with ls -l command and I have no pages 7036 in size.

(hmm... does those bytes include the headers et al ? if they do, then u should be looking for something else other than 7036 in the filesystem...anyway...

 > My question
 > is why is apache servicing a request for "\x04\x01", this is not a valid
 > request in first place.

maybe if you show us your apache config it would be easier to figure out what you allow or not. To make it simpler, the DEFAULT config in apache (with no mod_proxy) is quite secure wrt access to / .

 > You wrote "because I disallow 'no referrer'
 > plus 'no browser' ("-" "-") connects from non-local addresses, blocking
 > heaps of rogue robots"
 > Could you give me a example of the httpd.config coding you used for this?
 > These denied requests get logged in the access.log, I would think they
 > should be logged in the error.log.

well, they are not an error from apache's POV, are they? they get served OK :) therefore, access. (the fact that you dont like it doenst make it less "correct" for Apache ;)

B

_
{Beto|Norberto|Numard} Meijome

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts."
  Bertrand Russell

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
RE: Apache access log shows these attack requests
On Tue, 12 Jun 2007 16:54:47 -0400 "Bob" <[EMAIL PROTECTED]> wrote:

 > Running FBSD 6.2 + apache 13. In the apache access log I see these log
 > records.
 > To me it looks like my apache server is servicing connect requests and get
 > requests to other URL's.
 > Is there some configuration option I can turn on to stop my server from
 > servicing these bogus requests?
 >
 > 122-124-129-27.dynamic.hinet.net - - [04/May/2007:04:38:18 -0400] "CONNECT
 > 220.1
[..]
 > 122-124-129-55.dynamic.hinet.net - - [10/May/2007:18:29:39 -0400] "CONNECT
 > 220.1
 > kaista.fi - - [03/May/2007:01:35:44 -0400] "GET http://pro_xy.t35.com/AZ.php
 > HTT
 > kaista.fi - - [03/May/2007:01:35:45 -0400] "GET http://pro_xy.t35.com/AZ.php
 > H
[..]
 > r - - [10/May/2007:09:42:40 -0400] "\x04\x01\x1a\vE\x10\xac\"" 400 - "-" "-"
 > r - - [10/May/2007:09:42:50 -0400] "\x05\x01" 200 7036 "-" "-
 > 89.196.37.169 - - [15/May/2007:02:50:21 -0400] "GET
 > http://www.internetsec.org/a
 > 89.196.37.169 - - [15/May/2007:02:50:37 -0400] "\x04\x01" 200 7036 "-" "-"
 > 89.196.37.169 - - [15/May/2007:02:50:52 -0400] "\x05\x01" 200 7036 "-" "-"

What Chuck said about disabling|securing mod_proxy and PHP, for sure ..

But in most cases you chopped off the most important information; the HTTP code indicating apache's response to the request. On those last two, 200 indicates apache served a page of 7036 bytes. If that's the served size of your home "/" page then you've little to worry about. 40x responses indicate refusal; page not found, permission denied etc.

Here at least weekly I see such as:

220.137.74.222 - - [12/Jun/2007:02:07:08 +1000] "CONNECT msa-mx10.hinet.net:25 HTTP/1.0" 403 272 "-" "-"

403 = Permission denied. In this case, because I disallow 'no referrer' plus 'no browser' ("-" "-") connects from non-local addresses, blocking heaps of rogue robots, but CONNECT requests don't work anyway in apache 1.3 in default configuration .. older logs show 405 responses to these.

222.141.50.175 - - [21/May/2007:23:46:01 +1000] "GET http://www.baidu.com/ HTTP/1.1" 200 3847 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"

In this case, apache served (200 response) *my* home page (3847 bytes) on all such would-be proxy requests. Not a problem.

 > 122-124-129-55.dynamic.hinet.net - - [10/May/2007:18:29:38 -0400] "CONNECT
 > 220.1

FWIW, nearly every CONNECT request here for the last 2 years has been for or from some hinet.net host or other. They're well up in the top 10 spam sources too, so I won't see any mail from [EMAIL PROTECTED] complaining!

Cheers, Ian

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ian Smith
Sent: Wednesday, June 13, 2007 1:09 AM
To: Bob
Cc: freebsd-questions@freebsd.org
Subject: Re: Apache access log shows these attack requests

Sorry about cutting off the end of the record.

 > 89.196.37.169 - - [15/May/2007:02:50:37 -0400] "\x04\x01" 200 7036 "-" "-"
 > 89.196.37.169 - - [15/May/2007:02:50:52 -0400] "\x05\x01" 200 7036 "-" "-"

You wrote "On these two, 200 indicates apache served a page of 7036 bytes. If that's the served size of your home "/" page then you've little to worry about."

I checked with ls -l command and I have no pages 7036 in size. My question is why is apache servicing a request for "\x04\x01", this is not a valid request in first place.

You wrote "because I disallow 'no referrer' plus 'no browser' ("-" "-") connects from non-local addresses, blocking heaps of rogue robots"

Could you give me a example of the httpd.config coding you used for this?

These denied requests get logged in the access.log, I would think they should be logged in the error.log.
Re: Apache access log shows these attack requests
On Tue, 12 Jun 2007 16:54:47 -0400 "Bob" <[EMAIL PROTECTED]> wrote:

 > Running FBSD 6.2 + apache 13. In the apache access log I see these log
 > records.
 > To me it looks like my apache server is servicing connect requests and get
 > requests to other URL's.
 > Is there some configuration option I can turn on to stop my server from
 > servicing these bogus requests?
 >
 > 122-124-129-27.dynamic.hinet.net - - [04/May/2007:04:38:18 -0400] "CONNECT
 > 220.1
[..]
 > 122-124-129-55.dynamic.hinet.net - - [10/May/2007:18:29:39 -0400] "CONNECT
 > 220.1
 > kaista.fi - - [03/May/2007:01:35:44 -0400] "GET http://pro_xy.t35.com/AZ.php
 > HTT
 > kaista.fi - - [03/May/2007:01:35:45 -0400] "GET http://pro_xy.t35.com/AZ.php
 > H
[..]
 > r - - [10/May/2007:09:42:40 -0400] "\x04\x01\x1a\vE\x10\xac\"" 400 - "-" "-"
 > r - - [10/May/2007:09:42:50 -0400] "\x05\x01" 200 7036 "-" "-
 > 89.196.37.169 - - [15/May/2007:02:50:21 -0400] "GET
 > http://www.internetsec.org/a
 > 89.196.37.169 - - [15/May/2007:02:50:37 -0400] "\x04\x01" 200 7036 "-" "-"
 > 89.196.37.169 - - [15/May/2007:02:50:52 -0400] "\x05\x01" 200 7036 "-" "-"

What Chuck said about disabling|securing mod_proxy and PHP, for sure ..

But in most cases you chopped off the most important information; the HTTP code indicating apache's response to the request. On those last two, 200 indicates apache served a page of 7036 bytes. If that's the served size of your home "/" page then you've little to worry about. 40x responses indicate refusal; page not found, permission denied etc.

Here at least weekly I see such as:

220.137.74.222 - - [12/Jun/2007:02:07:08 +1000] "CONNECT msa-mx10.hinet.net:25 HTTP/1.0" 403 272 "-" "-"

403 = Permission denied. In this case, because I disallow 'no referrer' plus 'no browser' ("-" "-") connects from non-local addresses, blocking heaps of rogue robots, but CONNECT requests don't work anyway in apache 1.3 in default configuration .. older logs show 405 responses to these.

222.141.50.175 - - [21/May/2007:23:46:01 +1000] "GET http://www.baidu.com/ HTTP/1.1" 200 3847 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"

In this case, apache served (200 response) *my* home page (3847 bytes) on all such would-be proxy requests. Not a problem.

 > 122-124-129-55.dynamic.hinet.net - - [10/May/2007:18:29:38 -0400] "CONNECT
 > 220.1

FWIW, nearly every CONNECT request here for the last 2 years has been for or from some hinet.net host or other. They're well up in the top 10 spam sources too, so I won't see any mail from [EMAIL PROTECTED] complaining!

Cheers, Ian
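Most of the back-and-forth in this thread is about reading a single access-log line: does the status say Apache served or refused the request, does a "-" "-" pair come from outside, and what are the "\x04\x01" / "\x05\x01" request lines. The script below is an added example, not code anyone posted in the thread. It parses Apache combined-format log lines and applies those checks: CONNECT requests, GETs for an absolute URL (the proxy-judge probes Chuck describes), request lines that are not HTTP at all (0x04 0x01 and 0x05 0x01 are the first two bytes of a SOCKS4 request and a SOCKS5 greeting, so those are SOCKS clients knocking on the HTTP port), and "-" "-" requests from non-local addresses. It then reports whether each was served (2xx), and whether the served size matches the normal "/" response, which is Ian's benign case, or refused (4xx/5xx). The sample lines are constructed to match the shapes posted (the posted ones were cut short), and the LOCAL_PREFIXES and index_size values are assumptions.

```python
"""Triage Apache combined-format access-log lines for the patterns discussed
in this thread: CONNECT requests, GETs for an absolute URL, request lines
that are not HTTP at all, and "-" "-" requests from non-local addresses.
Added example, not code from the thread; sample lines are constructed and
LOCAL_PREFIXES holds assumed values."""
import re

# Combined log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Apache escapes embedded quotes and non-printables with a backslash, so a
# quoted field is any run of (non-quote, non-backslash | backslash + char).
FIELD = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + FIELD + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + FIELD + r')" "(?P<agent>' + FIELD + r')"$'
)

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Sources whose "-" "-" requests are expected (local monitoring, own hosts).
# Assumed values for this example; replace with your own address prefixes.
LOCAL_PREFIXES = ("127.", "192.168.1.")


def classify(line, local_prefixes=LOCAL_PREFIXES, index_size=None):
    """Parse one log line and return a dict with the parsed fields, a list
    of reasons it looks like proxy abuse (empty if none) and a verdict:
    clean, served, served-index, redirected, refused or unparseable.
    index_size is the byte count Apache logs for a normal "/" request."""
    m = LOG_RE.match(line)
    if not m:
        return {"verdict": "unparseable", "line": line, "reasons": []}

    parts = m["request"].split(" ")
    method, target = parts[0], (parts[1] if len(parts) > 1 else "")
    reasons = []
    if method == "CONNECT":
        reasons.append("CONNECT tunnel attempt to " + target)
    elif method in HTTP_METHODS and re.match(r"[a-z][a-z0-9+.-]*://", target, re.I):
        reasons.append("absolute-URL request (open-proxy probe) for " + target)
    elif method not in HTTP_METHODS:
        # "\x04\x01" / "\x05\x01" are the opening bytes of SOCKS4 / SOCKS5
        # client handshakes sent to the HTTP port.
        reasons.append("request line is not HTTP (SOCKS handshake or garbage)")
    if (m["referer"] == "-" and m["agent"] == "-"
            and not m["host"].startswith(tuple(local_prefixes))):
        reasons.append("no Referer and no User-Agent from a non-local address")

    status = int(m["status"])
    if not reasons:
        verdict = "clean"
    elif status < 300:
        # Served. Apache 1.3 answers would-be proxy requests with its own "/",
        # so a size equal to the normal "/" response is the benign case.
        verdict = ("served-index" if index_size is not None
                   and m["size"] == str(index_size) else "served")
    elif status < 400:
        verdict = "redirected"
    else:
        verdict = "refused"
    return {"verdict": verdict, "host": m["host"], "method": method,
            "status": status, "size": m["size"], "reasons": reasons}


def triage(lines, **kw):
    """Classify every line and return a count per verdict."""
    counts = {}
    for line in lines:
        v = classify(line, **kw)["verdict"]
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample modelled on the lines posted in the thread (those were
# cut short); the last entry is deliberately truncated to show the failure path.
SAMPLE_LOG = [
    r'220.137.74.222 - - [12/Jun/2007:02:07:08 +1000] "CONNECT msa-mx10.hinet.net:25 HTTP/1.0" 403 272 "-" "-"',
    r'61.228.120.228 - - [17/Jun/2007:22:42:49 -0400] "CONNECT 66.196.97.250:25 HTTP/1.0" 500 602 "-" "-"',
    r'222.141.50.175 - - [21/May/2007:23:46:01 +1000] "GET http://www.baidu.com/ HTTP/1.1" 200 3847 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"',
    r'89.196.37.169 - - [15/May/2007:02:50:37 -0400] "\x04\x01" 200 7036 "-" "-"',
    r'89.196.37.169 - - [15/May/2007:02:50:52 -0400] "\x05\x01" 200 7036 "-" "-"',
    r'r - - [10/May/2007:09:42:40 -0400] "\x04\x01\x1a\vE\x10\xac\"" 400 - "-" "-"',
    r'192.168.1.10 - - [15/May/2007:03:00:00 -0400] "GET / HTTP/1.0" 200 7036 "-" "-"',
    r'10.0.0.5 - - [15/May/2007:03:00:10 -0400] "GET /index.html HTTP/1.1" 200 7036 "http://example.invalid/" "Mozilla/5.0"',
    r'122-124-129-55.dynamic.hinet.net - - [10/May/2007:18:29:39 -0400] "CONNECT 220.1',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        r = classify(line, index_size=7036)
        print(r["verdict"].ljust(13), r.get("host", "?").ljust(34), "; ".join(r["reasons"]))
    print(triage(SAMPLE_LOG, index_size=7036))
```

Run against a real log with `classify(line, index_size=N)` where N is the byte count your own "GET / HTTP/1.x" lines show, which is the check Ian asks Bob to make: a 200 whose size equals N means Apache just returned "/" to the probe, while a 200 of some other size on a CONNECT or absolute-URL request is the case worth chasing in httpd.conf. Note that the 500 from the thread's last message counts as refused here only because of its status class; the error log is what tells you whether a refusal was intended or a misconfiguration.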
Re: Apache access log shows these attack requests
On Jun 12, 2007, at 2:58 PM, Bob wrote:
 > I already have Apache mod_proxy commented out in httpd.conf and there is
 > no php stuff installed in system.

Your logfile lines seemed to be oddly truncated, so it's a bit hard to tell, but it sure seemed like some of the requests you showed were getting 200 success responses. I assume you aren't IPs 89.196.37.169 or 122.124.129.55?

The requests for AZ.php or azenv.php are trying to reference scripts used to control and "rate" lists of "anonymous" proxies that tend to run either on hacked systems or systems configured to permit the world to use the proxy (generally because of a lack of admin clue rather than by intent). See:

http://web.freerk.com/proxyjudge/azenv.htm

...and:

http://forum.my-proxy.com/index.php?topic=48.0

...which actually lists this "http://pro_xy.t35.com/AZ.php" host...

--
-Chuck
RE: Apache access log shows these attack requests
On Jun 12, 2007, at 1:54 PM, Bob wrote:
 > Running FBSD 6.2 + apache 13. In the apache access log I see these log
 > records. To me it looks like my apache server is servicing connect
 > requests and get requests to other URL's. Is there some configuration
 > option I can turn on to stop my server from servicing these bogus requests?

If you have the Apache mod_proxy enabled, either configure it securely or disable it entirely.

Also, double-check your use of PHP-based stuff-- the security of PHP is sufficiently bad that it's pretty common for sites to get hacked if they aren't careful about securing it and updating to the latest versions as new security holes in PHP-based stuff are exploited. You might want to run portaudit...

--
-Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Chuck Swiger
Sent: Tuesday, June 12, 2007 5:21 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] ORG
Subject: Re: Apache access log shows these attack requests

I already have Apache mod_proxy commented out in httpd.conf and there is no php stuff installed in system.
Re: Apache access log shows these attack requests
On Jun 12, 2007, at 1:54 PM, Bob wrote:
 > Running FBSD 6.2 + apache 13. In the apache access log I see these log
 > records. To me it looks like my apache server is servicing connect
 > requests and get requests to other URL's. Is there some configuration
 > option I can turn on to stop my server from servicing these bogus requests?

If you have the Apache mod_proxy enabled, either configure it securely or disable it entirely.

Also, double-check your use of PHP-based stuff-- the security of PHP is sufficiently bad that it's pretty common for sites to get hacked if they aren't careful about securing it and updating to the latest versions as new security holes in PHP-based stuff are exploited. You might want to run portaudit...

--
-Chuck