Date:      Sat, 30 Jun 2007 12:07:31 -0400
From:      "Bob" <bob@a1poweruser.com>
To:        "freebsd-questions@FreeBSD. ORG" <freebsd-questions@FreeBSD.ORG>
Subject:   RE: stopping "connect" attacks in apache (solution)
Message-ID:  <NBECLJEKGLBKHHFFANMBOEFACEAA.bob@a1poweruser.com>
In-Reply-To: <97823238-9544-478B-BAF3-C9CC53BBB36A@mac.com>

>>On Jun 15, 2007, at 7:49 PM, Bob wrote:
>> Every time my apache server slows down or has denial of service the
>> access log is full of this
>>
>> 61.228.122.220 -  "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 -  "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 -  "CONNECT 216.39.53.1:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 -  "CONNECT 168.95.5.155:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 -  "CONNECT 168.95.5.157:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 -  "CONNECT 168.95.5.159:25 HTTP/1.0" 200 7034 "-" "-"
>>

>IP 61.228.122.220 is using the HTTP CONNECT method to relay spam to
>port 25 on the targets via your Apache server.
>
>This almost certainly indicates that you've got mod_proxy loaded or
>something similar via mod_perl/mod_php/whatever, as the CONNECT
>attack would get a "405 Method not allowed" error otherwise.
>
>Check http://your_webserver/server-info for details.

mod_proxy is commented out but I am using php5.
Tried putting this statement   http.allowed_methods = GET & POST   into
/usr/local/etc/php.ini but it had no effect.
The best solution was to add a location declarative with a limitexcept.
The location in the httpd-conf where to place this is very important.

First find this in the conf file

#
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# permissions for directories.
#

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>


Then add the following right after it and restart apache to activate.

# Second, we configure the "default" Location to restrict the methods allowed
# to stop CONNECT method attacks.
#

<Location />
    <LimitExcept GET POST>
       Order allow,deny
       Deny from all
    </LimitExcept>
</Location>


All CONNECT requests from this point on will get a status code of 403
Forbidden for both perl and php CONNECT attacks.
Just posting this as best solution for the archives.  Good luck all.
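As an added example (not part of Bob's post and not Apache's own code), a small Python script that parses access-log lines in the format quoted above and separates CONNECT requests Apache actually relayed (a 2xx status, the open-proxy symptom) from those it denied (403, the result expected once the LimitExcept block is in place). The log lines are constructed sample input; the 10.0.0.5 and 192.0.2.9 addresses are made up for the example.

```python
import re
from collections import Counter

# Constructed sample log: the first two lines mimic the entries quoted in the
# post (relay attempts answered with 200); the last two show the same kind of
# request after <LimitExcept GET POST> turns them into 403s.
SAMPLE_LOG = """\
61.228.122.220 -  "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"
61.228.122.220 -  "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
10.0.0.5 - - [30/Jun/2007:12:00:00 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.16"
61.228.122.220 -  "CONNECT 216.39.53.1:25 HTTP/1.0" 403 202 "-" "-"
192.0.2.9 - - [30/Jun/2007:12:01:00 -0400] "CONNECT 168.95.5.155:25 HTTP/1.0" 403 202 "-" "-"
"""

# Accepts both the trimmed lines quoted in the post and the standard combined
# log format (ident, user and timestamp fields are optional).
LINE_RE = re.compile(
    r'^(?P<src>\S+)\s+\S+(?:\s+[^"\s]+)?\s*(?:\[[^\]]*\]\s+)?'
    r'"(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/[\d.]+"\s+(?P<status>\d{3})'
)

def parse_line(line):
    """Return (src_ip, method, target, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m['src'], m['method'], m['target'], int(m['status'])

def summarize_connect(log_text):
    """Count CONNECT requests per source IP: relayed (2xx) vs blocked (403).

    A 2xx on CONNECT means Apache tunnelled the request, i.e. the server is
    acting as an open proxy; 403 is what the LimitExcept fix should produce.
    """
    relayed, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != 'CONNECT':
            continue
        src, _, _, status = rec
        if 200 <= status < 300:
            relayed[src] += 1
        elif status == 403:
            blocked[src] += 1
    return relayed, blocked

if __name__ == '__main__':
    relayed, blocked = summarize_connect(SAMPLE_LOG)
    for ip, n in relayed.most_common():
        print(f'OPEN PROXY: {ip} relayed {n} CONNECT request(s)')
    for ip, n in blocked.most_common():
        print(f'blocked: {ip} had {n} CONNECT request(s) denied')
```

Any source still showing up under "relayed" after the restart means the Location block is not being applied to that request path.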