From: "Bob" <bob@a1poweruser.com>
To: freebsd-questions@FreeBSD.ORG
Date: Sat, 30 Jun 2007 12:07:31 -0400
Subject: RE: stopping "connect" attacks in apache (solution)
In-Reply-To: <97823238-9544-478B-BAF3-C9CC53BBB36A@mac.com>
Reply-To: bob@a1poweruser.com

> On Jun 15, 2007, at 7:49 PM, Bob wrote:
>> Every time my apache server slows down or has a denial of service the
>> access log is full of this
>>
>> 61.228.122.220 - "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 216.39.53.1:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 168.95.5.155:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 168.95.5.157:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 168.95.5.159:25 HTTP/1.0" 200 7034 "-" "-"
>
> IP 61.228.122.220 is using the HTTP CONNECT method to relay spam to
> port 25 on the targets via your Apache server.
>
> This almost certainly indicates that you've got mod_proxy loaded or
> something similar via mod_perl/mod_php/whatever, as the CONNECT
> attack would get a "405 Method not allowed" error otherwise.
>
> Check http://your_webserver/server-info for details.

mod_proxy is commented out, but I am using php5. I tried putting this
statement

    http.allowed_methods = GET & POST

into /usr/local/etc/php.ini, but it had no effect.

The best solution was to add a Location declarative with a LimitExcept.
The place in httpd.conf where this goes is very important. First find
this in the conf file:

    #
    # Each directory to which Apache has access, can be configured with respect
    # to which services and features are allowed and/or disabled in that
    # directory (and its subdirectories).
    #
    # First, we configure the "default" to be a very restrictive set of
    # permissions for directories.
    #
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Deny from all
    </Directory>

Then add the following right after it and restart apache to activate:

    #
    # Second, we configure the "default" Location to restrict the methods allowed
    # to stop CONNECT method attacks.
    #
    <Location />
        # Deny every method other than GET and POST (CONNECT included)
        <LimitExcept GET POST>
            Order allow,deny
            Deny from all
        </LimitExcept>
    </Location>

All CONNECT requests from this point on will get a status code of 403
Forbidden, for both perl and php CONNECT attacks.

Just posting this as the best solution for the archives. Good luck all.
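The thread turns on one observation in the access log: a CONNECT that returns 200 means the server actually relayed the connection, while 403 (after the LimitExcept fix) or 405 (no proxy module at all) means it was refused. The following is an added example, not from the post or from Apache, that scans access-log lines and reports per client IP how many CONNECTs were relayed versus refused; the sample lines are constructed, with the first two copied from the post's format.

```python
import re
from collections import defaultdict

# Request part of an Apache access-log line; tolerates both the trimmed
# format quoted in the post (no ident/user/timestamp) and the full combined format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def audit_connect(lines):
    """Per client IP: CONNECTs served with 2xx (the server acted as an open
    proxy) versus refused (403/405), plus the destination ports requested."""
    report = defaultdict(lambda: {"relayed": 0, "refused": 0, "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        entry = report[rec["ip"]]
        _host, _, port = rec["target"].rpartition(":")
        if port.isdigit():
            entry["ports"].add(int(port))
        if 200 <= rec["status"] < 300:
            entry["relayed"] += 1
        else:
            entry["refused"] += 1
    return dict(report)

def open_relay_sources(report):
    """Client IPs for which at least one CONNECT was actually relayed."""
    return sorted(ip for ip, e in report.items() if e["relayed"] > 0)

# Constructed sample input: two lines mirror the post's relayed CONNECTs, one
# is ordinary traffic, and the last two show the same CONNECT attempt being
# refused (403 with the Location/LimitExcept fix, 405 with no proxy at all).
SAMPLE = [
    '61.228.122.220 - "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"',
    '61.228.122.220 - "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"',
    '10.0.0.7 - "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Jun/2007:12:07:31 -0400] "CONNECT 198.51.100.5:25 HTTP/1.0" 403 214 "-" "-"',
    '203.0.113.9 - - [30/Jun/2007:12:07:32 -0400] "CONNECT 198.51.100.5:25 HTTP/1.0" 405 230 "-" "-"',
]
```

Any IP returned by open_relay_sources is evidence the relay was still open at that time, which is the condition the Location/LimitExcept block above is meant to remove.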