From: "Bob" <bob@a1poweruser.com>
To: "Chuck Swiger"
Cc: freebsd-questions@FreeBSD.ORG
Date: Tue, 19 Jun 2007 07:25:59 -0400
Subject: RE: stopping "connect" attacks in apache
In-Reply-To: <97823238-9544-478B-BAF3-C9CC53BBB36A@mac.com>

On Jun 15, 2007, at 7:49 PM, Bob wrote:

> Every time my apache server slows down or has denial of service the
> access log is full this
>
> 61.228.122.220 - "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 216.39.53.1:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 168.95.5.155:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 168.95.5.157:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.122.220 - "CONNECT 168.95.5.159:25 HTTP/1.0" 200 7034 "-" "-"

> IP 61.228.122.220 is using the HTTP CONNECT method to relay spam to
> port 25 on the targets via your Apache server.
>
> This almost certainly indicates that you've got mod_proxy loaded or
> something similar via mod_perl/mod_php/whatever, as the CONNECT
> attack would get a "405 Method not allowed" error otherwise.
>
> -Chuck

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Chuck Swiger
Sent: Monday, June 18, 2007 1:02 PM
To: bob@a1poweruser.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: stopping "connect" attacks in apache

The replies to my post came back saying that apache defaults to denying
CONNECT requests, which I was not able to verify; that mod_proxy was
causing it (I have mod_proxy commented out); and that the CONNECT request
is somehow being spoofed through php, which I was not able to verify. My
reading of php5 says it accepts all valid methods that apache hands it.
To me this indicates that apache is not denying CONNECT requests by
default.
Reading a book I have titled 'Maximum Apache Security', it said that to
gain explicit control over the "Methods" you use the or declaratives
with the 'Require valid-user' in the default definition in the httpd.conf
file. So in apache httpd.conf, around line 340, I added the declarative
like this to the default directory definition, so it looks like this:

    # container tags assumed; the post names only "the default directory definition"
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
        Require valid-user
    </Directory>

Now the access log shows this:

    61.228.120.228 - - [17/Jun/2007:22:42:49 -0400] "CONNECT 66.196.97.250:25 HTTP/1.0" 500 602 "-" "-"

And the error.log shows this:

    [Sun Jun 17 22:42:49 2007] [crit] [client 61.228.120.228] configuration error: couldn't perform authentication. AuthType not set!: /

As you can see, the CONNECT request is now being denied with a 500. The
CONNECT requests have been stopped from attacking others. I post this
solution so others can find it in the questions archives.
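As an added example, not part of Bob's post or Chuck's reply: a small log checker that reads access-log lines in the two shapes quoted in this thread (with and without the timestamp) and reports, per client, how many CONNECT requests to port 25 the server actually relayed (2xx) versus refused (any other status), which is the quickest way to confirm whether a change like the one above closed the relay. The sample lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Field layout seen in the thread: client IP, optional ident/user columns,
# optional [timestamp], then the request line, status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+)\s+(?:\S+\s+)*?'                     # client, then ident/user if present
    r'(?:\[(?P<ts>[^\]]+)\]\s+)?'                      # timestamp, absent in the first paste
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # CONNECT targets are host:port; ordinary requests carry a path with no port.
    host, _, port = m.group('target').rpartition(':')
    return {
        'ip': m.group('ip'),
        'method': m.group('method'),
        'host': host or m.group('target'),
        'port': int(port) if port.isdigit() else None,
        'status': int(m.group('status')),
    }

def relay_report(lines, relay_port=25):
    """Per-client counts of CONNECT requests to relay_port, split into
    'relayed' (2xx: the proxy carried the traffic) and 'refused' (anything else)."""
    report = defaultdict(lambda: {'relayed': 0, 'refused': 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec['method'] != 'CONNECT' or rec['port'] != relay_port:
            continue
        key = 'relayed' if 200 <= rec['status'] < 300 else 'refused'
        report[rec['ip']][key] += 1
    return dict(report)

# Constructed sample: two relayed CONNECTs, one refused after the config change,
# one CONNECT to a non-mail port, and one ordinary GET.
SAMPLE = """\
192.0.2.10 - "CONNECT 198.51.100.5:25 HTTP/1.0" 200 7034 "-" "-"
192.0.2.10 - "CONNECT 198.51.100.6:25 HTTP/1.0" 200 7034 "-" "-"
192.0.2.10 - - [17/Jun/2007:22:42:49 -0400] "CONNECT 198.51.100.5:25 HTTP/1.0" 500 602 "-" "-"
192.0.2.11 - - [17/Jun/2007:22:43:01 -0400] "CONNECT 198.51.100.7:443 HTTP/1.1" 405 402 "-" "-"
192.0.2.12 - - [17/Jun/2007:22:43:05 -0400] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == '__main__':
    for ip, counts in relay_report(SAMPLE).items():
        print(ip, counts)   # 192.0.2.10 {'relayed': 2, 'refused': 1}
```

Any client still showing a non-zero 'relayed' count after the change means the proxy path is still open for that method.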