From owner-freebsd-questions@FreeBSD.ORG Wed Jun 13 05:10:00 2007
Date: Wed, 13 Jun 2007 15:09:27 +1000 (EST)
From: Ian Smith
To: Bob
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20070612215825.6E92216A4C1@hub.freebsd.org>
Subject: Re: Apache access log shows these attack requests

On Tue, 12 Jun 2007 16:54:47 -0400 "Bob" wrote:

> Running FBSD 6.2 + apache 1.3. In the apache access log I see these log
> records.
> To me it looks like my apache server is servicing connect requests and get
> requests to other URL's.
> Is there some configuration option I can turn on to stop my server from
> servicing these bogus requests?
>
> 122-124-129-27.dynamic.hinet.net - - [04/May/2007:04:38:18 -0400] "CONNECT
> 220.1 [..]
> 122-124-129-55.dynamic.hinet.net - - [10/May/2007:18:29:39 -0400] "CONNECT
> 220.1
> kaista.fi - - [03/May/2007:01:35:44 -0400] "GET http://pro_xy.t35.com/AZ.php
> HTT
> kaista.fi - - [03/May/2007:01:35:45 -0400] "GET http://pro_xy.t35.com/AZ.php
> H [..]
> r - - [10/May/2007:09:42:40 -0400] "\x04\x01\x1a\vE\x10\xac\"" 400 - "-" "-"
> r - - [10/May/2007:09:42:50 -0400] "\x05\x01" 200 7036 "-" "-
> 89.196.37.169 - - [15/May/2007:02:50:21 -0400] "GET
> http://www.internetsec.org/a
> 89.196.37.169 - - [15/May/2007:02:50:37 -0400] "\x04\x01" 200 7036 "-" "-"
> 89.196.37.169 - - [15/May/2007:02:50:52 -0400] "\x05\x01" 200 7036 "-" "-"

What Chuck said about disabling|securing mod_proxy and PHP, for sure ..

But in most cases you chopped off the most important information; the HTTP code indicating apache's response to the request. On those last two, 200 indicates apache served a page of 7036 bytes. If that's the served size of your home "/" page then you've little to worry about. 40x responses indicate refusal; page not found, permission denied etc.

Here at least weekly I see such as:

220.137.74.222 - - [12/Jun/2007:02:07:08 +1000] "CONNECT msa-mx10.hinet.net:25 HTTP/1.0" 403 272 "-" "-"

403 = Permission denied. In this case, because I disallow 'no referrer' plus 'no browser' ("-" "-") connects from non-local addresses, blocking heaps of rogue robots, but CONNECT requests don't work anyway in apache 1.3 in default configuration .. older logs show 405 responses to these.

222.141.50.175 - - [21/May/2007:23:46:01 +1000] "GET http://www.baidu.com/ HTTP/1.1" 200 3847 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"

In this case, apache served (200 response) *my* home page (3847 bytes) on all such would-be proxy requests. Not a problem.

> 122-124-129-55.dynamic.hinet.net - - [10/May/2007:18:29:38 -0400] "CONNECT
> 220.1

FWIW, nearly every CONNECT request here for the last 2 years has been for or from some hinet.net host or other. They're well up in the top 10 spam sources too, so I won't see any mail from *@hinet.net complaining!

Cheers, Ian
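A defender-side check of the point made in the reply above, added here as an example and not part of the thread: parse Apache combined-format lines, flag proxy-style requests (CONNECT, absolute-URI GETs, raw non-HTTP bytes), and report what Apache actually did with each one, keyed on the status code and the served size. The sample lines are constructed from the ones quoted in the thread; the 203.0.113.x hosts and the home-page size passed to `audit` are assumptions.

```python
import re
from typing import Optional

# Apache "combined" log line: host ident user [time] "request" status size "referer" "agent".
# The request field may carry backslash-escaped bytes (\x05\x01) and escaped quotes (\").
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample modelled on the lines quoted in the thread (203.0.113.x hosts are made up).
SAMPLE_LOG = r"""
220.137.74.222 - - [12/Jun/2007:02:07:08 +1000] "CONNECT msa-mx10.hinet.net:25 HTTP/1.0" 403 272 "-" "-"
222.141.50.175 - - [21/May/2007:23:46:01 +1000] "GET http://www.baidu.com/ HTTP/1.1" 200 3847 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"
89.196.37.169 - - [15/May/2007:02:50:52 -0400] "\x05\x01" 200 7036 "-" "-"
203.0.113.7 - - [10/May/2007:09:42:40 -0400] "\x04\x01\x1a\vE\x10\xac\"" 400 - "-" "-"
203.0.113.9 - - [15/May/2007:02:51:00 -0400] "GET /index.html HTTP/1.1" 200 3847 "http://example.test/" "Mozilla/5.0"
"""

def classify(request: str) -> Optional[str]:
    """Label a request line that is a proxy or tunnel attempt; None for ordinary requests."""
    if request.startswith("CONNECT "):
        return "connect-tunnel"      # asks the server to relay a TCP connection elsewhere
    if re.match(r"[A-Z]+ https?://", request):
        return "absolute-uri"        # proxy-style request for somebody else's URL
    if request.startswith("\\x"):
        return "raw-bytes"           # not HTTP at all; \x05\x01 / \x04\x01 are SOCKS5 / SOCKS4 greetings
    return None

def audit(log_text: str, home_page_size: int) -> list:
    """Parse log lines and report each proxy attempt together with what Apache did about it."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                 # blank, malformed or differently formatted line
        kind = classify(m["request"])
        if kind is None:
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        served = 200 <= status < 300  # the status code is the key signal, not the request itself
        findings.append({
            "host": m["host"], "kind": kind, "status": status, "size": size, "served": served,
            "own_page": served and size == home_page_size,  # a 200 that just returned your own "/" page
            "blank_ref_ua": m["referer"] == "-" and m["agent"] == "-",  # the "-" "-" robot signature
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, home_page_size=3847):
        verdict = "REFUSED" if not f["served"] else ("served own page" if f["own_page"] else "SERVED")
        print(f"{f['host']:16} {f['kind']:15} {f['status']} {verdict}")
```

A `SERVED` verdict with a size that is not your home page (the 7036-byte `\x05\x01` line here) is the case worth investigating; a `REFUSED` 403/405 is Apache doing its job.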