Subject: Re: [gentoo-user] Re: Security problem? - Apache access.log has: CONNECT ... 200
From: Joseph
To: gentoo-user@lists.gentoo.org
Date: Sun, 27 Nov 2005 11:55:11 -0700

On Sun, 2005-11-27 at 08:26 +0100, Francesco Talamona wrote:
> On Saturday 26 November 2005 23:56, Joseph wrote:
> > I have just noticed that my Apache2 access.log has a few entries:
> >
> > 220.189.234.182 - - [27/Sep/2005:03:21:59 -0600] "CONNECT 202.165.103.38:80 HTTP/1.1" 200 17505
> > 61.232.83.75 - - [09/Oct/2005:04:33:26 -0600] "CONNECT 66.135.208.90:80 HTTP/1.1" 200 25952
> > 59.40.34.187 - - [09/Oct/2005:19:05:40 -0600] "CONNECT 210.59.228.72:25 HTTP/1.1" 200 17368
> > 66.219.100.118 - - [18/Oct/2005:02:04:00 -0600] "CONNECT mx2.ToughGuy.net:25 HTTP/1.0" 200 30192
> > 213.180.210.35 - - [26/Nov/2005:12:09:14 -0700] "CONNECT 213.180.193.1:25 HTTP/1.0" 200 16916
> >
> > These IPs are mostly from Russian or Chinese hackers.
> > My proxy is not enabled in /etc/conf.d/apache2
> > APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D PHP4"
> >
> > Does anybody have similar entries? According to the Apache explanation:
> > http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan
> > "200" would indicate that somebody is using my apache as proxy, but
> > how?
> >
> > --
> > #Joseph
>
> The answer is already in the page you posted. Page sizes are different,
> so you are serving as a proxy.
> Set NameVirtualHost and VirtualHost directives in
> /etc/apache2/vhosts.d/00_default_vhost.conf and /etc/apache2/httpd.conf
> as instructed in the link above.

No, my server is not a proxy. This link explains how to test it:
http://www.karkomaonline.com/article.php/20040425124146257

The reason the page size is different is that I'm running a PHP-based
web page, so every time you load it the content might change.

Though, I'm not sure I follow that directive. To prevent this type of
request entirely. I have in my virtual host:

NameVirtualHost 10.0.0.103:80
ServerName www.xxxxxx.ca
Order allow,deny
Deny from all
DocumentRoot /var/www/localhost/htdocs/
Setenv VLOG /var/log/apache2/log_log
ErrorLog /var/log/apache2/error_log

If I add the directive as above it will not load my page at all; I get
error 403.

--
#Joseph
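
The size comparison discussed in this thread can be run over a whole access log. The following is an added example, not part of the original message: it picks out proxy-style requests (CONNECT, or a request line carrying an absolute URI) and notes whether a 2xx response has the same size as an ordinary local page in the same log. The function names, verdict strings and sample lines are assumptions made for illustration; the sample uses documentation address ranges.

```python
import re

# Apache common log format: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[^"\s]+) (?P<target>[^"\s]+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_proxy_style(method, target):
    """CONNECT, or any method with an absolute URI, is a forward-proxy request."""
    return method == "CONNECT" or re.match(r"[a-z][a-z0-9+.-]*://", target, re.I) is not None

def triage(lines):
    """Classify the proxy-style requests found in access-log lines."""
    entries = [m.groupdict() for m in map(LOG_RE.match, lines) if m]
    # Sizes of 200 responses to ordinary origin-form requests (path starts with "/").
    local_sizes = {e["size"] for e in entries
                   if e["target"].startswith("/") and e["status"] == "200"}
    findings = []
    for e in entries:
        if not is_proxy_style(e["method"], e["target"]):
            continue
        if not e["status"].startswith("2"):
            verdict = "refused"
        elif e["size"] in local_sizes:
            verdict = "size matches local page"   # likely the site's own page
        else:
            verdict = "check manually"            # 2xx, size seen nowhere else
        findings.append((e["client"], e["method"], e["target"], e["status"], verdict))
    return findings

# Constructed sample lines, not taken from the thread.
SAMPLE = [
    '198.51.100.7 - - [01/Dec/2005:10:00:00 -0700] "GET / HTTP/1.1" 200 17368',
    '203.0.113.9 - - [01/Dec/2005:10:05:00 -0700] "CONNECT 192.0.2.25:25 HTTP/1.0" 200 17368',
    '203.0.113.9 - - [01/Dec/2005:10:06:00 -0700] "CONNECT 192.0.2.25:25 HTTP/1.0" 200 912',
    '203.0.113.10 - - [01/Dec/2005:10:07:00 -0700] "GET http://192.0.2.80/ HTTP/1.1" 403 289',
    '198.51.100.7 - - [01/Dec/2005:10:08:00 -0700] "GET /about.php HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="  ")
```

On a site with dynamic pages the size check is only a hint: a "check manually" verdict does not by itself show that the request was proxied, and is the case where a direct test of the server is needed.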