From: Francesco Talamona
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: Security problem? - Apache access.log has: CONNECT ... 200
Date: Sun, 27 Nov 2005 08:26:14 +0100

On Saturday 26 November 2005 23:56, Joseph wrote:
> I have just noticed that my Apache2 access.log has a few entries:
>
> 220.189.234.182 - - [27/Sep/2005:03:21:59 -0600] "CONNECT 202.165.103.38:80 HTTP/1.1" 200 17505
> 61.232.83.75 - - [09/Oct/2005:04:33:26 -0600] "CONNECT 66.135.208.90:80 HTTP/1.1" 200 25952
> 59.40.34.187 - - [09/Oct/2005:19:05:40 -0600] "CONNECT 210.59.228.72:25 HTTP/1.1" 200 17368
> 66.219.100.118 - - [18/Oct/2005:02:04:00 -0600] "CONNECT mx2.ToughGuy.net:25 HTTP/1.0" 200 30192
> 213.180.210.35 - - [26/Nov/2005:12:09:14 -0700] "CONNECT 213.180.193.1:25 HTTP/1.0" 200 16916
>
> These IPs are mostly from Russian or Chinese hackers.
> My proxy is not enabled in /etc/conf.d/apache2
> APACHE2_OPTS="-D DEFAULT_VHOST -D SSL -D PHP4"
>
> Does anybody have similar entries? According to the Apache explanation:
> http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan
> "200" would indicate that somebody is using my apache as proxy, but
> how?
>
> --
> #Joseph

The answer is already in the page you posted. Page sizes are different,
so you are serving as a proxy.

Set NameVirtualHost and VirtualHost directives in
/etc/apache2/vhosts.d/00_default_vhost.conf and /etc/apache2/httpd.conf
as instructed in the link above.

Ciao
	Francesco

--
Linux Version 2.6.12-gentoo-r9, Compiled #2 Wed Aug 24 18:43:16 CEST 2005
One 2.2GHz AMD Athlon 64 Processor, 2GB RAM, 4308.99 Bogomips Total
aemaeth
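
The check discussed in this thread, pulling proxy-style requests out of an access log and comparing the sizes of the 2xx replies, as an added example that is not part of either message. The log lines are constructed (documentation address ranges) and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Sep/2005:03:21:59 -0600] "CONNECT 198.51.100.7:80 HTTP/1.1" 200 17505
192.0.2.11 - - [09/Oct/2005:04:33:26 -0600] "CONNECT 198.51.100.8:25 HTTP/1.0" 200 25952
192.0.2.12 - - [10/Oct/2005:11:00:01 -0600] "GET http://example.org/ HTTP/1.0" 200 4312
192.0.2.13 - - [10/Oct/2005:11:02:44 -0600] "CONNECT 198.51.100.9:25 HTTP/1.0" 405 312
192.0.2.14 - - [10/Oct/2005:11:05:09 -0600] "GET /index.html HTTP/1.1" 200 1456
this line is malformed and must be skipped
"""

def is_proxy_style(method, target):
    """CONNECT, or a request line carrying an absolute URI, is a proxy-style request."""
    return method == "CONNECT" or target.lower().startswith(("http://", "https://", "ftp://"))

def find_proxy_attempts(lines):
    """Return one dict per proxy-style request; 'answered' is True for a 2xx reply."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or not is_proxy_style(m["method"], m["target"]):
            continue  # unparseable line or an ordinary local request
        hits.append({"host": m["host"], "method": m["method"], "target": m["target"],
                     "status": int(m["status"]),
                     "size": 0 if m["size"] == "-" else int(m["size"]),
                     "answered": m["status"].startswith("2")})
    return hits

def distinct_sizes(hits):
    """Reply sizes of answered requests per method, the figure the reply above compares."""
    sizes = defaultdict(set)
    for h in hits:
        if h["answered"]:
            sizes[h["method"]].add(h["size"])
    return {method: sorted(s) for method, s in sizes.items()}

if __name__ == "__main__":
    found = find_proxy_attempts(SAMPLE_LOG.splitlines())
    for h in found:
        print(h["host"], h["method"], h["target"], h["status"], h["size"])
    print("2xx reply sizes:", distinct_sizes(found))
```
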