httpd-users mailing list archives

From Tony Anecito <adanec...@yahoo.com>
Subject Re: [users@httpd] How to prevent Spammer from abusing Apache?
Date Mon, 18 Jun 2007 22:07:07 GMT
Thanks Karel,
   
  I will implement your suggestions immediately. I already blocked in my router the company
that was making the attempt from Seattle.
   
  Many Thanks,
  -Tony

Karel Kubat <karel@e-tunity.com> wrote:

Hi Tony,

On Jun 18, 2007, at 11:25 PM, Tony Anecito wrote:

> I noticed someone was using CONNECT xxx.xxx.xxx.xxx HTTP command 
> against Apache. I was wondering how to disable the CONNECT command 
> from executing on Apache. In a couple of entries I noticed a 
> connection from Seattle that might be a spammer so I want to 
> disable the CONNECT command from running successfully.

I'd advise you to CLOSE THIS IMMEDIATELY. Before long your site will 
be on lists of open proxies and you'll be denied traffic. And trust 
me, it's a huge pain getting off those lists. Until you fix this 
issue, don't advertise your site - there will be plenty of spambots 
checking the openness of your proxy.

See the proxy documentation, off the top of my head (check the docs, 
I can't access them now but want to leave at least a pointer) there 
are at least 3 alternatives:

# 1. If you have a reverse proxy only, you don't need to serve proxy requests
ProxyRequests off

or

# 2. If you have a forwarding proxy, then you must serve proxy requests.
# Use a whitelist of the systems that are allowed to do so, and close all
# others. I'm not sure this is the right syntax btw...
<Proxy *>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Proxy>

or

3. Have your proxy listen to some odd port, say 8080, set up as a 
virtual server. Allow proxy requests only in that virtual server. 
Have your internal LAN users (who use Apache as a forwarding proxy to 
get to the outside) connect to that port, but close access to the 
port from the outside on the OS level, e.g. on Linux with iptables.

Hope this helps,
Karel
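
Added example (not part of the original thread): a Python check over access-log lines for the two request shapes an open forward proxy attracts, CONNECT and absolute-URI requests naming a foreign host, split into refused attempts and 2xx answers that need a closer look. The log lines, the `own_hosts` value and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Common/Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)'
    r'(?: HTTP/[\d.]+)?" (?P<status>\d{3}) '
)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)

def classify(line, own_hosts):
    """Return (ip, kind, verdict) for a proxy-style request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    if m["method"] == "CONNECT":
        kind = "connect"
    elif SCHEME_RE.match(m["target"]):
        # Absolute-URI target: only hosts other than our own are proxy attempts.
        authority = SCHEME_RE.sub("", m["target"]).split("/")[0]
        host = authority.rsplit("@", 1)[-1].split(":")[0].lower()
        if host in own_hosts:
            return None
        kind = "absolute-uri"
    else:
        return None
    # 2xx is a signal to investigate, not proof of relaying: a server that is
    # not proxying can answer an absolute-URI request with its own content.
    verdict = "review" if m["status"].startswith("2") else "refused"
    return m["ip"], kind, verdict

def summarize(lines, own_hosts=("www.example.org",)):
    """Count proxy-style requests per client: {ip: {"review": n, "refused": n}}."""
    report = defaultdict(lambda: {"review": 0, "refused": 0})
    for line in lines:
        hit = classify(line, own_hosts)
        if hit:
            report[hit[0]][hit[2]] += 1
    return dict(report)

# Constructed sample lines using documentation address ranges (assumed data).
SAMPLE = [
    '203.0.113.7 - - [18/Jun/2007:21:01:10 +0000] "CONNECT 198.51.100.25:25 HTTP/1.0" 200 -',
    '203.0.113.7 - - [18/Jun/2007:21:01:12 +0000] "GET http://mail.example.net/ HTTP/1.0" 200 1456',
    '198.51.100.9 - - [18/Jun/2007:21:05:40 +0000] "CONNECT 192.0.2.50:25 HTTP/1.0" 405 312',
    '192.0.2.44 - - [18/Jun/2007:21:06:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.44 - - [18/Jun/2007:21:06:05 +0000] "GET http://www.example.org/about HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```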

