httpd-users mailing list archives

From "Joshua Slive" <jos...@slive.ca>
Subject Re: [users@httpd] How to prevent Spammer from abusing Apache?
Date Tue, 19 Jun 2007 13:18:57 GMT
On 6/19/07, Bob <bob@a1poweruser.com> wrote:
> I posted my question with subject line 'Deny CONNECT & GET http requests'.
> The replies to my post came back saying that apache defaults to denying
> CONNECT requests which I was not able to verify. That mod_proxy was causing
> it. I have mod-proxy commented out.
>
> So in apache http-conf around line 340 I added the <LimitExcept GET POST>

Sorry, I don't mind if you use that config yourself, but I really
can't accept you recommending that to others as the proper solution.

I have already pointed to several better techniques:
1. Properly configuring the module that is responding to CONNECT
requests (php in your case) not to handle them.
2. The default virtual host config listed here:
http://httpd.apache.org/docs/1.3/misc/FAQ.html#proxyscan
will deny all proxy-type requests.

Joshua.


> Declarative like this to the default directory definition so it looks like
> this.
>
> <Directory />
>     Options FollowSymLinks
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>     <LimitExcept GET POST>
>        Require valid-user
>     </LimitExcept>
> </Directory>
>
> Now the access log shows this
>
> 61.228.120.228 - - [17/Jun/2007:22:42:49 -0400] "CONNECT 66.196.97.250:25 HTTP/1.0" 500 602 "-" "-"
>
> And the error.log shows this
>
> [Sun Jun 17 22:42:49 2007] [crit] [client 61.228.120.228] configuration error:  couldn't perform authentication. AuthType not set!: /
>
> As you can see the CONNECT request is now being denied with a 500.
>
> The CONNECT requests have been stopped from attacking others.
>
> I hope this is the kind of solution you were looking for.
>
> -----Original Message-----
> From: Tony Anecito [mailto:adanecito@yahoo.com]
> Sent: Monday, June 18, 2007 5:25 PM
> To: users@httpd.apache.org
> Subject: [users@httpd] How to prevent Spammer from abusing Apache?
>
> Hi All,
>
> I noticed someone was using CONNECT xxx.xxx.xxx.xxx http command against
> Apache. I was wondering how to disable the CONNECT command from executing on
> Apache. In a couple of entries I noticed a connection from Seattle that
> might be a spammer so I want to disable the CONNECT command from running
> successfully.
>
> Thanks,
>
> -Tony

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
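
Added example (not part of the original message and not Apache project code): a scan of access-log lines for proxy-type requests such as the CONNECT entry quoted in the thread, separating those the server rejected from those that need a closer look. Only the first sample line comes from the thread; the other three are constructed, and the function names `is_proxy_request`, `classify` and `scan` are assumptions.

```python
import re

# Sample access-log lines. The first is the entry quoted in the thread;
# the other three are constructed for illustration.
SAMPLE_LOG = """\
61.228.120.228 - - [17/Jun/2007:22:42:49 -0400] "CONNECT 66.196.97.250:25 HTTP/1.0" 500 602 "-" "-"
192.0.2.10 - - [17/Jun/2007:22:43:01 -0400] "GET /index.html HTTP/1.1" 200 1456 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jun/2007:22:44:12 -0400] "CONNECT 203.0.113.5:25 HTTP/1.0" 200 1456 "-" "-"
198.51.100.7 - - [17/Jun/2007:22:44:30 -0400] "GET http://example.org/ HTTP/1.0" 404 210 "-" "-"
"""

# Common/combined log format, parsed up to the status code.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
ABSOLUTE_URI = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def is_proxy_request(method, target):
    """CONNECT, or any method whose request target is an absolute URI."""
    return method == "CONNECT" or bool(ABSOLUTE_URI.match(target))


def classify(status):
    """4xx/5xx means the server rejected the request.

    Anything else is only 'review': the request was not rejected, but the
    server may have answered with local content rather than relaying it.
    """
    return "refused" if status >= 400 else "review"


def scan(log_text):
    """Return one finding per proxy-type request in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_proxy_request(m["method"], m["target"]):
            status = int(m["status"])
            findings.append((m["client"], m["method"], m["target"],
                             status, classify(status)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```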

