Date: Sat, 16 Jun 2007 18:25:51 -0700
To: users@httpd.apache.org
From: Dragon
Subject: Re: [users@httpd] Deny CONNECT & GET http requests

Bob did speak thusly:

> I get 100k plus of these per month. This is really stressing my server.
>
> 88.233.57.141 - - "GET http://yasann2.hp.infoseek.co.jp/cgi-bin/jenv.cgi HTTP/1.1" 404 300 "http://yasann2.hp.infoseek.co.jp/cgi-bin/jenv.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 88.233.57.141 - - "GET http://66.197.42.23/cgi-bin/jenv.cgi HTTP/1.1" 404 300 "http://66.197.42.23/cgi-bin/jenv.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 217.15.9.13 - - "GET http://217.15.9.13:80/sex/fuck/porn/judge.php HTTP/1.1" 404 307 "http://217.15.9.13:80/sex/fuck/porn/judge.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 217.15.9.13 - - "GET http://217.15.9.13:80/sex/fuck/porn/judge.php HTTP/1.1" 404 307 "http://217.15.9.13:80/sex/fuck/porn/judge.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 216.90.33.33 - - "GET http://pro_xy.t35.com/AZ.php HTTP/1.1" 404 290 "http://pro_xy.t35.com/AZ.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 216.90.33.33 - - "GET http://pro_xy.t35.com/AZ.php HTTP/1.1" 404 290 "http://pro_xy.t35.com/AZ.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 83.233.169.111 - - "GET http://www.ed.ac.uk/cgi-bin/env.cgi HTTP/1.1" 404 299 "http://www.ed.ac.uk/cgi-bin/env.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 83.233.169.111 - - "GET http://www.bsnoop.de/cgi-bin/jenv.cgi HTTP/1.1" 404 300 "http://www.bsnoop.de/cgi-bin/jenv.cgi" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 84.178.171.91 - - "GET http://anonymous-judge.no-ip.org/azenv.php HTTP/1.1" 404 293 "http://anonymous-judge.no-ip.org/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 84.178.171.91 - - "GET http://www.proxyworld.org/azenv.php HTTP/1.1" 404 293 "http://www.proxyworld.org/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 91.92.179.187 - - "GET http://www.internetsec.org/azenv.php HTTP/1.1" 404 293 "http://www.internetsec.org/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 91.92.179.187 - - "GET http://sevy.eu.org/azenv.php HTTP/1.1" 404 293 "http://sevy.eu.org/azenv.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 99.243.241.161 - - "GET http://www.anonymitytest.com/cgi-bin/azenv.pl HTTP/1.1" 404 300 "http://www.anonymitytest.com/cgi-bin/azenv.pl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 99.243.241.161 - - "GET http://www.ipmaster.org/cgi-bin/textenv.pl HTTP/1.1" 404 302 "http://www.ipmaster.org/cgi-bin/textenv.pl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 71.145.170.187 - - "GET http://www.anonymitytest.com/cgi-bin/azenv.pl HTTP/1.1" 404 300 "http://www.anonymitytest.com/cgi-bin/azenv.pl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 71.145.170.187 - - "GET http://www.anonymitytest.com/cgi-bin/textenv.pl HTTP/1.1" 404 302 "http://www.anonymitytest.com/cgi-bin/textenv.pl" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
> 125.225.140.225 - "CONNECT 209.191.118.103:25 HTTP/1.0" 200 7034 "-" "-"
> 125.225.140.225 - "CONNECT 68.142.237.182:25 HTTP/1.0" 200 7034 "-" "-"
> 125.225.140.225 - "CONNECT 216.39.53.2:25 HTTP/1.0" 200 7034 "-" "-"
> 125.225.140.225 - "CONNECT 168.95.5.145:25 HTTP/1.0" 200 7034 "-" "-"
> 125.225.140.225 - "CONNECT 168.95.5.212:25 HTTP/1.0" 200 7034 "-" "-"
> 125.225.140.225 - "CONNECT 168.95.5.140:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.127.171 - - "CONNECT 209.191.118.103:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.127.171 - - "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.127.171 - - "CONNECT 216.39.53.2:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.127.171 - - "CONNECT 168.95.5.209:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.127.171 - - "CONNECT 168.95.5.214:25 HTTP/1.0" 200 7034 "-" "-"
> 61.228.127.171 - - "CONNECT 168.95.5.252:25 HTTP/1.0" 200 7034 "-" "-"
>
> Running FBSD 6.2 + apache 1.3.37_1 and the mod_proxy is commented out.
>
> I want to add declaratives to http-conf to globally deny processing
> all CONNECT & GET http requests entering the server.
>
>
> SetEnvIf THE_REQUEST CONNECT* drop
> SetEnvIf THE_REQUEST GET http:* drop
>
>
>   order allow,deny
>   allow from all
>   deny from env=drop
>
>
>
> My question is will the above declaratives do what I want?
> Need expert review.

---------------- End original message. ---------------------

Actually, I think you need to fix the underlying problem. This looks to me like there is (or was) an open proxy on the machine that is being used by third parties to anonymize their web access. Open proxies are BAD, almost as bad as open mail relays. A proxy should point to a specific resource and allow access only to that resource. I would strongly suggest that you check this first before making any other changes.

The GET request is not something you want to disable blindly, as that is how a browser retrieves a page (or image, or file, etc.) in the first place.

If you have the ProxyRequests On directive followed by a proxy block starting with and you have not restricted access in that block, you have an open proxy.

Once you close the hole on your proxy (if there is one), then you will only see 404 responses for requests that reference URLs outside of your server domain. This will gradually taper off over a period of time as the people trying to use your box to access pages not on your server figure out that the gate is closed. That can take a long time to happen, but at least you will have taken the first step toward alleviating the problem.

As far as how you are trying to block these things... I don't think that would work, but I can't say for sure, as I only dabble in this on the side.

And if anyone is wondering... I got bit by this and accidentally configured an open proxy because I really didn't understand exactly what I was doing at the time and didn't read everything I needed to read before I started mucking about with it.
Moral of the story here is: read the fine manual and understand it before you end up like me, with a server that was overloaded to the breaking point by unscrupulous people.

Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
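The check Dragon recommends, finding out whether the box is actually relaying before touching the config, can be started from the access log itself. As an added example (not code from either poster or from the Apache project), this Python script parses lines in the shape Bob quoted, separates CONNECT and absolute-URI GET requests from ordinary ones, counts them per client, and lists the proxy-style requests that were answered with a 2xx rather than refused; the sample lines and their addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in the same combined-log shape as the thread's quoted
# lines (not copied from the post); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - "GET http://example.org/cgi-bin/env.cgi HTTP/1.1" 404 300 "http://example.org/cgi-bin/env.cgi" "Mozilla/4.0"
203.0.113.10 - -"GET http://example.org/azenv.php HTTP/1.1" 404 293 "-" "Mozilla/4.0"
198.51.100.7 - "CONNECT 192.0.2.25:25 HTTP/1.0" 200 7034 "-" "-"
198.51.100.7 - "CONNECT 192.0.2.26:25 HTTP/1.0" 200 7034 "-" "-"
192.0.2.50 - - [16/Jun/2007:18:03:00 -0700] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Client address, then whatever precedes the quoted request line (ident, user,
# optional timestamp, inconsistent spacing), then method, target, status, size.
LINE_RE = re.compile(
    r'^(?P<ip>\S+)[^"]*"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

def classify(method, target):
    """Label a request by whether it is aimed at a proxy rather than this site."""
    if method == "CONNECT":
        return "connect"          # tunnel request, e.g. to some remote host's port 25
    if re.match(r'[a-z][a-z0-9+.-]*://', target, re.I):
        return "absolute-uri"     # "GET http://other-host/..." is proxy syntax
    return "normal"               # ordinary "GET /path" meant for this server

def triage(log_text):
    """Return (counts by kind, proxy-style requests answered 2xx, per-client counts)."""
    counts, served, by_client = Counter(), [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            counts["unparsed"] += 1
            continue
        kind = classify(m["method"], m["target"])
        counts[kind] += 1
        if kind != "normal":
            by_client[m["ip"]] += 1
            if m["status"].startswith("2"):   # accepted, not refused with 404
                served.append((m["ip"], m["method"], m["target"], int(m["status"])))
    return counts, served, by_client

if __name__ == "__main__":
    counts, served, by_client = triage(SAMPLE_LOG)
    print(dict(counts), dict(by_client))
    for entry in served:
        print("accepted proxy-style request:", entry)
```

Run it over a real access_log with `triage(open(path).read())`; a non-empty `served` list is the thing to investigate before changing any directives.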