Open Proxy probes

         

Blue_Wizard

3:57 am on Feb 13, 2004 (gmt 0)

10+ Year Member



Is there a way with htaccess to block all CONNECT and POST requests for people probing for open proxies, such as this?

64.63.216.141 - - [12/Feb/2004:08:47:29 -0500] "POST [64.63.216.141:25...] HTTP/1.1" 200 240

64.63.216.141 - - [12/Feb/2004:08:47:31 -0500] "CONNECT vmb-ext.prodigy.net:25 HTTP/1.0" 200 231

Someone suggested on another part of the forum:

RewriteCond %{REQUEST_URL} \:25(/)?$
RewriteRule .* - [F]

I don't use any CGI forms on this particular site, so blocking all POST requests wouldn't be a problem, but I wasn't sure of the correct syntax to do so in htaccess.

jdMorgan

7:15 am on Feb 13, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Blue_Wizard,

It might be much simpler to block all CONNECTS and requests for resources that begin with "http://" but contain some other domain name (not your own), since that's a dead give-away that someone is trying to use your server as a proxy.

In .htaccess:


# BLOCK unsupported HTTP methods
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|OPTIONS|POST|TRACE)$
RewriteRule .* - [F]
# Bypass remaining code to allow HTTP-compliant OPTIONS and TRACE server responses
RewriteCond %{REQUEST_METHOD} ^(OPTIONS|TRACE)$
RewriteRule .* - [L]
# Block attempts to use our server as a proxy, but allow absolute URIs
RewriteCond %{THE_REQUEST} ^(GET|HEAD|POST)\ /?http:// [NC]
RewriteCond %{THE_REQUEST} !^(GET|HEAD|POST)\ /?http://(www\.|test\.)?MyDomain\.com/ [NC]
RewriteRule .* - [F]

I post this as an example of working code to address your issue. However, you must take care of side effects, such as providing for custom error page requests if you use any custom error pages. As an example, if you use a 403 ErrorDocument called "403.html", then you'll have to change all rules above to:

RewriteRule !^403\.html$ - [F]

or make other allowances so that you don't get a server loop on 403 responses. Another way to do it would be to precede the whole block of code above with:

RewriteRule ^403\.html$ - [L]

Jim
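
To check from the access log whether rules like the ones in the post above are taking effect, here is an added example (not code from the thread): a Python script that applies the same two tests, the method allow-list and an absolute `http://` URI naming a foreign host, to Apache common-log lines and lists the probes that did not receive a 403. The host names in `OWN_HOSTS` and the sample log lines are constructed placeholders.

```python
import re
from collections import defaultdict

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')
ABS_URI_RE = re.compile(r'^/?http://([^/:\s]+)', re.I)
ALLOWED_METHODS = {"GET", "HEAD", "OPTIONS", "POST", "TRACE"}  # allow-list from the rules above
OWN_HOSTS = {"mydomain.com", "www.mydomain.com", "test.mydomain.com"}  # placeholder names

def classify(line, own_hosts=OWN_HOSTS):
    """Return (client_ip, reason, blocked) for a proxy probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, request, status = m.groups()
    parts = request.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method not in ALLOWED_METHODS:
        reason = "method " + method
    else:
        uri = ABS_URI_RE.match(target)
        if not uri or uri.group(1).lower() in own_hosts:
            return None  # ordinary request, or absolute URI for our own site
        reason = "foreign URI host " + uri.group(1).lower()
    return ip, reason, status == "403"

def unblocked_probes(lines):
    """Map client IP -> reasons for probes that did NOT receive a 403."""
    hits = defaultdict(list)
    for line in lines:
        result = classify(line)
        if result and not result[2]:
            hits[result[0]].append(result[1])
    return dict(hits)

# Constructed sample log lines (documentation addresses, not from the thread)
SAMPLE = [
    '192.0.2.10 - - [12/Feb/2004:08:47:29 -0500] "POST http://198.51.100.7:25/ HTTP/1.1" 200 240',
    '192.0.2.10 - - [12/Feb/2004:08:47:31 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 200 231',
    '192.0.2.44 - - [12/Feb/2004:09:01:02 -0500] "GET http://www.MyDomain.com/ HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Feb/2004:09:01:05 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.77 - - [13/Feb/2004:10:15:00 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 403 210',
]

if __name__ == "__main__":
    for ip, reasons in unblocked_probes(SAMPLE).items():
        print(ip, "probe answered without 403:", "; ".join(reasons))
```

Any client it lists after the rules are installed points to a request the rules did not match, or to a directory where the .htaccess file is not being applied.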

lemat

5:04 pm on Feb 13, 2004 (gmt 0)

10+ Year Member



And without mod_rewrite:

<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>

lemat

5:08 pm on Feb 13, 2004 (gmt 0)

10+ Year Member



And simply turn off proxy if you don't need it.

Blue_Wizard

11:07 pm on Feb 13, 2004 (gmt 0)

10+ Year Member



Jd,
thanks again.
That worked like the missing silver bullet in the htaccess file.

Lemat

I did try:
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>

It gave me a 500 server error.

And how do you turn off proxy?
Still new at the server side of this.

lemat

10:20 am on Feb 14, 2004 (gmt 0)

10+ Year Member



That's a part of the default Apache 2.0.48 config.
SOA#1 "works for me" between <directory /home/*/public_html> </directory> statements. Simply read the Apache manual to see where you should apply Limits.

Also look at the Apache error_log -> there should be an explanation of why the 500s show up. And of course we'd like to know it too...

And the second problem:
Apache is a set of modules -> look at the LoadModule directive in the config file -> try experimenting to see which *proxy* modules you can safely not load.

You can also compile a brand new Apache from sources --without-proxy (something like that).