
turning off unused https web page

hackers keep beating on the https page..

         

system

8:21 pm on Oct 6, 2004 (gmt 0)

redhat



Ok, so I really don't know what I am doing yet, but here I have a web page, very simple, and it's all http port 80 stuff. I keep getting beat on by hackers trying to do something with the 'default' https page which apache is presenting. I had no idea this was going on, and I was blaming apache, but a sniffer program showed it right up. I don't know what they are trying to do. Break it? Any opinions?

Sure enough, "http mysite" shows me to my page, and "https mysite" displays the 'default' apache page.

The version is Apache 1.3, the O/S is OpenVMS 7.2

How do I turn off the https server?

If anyone knows, please let me know the config file name and what to change. It is probably not VMS specific.

The guy that set this up passed away before he could instruct me on it. It's a noncommercial system delivering rare and scholarly technical content, so it's worth keeping up.

Normally I would not care about hackers since it is running on a DEC VMS system and they are not going to crash or get into the machine, but they multiply up the Apache processes and eventually run the old machine out of silicon memory and it just keeps swapping, gets real slow when there are >75 apache processes going. I've been under this attack for a while. Usually takes about 3 days for them to crap it up, and then I stop and start apache to fix it.

winglian

7:29 am on Oct 7, 2004 (gmt 0)

10+ Year Member



My favorite is just to block all ports but port 80 at the firewall, since port 443 would thereby be blocked, no more problems. Isn't the first rule of security to open what is needed anyways?

Wing

Leosghost

11:19 am on Oct 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Isn't the first rule of security to open what is needed anyways?

Nope ..it's do not connect it to the net and don't let anyone else touch it ..preferably don't even tell anyone you got it and keep it in Fred Kruger's basement ;)

close off all except 80 should do you ..oh yeah and just cos it's a good rule ..no email no xchange,squirrel,horde,..whatever,no msql,no php,no guestbooks ...no shared server ...etc etc

killroy

11:57 am on Oct 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hehe, and always put epoxy glue into all plugs and holes too!

SN

system

8:34 pm on Oct 7, 2004 (gmt 0)

redhat



There's no firewall, but maybe I'll plunk one inline and see what happens. I have had this on the www for over 3 years with no issues before. Probably terrorists.

I don't run anything else on the alphaserver (yet) but I was planning on mail.

I've also been advised by a Wizard that I'm not running "Apache", but actually "HP Secure Web Server for OpenVMS Alpha (based on Apache)" and that there's a book for it. That explains my confusion and why I can't find these files, etc., trying to configure "Apache". Heh, joke's on me. A toast to my deceased friend!

Thanks to all and I will post later after I get some traction with it.
:)

drbrain

11:06 pm on Oct 7, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Don't start apache with -DSSL or mod_ssl in httpd.conf.

Remove the Listen 443 line from httpd.conf.

Remove the https virtual host from the config files.
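
An added example, not part of drbrain's post or any poster's code: a small Python check that scans Apache-style config text for the items listed above (the SSL module, a `Listen 443` line, an https virtual host) and notes which ones only take effect when the server is started with `-DSSL`. The function name and `SAMPLE_CONF` are constructed for illustration; it assumes you feed it the text of each config file your server actually reads.

```python
import re

# Constructed sample in the style of an Apache 1.3 + mod_ssl httpd.conf (not from the thread).
SAMPLE_CONF = """\
Listen 80
<IfDefine SSL>
LoadModule ssl_module libexec/libssl.so
Listen 443
</IfDefine>
# Listen 8443
<VirtualHost _default_:443>
SSLEngine on
</VirtualHost>
"""

def find_https_directives(conf_text, https_port=443):
    """Return (line_no, kind, text, needs_DSSL) for each directive that keeps HTTPS alive."""
    findings = []
    ifdefine_stack = []  # arguments of the <IfDefine ...> blocks we are currently inside
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives are inert
        m = re.match(r"<IfDefine\s+(!?\w+)\s*>", line, re.I)
        if m:
            ifdefine_stack.append(m.group(1))
            continue
        if re.match(r"</IfDefine>", line, re.I):
            if ifdefine_stack:
                ifdefine_stack.pop()
            continue
        kind = None
        if re.match(rf"Listen\s+(\S+:)?{https_port}\b", line, re.I):
            kind = "listener"   # the 'Listen 443' line
        elif re.match(rf"<VirtualHost\s+[^>]*:{https_port}\b", line, re.I):
            kind = "vhost"      # the https virtual host
        elif re.match(r"(LoadModule\s+ssl_module|AddModule\s+mod_ssl\.c)\b", line, re.I):
            kind = "module"     # mod_ssl being loaded
        elif re.match(r"SSLEngine\s+on\b", line, re.I):
            kind = "engine"
        if kind:
            # needs_DSSL is True when the directive is only active with -DSSL
            findings.append((no, kind, line, "SSL" in ifdefine_stack))
    return findings

if __name__ == "__main__":
    for no, kind, text, needs_dssl in find_https_directives(SAMPLE_CONF):
        scope = "only with -DSSL" if needs_dssl else "always active"
        print(f"line {no}: {kind:8s} {scope:16s} {text}")
```

An empty result for every config file the server reads, together with nothing answering on port 443 after a restart, is the state the three steps above aim for.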