
I'm getting a successful port 25 in my log?

Is this sending spam/mail?

smiddy

6:09 pm on Jan 25, 2006 (gmt 0)

10+ Year Member



Here is the log file:

221.169.56.134 - - [25/Jan/2006:12:00:50 -0600] "CONNECT 210.***.181.193:25 HTTP/1.0" 200 13693 "-" "-"
221.169.56.134 - - [25/Jan/2006:12:00:52 -0600] "CONNECT 210.***.181.193:25 HTTP/1.0" 200 13693 "-" "-"
221.169.56.134 - - [25/Jan/2006:12:00:53 -0600] "CONNECT 210.***.181.194:25 HTTP/1.0" 200 13693 "-" "-"

Not sure what this is doing...should I be worried?

[edited by: jdMorgan at 2:36 am (utc) on Jan. 26, 2006]
[edit reason] Obscured IP address [/edit]

jdMorgan

7:17 pm on Jan 25, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's an attempt, apparently successful, to use your server as an SMTP (e-mail) proxy.

See Apache core <Limit> and <LimitExcept>, and Order, Allow, and Deny in mod_access:

<LimitExcept GET OPTIONS POST>
Deny from all
</LimitExcept>

Jim

smiddy

9:56 pm on Jan 25, 2006 (gmt 0)

10+ Year Member



So I put that in the httpd.conf file?

AlexK

10:14 pm on Jan 25, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Simpler by far to remove the Proxy features: you should certainly know whether you are using them (if you do not know, that means that you are not).

Look for:

# LoadModule proxy_module modules/mod_proxy.so
# LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
# LoadModule proxy_http_module modules/mod_proxy_http.so
# LoadModule proxy_connect_module modules/mod_proxy_connect.so
...
#<IfModule mod_proxy.c>
#ProxyRequests On
#
#<Proxy *>
# Order deny,allow
# Deny from all
# Allow from .your-domain.com
#</Proxy>
...and comment them out as shown.

The point, BTW, is that it allows others to send you mail which your machine will then proxy out to hundreds (thousands?, millions?) of other machines. Doing the above (and restarting Apache) will stop it dead. As long as you are not using the proxy for other purposes...

Then, pay attention to Mr Morgan, and read up (and implement) the commands set out above.

smiddy

2:14 am on Jan 26, 2006 (gmt 0)

10+ Year Member



I'm not using proxy. No statements exist like that. I don't have a mail server either.

Why do you think there is a successful :25?

jdMorgan

2:34 am on Jan 26, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Because your access log says so:

HTTP/1.0" 200 13693

The "200" is a 200-OK server response -- the response to a successful request. 13,693 bytes were transferred.

It doesn't matter that you don't have an SMTP server, the request was to connect to the SMTP server at the 210.***.181.193 IP address given -- apparently a mail-forwarding service in Taiwan. Your IP address will appear in the full message headers as part of the return path.

You need to block these accesses as outlined above, either in httpd.conf, or in your top-level .htaccess file.

Jim

AlexK

4:06 pm on Jan 26, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Not quite, Jim.

(According to my webhost, who checked from his own system) in the absence of any proxy directives active, they will just get the (default) webpage back, which is a 200 response, of course.

[I checked my own logs and, wouldya-believe-it, am also getting CONNECT 200 responses to the same IP-address (and others) - they most definitely cannot proxy from my machine.]

I do need your help, please Jim...

I did not want these prats to be able to make such attempts, and also wanted to stop other, perhaps arbitrary (non-legal) methods, so I tried using the LimitExcept as in msg#2 - neither "Order deny,allow" nor "Deny from all" can be used in that context ("Syntax error ... deny not allowed here"). However, the Apache docs give an example of "Require valid-user" and that also gives a syntax error: "Require not allowed here". Any idea what may be going on?


#
# Stop CONNECT + arbitrary connections
# 2006-01-26 added -AK
<LimitExcept POST GET>
Require valid-user
</LimitExcept>
...
File httpd.conf saved
# apachectl graceful
apachectl: Configuration syntax error, will not run "graceful":
Syntax error on line 1022 of httpd.conf:
Require not allowed here

AlexK

5:13 pm on Jan 26, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Just answered my own question...

Within the main server-config it needs to be placed within <Directory> ... </Directory> sections:

#
# 2006-01-26 added LimitExcept to restrict CONNECT + arbitrary -AK
<Directory "/server/path/to/web/directory">
<LimitExcept GET HEAD OPTIONS POST>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>

I never knew that! apachectl graceful now works.

AlexK

7:33 am on Feb 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Help please!

The access logs still show CONNECT entries. Obviously there is something wrong with my entries within httpd.conf. This is the relevant section, placed within the main section (ie not a VirtualHost):

#
# 2006-01-26 added LimitExcept to restrict CONNECT + arbitrary -AK
# 2005-06-16 added belt+braces prevent file-show on no valid index file -AK
<Directory "/server/path">
Options FollowSymLinks -Indexes
AllowOverride All
Order allow,deny
Allow from all
<LimitExcept GET HEAD OPTIONS POST>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>

Clearly, I am doing something wrong there, but just cannot see what it is.

jdMorgan

2:57 pm on Feb 9, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Try structuring the code so that only one <Order> directive is needed within the same container.

If two are present in the same container, I think you'll find that the last one 'wins'.

Jim
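To see why the two Order lines interact the way Jim describes, here is an added example (not from the thread and not Apache's code) that models the Deny,Allow and Allow,Deny rules in a toy evaluator; it folds the <LimitExcept> directives into the enclosing container for the methods they cover and assumes the last Order seen in that scope wins. Under that model the outer "Allow from all" satisfies Deny,Allow, so CONNECT passes the layout in the previous post, whereas Allow,Deny inside the <LimitExcept> rejects it.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of the mod_access Order/Allow/Deny rules quoted in this thread;
# it is not Apache's code. A rule is "all", a CIDR, or a dotted IP prefix like "10.0".
def _matches(rule: str, client: str) -> bool:
    if rule == "all":
        return True
    if "/" in rule:
        return ipaddress.ip_address(client) in ipaddress.ip_network(rule, strict=False)
    return client == rule or client.startswith(rule.rstrip(".") + ".")

def mod_access_decision(order: str, allows: List[str], denies: List[str], client: str) -> bool:
    """Deny,Allow: allowed by default; a matching Deny rejects unless an Allow also matches.
    Allow,Deny: denied by default; an Allow must match and no Deny may match."""
    allowed = any(_matches(a, client) for a in allows)
    denied = any(_matches(d, client) for d in denies)
    if order.lower() == "deny,allow":
        return allowed or not denied
    if order.lower() == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unknown Order: {order}")

@dataclass
class Container:
    """One <Directory>/<Location> with an optional <LimitExcept> inside it."""
    order: str
    allows: List[str] = field(default_factory=list)
    denies: List[str] = field(default_factory=list)
    limit_except: Tuple[str, ...] = ()        # methods exempt from the inner rules
    le_order: Optional[str] = None            # Order inside <LimitExcept>, if any
    le_allows: List[str] = field(default_factory=list)
    le_denies: List[str] = field(default_factory=list)

def is_permitted(c: Container, method: str, client: str) -> bool:
    """Merge the outer Allow/Deny lines with the <LimitExcept> ones for the methods it
    covers, assuming (as Jim suggests) that the last Order seen in the scope wins."""
    allows, denies, order = list(c.allows), list(c.denies), c.order
    if c.limit_except and method.upper() not in c.limit_except:
        allows, denies = allows + c.le_allows, denies + c.le_denies
        order = c.le_order or order
    return mod_access_decision(order, allows, denies, client)

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "POST")
# Layout from the previous post: outer "Allow from all", inner "Order deny,allow / Deny from all".
FAILING = Container("allow,deny", allows=["all"], limit_except=SAFE_METHODS, le_order="deny,allow", le_denies=["all"])
# Same container, but with "Order allow,deny" inside the <LimitExcept>.
FIXED = Container("allow,deny", allows=["all"], limit_except=SAFE_METHODS, le_order="allow,deny", le_denies=["all"])
```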

AlexK

4:00 pm on Feb 10, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks for your input, Jim.

Well, stopping the CONNECT requests dead in their tracks was more difficult than anyone should expect, but I fixed it by going back to basics...

The <Location> directive (container) [httpd.apache.org] is designed to be used "to apply directives to content that lives outside the filesystem" (eg pages produced from a Database, such as PHP/MySQL pages). However, <Location /> is "an easy way to apply a configuration to the entire server". Perfect! And just what I needed. So,

# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
Options FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
.
# 2006-02-10 added LimitExcept to restrict CONNECT + arbitrary -AK
<Location />
<LimitExcept GET HEAD OPTIONS POST>
Order allow,deny
Deny from all
</LimitExcept>
</Location>
(additions follow the bold entry)

...at the top of the server config.

<Location />, BTW, is a directive to be careful about, since it is merged last in the order of all configuration sections [httpd.apache.org], and can therefore override other restrictions, maybe releasing documents that other directives have restricted, and therefore compromising security. Just something to be cautious of.

The Order directive [httpd.apache.org] is one of those things that does my head in. It seems that it can be used more than once in the same container, since my httpd.conf contains an example (commented out by default):

#
# Control access to UserDir directories. The following is an example
# for a site where these directories are restricted to read-only.
#
#<Directory /home/*/public_html>
# AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
# <Limit GET POST OPTIONS>
# Order allow,deny
# Allow from all
# </Limit>
# <LimitExcept GET POST OPTIONS>
# Order deny,allow
# Deny from all
# </LimitExcept>
#</Directory>

The important thing is that:
  1. Deny,Allow: Access is allowed by default.
  2. Allow,Deny: Access is denied by default.

The additions to httpd.conf as at top have finally worked, as shown by the following from the Apache access_log:
80.168.53.3 - - [10/Feb/2006:14:41:16 +0000] "CONNECT mail.ukfsn.org:25" 200 39569 "-" "-" In:- Out:-:-pct.
80.168.53.3 - - [10/Feb/2006:15:09:41 +0000] "CONNECT www.modem-help.com:25" 403 5044 "-" "-" In:- Out:-:-pct.
80.168.53.3 - - [10/Feb/2006:15:10:14 +0000] "CONNECT mail.ukfsn.org:25" 403 5044 "-" "-" In:- Out:-:-pct.

Those are all from my ever-helpful Host testing my setup. The very first line shows the previous setup not working (it returns the default home page) whereas the last 2 lines show a status 403 (yeah!). I will now perhaps change the default error-page to just say "piss-off", or some such helpful message.
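An added example, not from the thread, that applies Jim's reading of the log fields: it parses access-log lines in the formats quoted here, picks out CONNECT requests, and separates 2xx replies (to be investigated, since as AlexK found a 200 may only be the default page) from 403 blocks, listing clients whose CONNECT to port 25 was accepted. The sample lines are constructed from the ones quoted above.

```python
import re
from collections import Counter
from typing import Optional

# Common/combined log prefix; any trailing custom fields (e.g. "In:- Out:-") are ignored.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')

def parse_line(line: str) -> Optional[dict]:
    """Return client, method, target, target port and status for one line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")          # "CONNECT host:25 HTTP/1.0" or "CONNECT host:25"
    target = parts[1] if len(parts) > 1 else ""
    host, _, port = target.rpartition(":")
    return {"client": m.group("client"), "method": parts[0], "target": target,
            "port": int(port) if host and port.isdigit() else None, "status": int(m.group("status"))}

def classify_connect(entry: dict) -> Optional[str]:
    """Verdict for a CONNECT request; None for any other method.
    'accepted': 2xx reply, either a real relay (mod_proxy loaded) or, as AlexK found, just the
    default page served with a 200; either way it needs checking.  'blocked': 403/405."""
    if entry["method"] != "CONNECT":
        return None
    if 200 <= entry["status"] < 300:
        return "accepted"
    return "blocked" if entry["status"] in (403, 405) else "other"

def scan(lines) -> dict:
    """Count CONNECT verdicts and list clients whose CONNECT to port 25 got a 2xx reply."""
    verdicts, port25_clients = Counter(), Counter()
    for line in lines:
        entry = parse_line(line)
        verdict = classify_connect(entry) if entry else None
        if verdict is None:
            continue
        verdicts[verdict] += 1
        if verdict == "accepted" and entry["port"] == 25:
            port25_clients[entry["client"]] += 1
    return {"verdicts": dict(verdicts), "port25_accepted_clients": dict(port25_clients)}

# Constructed sample lines modelled on those quoted in the thread (the obscured IP kept as shown).
SAMPLE_LOG = [
    '221.169.56.134 - - [25/Jan/2006:12:00:50 -0600] "CONNECT 210.***.181.193:25 HTTP/1.0" 200 13693 "-" "-"',
    '80.168.53.3 - - [10/Feb/2006:15:09:41 +0000] "CONNECT www.modem-help.com:25" 403 5044 "-" "-" In:- Out:-:-pct.',
    '80.168.53.3 - - [10/Feb/2006:15:10:14 +0000] "GET / HTTP/1.1" 200 5044 "-" "Mozilla/5.0"',
]
```

Running scan(SAMPLE_LOG) reports one accepted and one blocked CONNECT, with 221.169.56.134 as the only client whose port-25 CONNECT got a 2xx.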