Forum Moderators: phranque
I am running an Apache server (on Gentoo Linux) at home just for testing etc.; however, I recently noticed a lot of strange entries in my Apache logs. They look somewhat like this:
38.***.4.56 - - [22/Nov/2003:07:22:01 -0500] "CONNECT 195.***.76.123:25 HTTP/1.0" 200 14402 "-" "-"
I found 178026 of those "CONNECT" entries from about 5 different remote hosts.
It did not seem to bother my server at all, nor did I notice anything strange in my other log files etc. I do not have an open mail relay (of course not), and only ports 80, 443, 25, 110 and 143 are open.
Can someone explain to me what this person is trying to do?
What would be the best way to avoid this "intruder"? Unfortunately my router does not have the capability to block at the router end, so I suppose I would have to do it with Apache? I saw one suggestion:
Regarding the expansion of the scope of this thread to include HTTP methods, I reject methods other than GET, HEAD, and POST using
<Files *>
<LimitExcept GET POST>
deny from all
</LimitExcept>
</Files>
(GET includes HEAD)
Would this still be written to the log files though?
Thanks for any help and explanation!
DrTebi
[edited by: jdMorgan at 1:45 am (utc) on Nov. 24, 2003]
[edit reason] No specific IPs, please [/edit]
Since port 25 (smtp) has been hit, it's likely a spammer trying to use your server as a spam relay server.
The Limit rule should block 'em.
>Would this still be written to the log files though?
Afaik yes. But with a 403 status code instead of 200.
btw, Welcome to WebmasterWorld [webmasterworld.com], DrTebi. :)
[edited by: jdMorgan at 1:46 am (utc) on Nov. 24, 2003]
[edit reason] obscured IP [/edit]
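The question in the first post ("what is this person trying to do?") and the answer above ("still logged, but with a 403 instead of a 200") are both things you can check mechanically against the access log. The script below is an added example, not code from the thread or from Apache: it parses combined-format log lines, labels CONNECT requests, absolute-URI (forward-proxy style) requests and any method other than GET/HEAD/POST as relay/proxy probes, counts them per source address, and separates the ones the server answered with a 2xx (served, as in the 200 entries DrTebi posted) from the ones it refused with 403/405 (what the LimitExcept rule should produce). The sample log lines are constructed for the example and use documentation IP ranges, not the thread's (obscured) hosts.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format. The request line is split into method,
# target and protocol so we can inspect CONNECT targets such as host:25.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (RFC 5737 documentation addresses), modelled on
# the entries quoted in the thread: repeated CONNECT to port 25 (SMTP).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Nov/2003:07:22:01 -0500] "CONNECT 198.51.100.23:25 HTTP/1.0" 200 14402 "-" "-"
203.0.113.7 - - [22/Nov/2003:07:22:03 -0500] "CONNECT 198.51.100.23:25 HTTP/1.0" 200 14402 "-" "-"
203.0.113.9 - - [22/Nov/2003:07:22:05 -0500] "CONNECT 198.51.100.44:25 HTTP/1.0" 403 290 "-" "-"
192.0.2.10 - - [22/Nov/2003:07:23:00 -0500] "GET /index.html HTTP/1.1" 200 14402 "-" "Mozilla/5.0"
192.0.2.10 - - [22/Nov/2003:07:23:01 -0500] "GET http://example.com/ HTTP/1.1" 200 14402 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Nov/2003:07:24:00 -0500] "OPTIONS * HTTP/1.0" 200 0 "-" "-"
"""

# The methods a plain content server needs; matches the LimitExcept rule.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def parse_line(line):
    """Return a dict of fields for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def abuse_kind(entry):
    """Label a parsed entry as a proxy/relay probe, or None for an ordinary request."""
    if entry["method"] == "CONNECT":
        return "connect"          # tunnel request; host:25 means an SMTP relay attempt
    if entry["target"].lower().startswith(("http://", "https://")):
        return "absolute-uri"     # forward-proxy style request, another open-proxy probe
    if entry["method"] not in ALLOWED_METHODS:
        return "other-method"     # anything the LimitExcept rule would refuse
    return None


def summarize(log_text):
    """Count probes per source and split them into served (2xx) vs blocked (403/405)."""
    per_source = defaultdict(Counter)
    served = blocked = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = abuse_kind(entry)
        if kind is None:
            continue
        per_source[entry["src"]][kind] += 1
        if 200 <= entry["status"] < 300:
            served += 1              # the server answered the probe with content
        elif entry["status"] in (403, 405):
            blocked += 1             # refused, which is what the Limit rule should show
    return {
        "per_source": {src: dict(c) for src, c in per_source.items()},
        "served": served,
        "blocked": blocked,
    }


def connect_targets(log_text):
    """Set of host:port targets requested via CONNECT, to see which ports are being probed."""
    return {
        e["target"]
        for e in map(parse_line, log_text.splitlines())
        if e and e["method"] == "CONNECT"
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, kinds in sorted(report["per_source"].items()):
        print(f"{src}: {kinds}")
    print(f"served={report['served']} blocked={report['blocked']}")
    print("CONNECT targets:", sorted(connect_targets(SAMPLE_LOG)))
```

Run it against a real access_log by replacing SAMPLE_LOG with the file contents. A source whose "connect" count is high and whose entries are still counted under "served" is one the server is answering; once the LimitExcept rule is in place the same lines should move to "blocked" (403), which is the "still logged, but with a different status" behaviour described above. The per-source counts also give you the /24 to feed into a firewall rule if you decide to drop the traffic before it reaches Apache at all.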
I figured someone was trying to use my server as a spam relay server. But why did he make over 100,000 attempts?
The one thing I don't understand is why this is in my Apache log, since Apache runs on port 80?
Can I prevent these connects from being logged somehow, so I don't have this messing up my log files?
Are there any other tricks to keep spam mailers out? Or maybe an endless loop-bounce-something?
Thanks.
It just bothers me that (s)he fills up my logs. I am pretty sure I can figure out some way to avoid this.
Maybe I will bring my Cisco router back to work and set up an access list or something; that works pretty nicely, it's just that the DSL card is damn expensive :(
Thanks for helping.
iptables -I INPUT -s 38.***.4.0/24 -j DROP
It was a bit of an adventure to recompile the kernel and get iptables to work, but hey, now I know how :)
Then I did a bit of research on where this guy is coming from. It turned out that the network from which these CONNECT entries are being sent is a major "bad kid" in the spamming world. c****tco.com is very well known for hosting spammers etc. Quite interesting, they have plenty of entries at [spamhaus.org....]
When I further inspected my logs, I noticed that my Apache server would simply send out the home page (as in /index.html) in response to a request like "CONNECT: 195.***.76.123:25 HTTP/1.0".
The only thing I wonder about is why the spammer never gave up. His script has been running for about two weeks; wouldn't he realize he isn't able to spam through my server and give up? Strange....
DrTebi
[edited by: jdMorgan at 1:48 am (utc) on Nov. 24, 2003]
[edit reason] Removed specifics [/edit]