Re: [mod-security-users] Apache proxy abuse
From: Alejandro C. <cas...@gm...> - 2013-02-16 17:06:49
Yes, I think that is a kind of botnet. I understood the problem, and I thought that dropping connections was the best way, but I didn't realize that it could be interpreted as an overload of the server; you are right. I will use that setting, and monitor how the server performs.

Thank you very much for your advice. I really appreciate that.

Best regards
Alejandro

2013/2/16 Reindl Harald <h.r...@th...>

> On 16.02.2013 17:26, Alejandro Casagrande wrote:
> > I don't know why you are being so rude.
>
> because you do not try to understand the problem?
>
> > I know that should return 403 code
>
> so do it
>
> > but that generates output traffic
>
> not a relevant amount
>
> > using mod_security I want to drop this connection, with the configuration that I'm using is doing that,
> > but if you consider that is not right what I'm doing, I will apply your suggestions
>
> you said it is a large amount of IP's
> well, that sounds like a botnet
> they found your machine open as proxy and started using it
>
> after they get enough 403 responses they will go away
> dropping connections may be interpreted as "overloaded" while
> a "403 forbidden" clearly indicates you have fixed your config
>
> if you are closing the connection you risk that they try much
> longer to use your server as a proxy and overload you with
> incoming traffic and syn-floods than if you respond clearly
> with a sign "creep away, my config is fixed"
>
> > The VPS has preinstalled apache, and I was not quick enough to realize this problem. That was my mistake and I'm
> > working to have the best solution.
>
> the best solution is to have a sane config and sit
> this out as they will stop trying over time without
> success
>
> > It seems that I'm bothering in this list, if so I will quit this list and everybody happy, I just was looking for
> > some useful advice, not being insulted.
> >
> > I'm very sorry for bothering with my emails.
>
> nobody said that
>
> but if you are advised to fix the config and how and the
> apache documentation states that this is correct you should
> not try to break the HTTP protocol because it will not help
> you
>
> > 2013/2/16 Reindl Harald <h.r...@th...>
> >
> > > On 16.02.2013 16:35, Alejandro Casagrande wrote:
> > > > Hi Reindl, I really appreciate your suggestions. Yes I put ProxyRequest Off in the redirection to jetty.
> > > >
> > > > However, in the default vhost I think that I need proxyrequest on, because if I don't have that Apache responds
> > > > when a proxy request attempt is done, returning 403 code. I don't want that apache responds to that request,
> > > > instead I want the connection dropped. I'm doing this with the vhost below, and mod_security is dropping the
> > > > connection.
> > >
> > > do what you want if you are thinking you are smarter than people
> > > with a lot of production servers, even as the apache developers
> > > itself which are saying clearly DISABLE THIS BULLSHIT
> > >
> > > the HTTP protocol is designed to respond with a status-code
> > > and if you would not have been so stupid at the begin allow
> > > proxy requests you would not have all this connections which
> > > will sooner or later stop if they recognize that it is no
> > > longer possible and this is one reason more respond with 403
> > >
> > > your problem is generally on the wrong mailing-list because
> > > a misconfiguration of httpd has nothing to do with modsec which
> > > should be a FALLBACK and not to fix misconfiguration
> > > ____________________________
> > >
> > > http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyrequests
> > >
> > > Warning
> > > Do not enable proxying with ProxyRequests until you have secured your server.
> > > Open proxy servers are dangerous both to your network and to the Internet at large.
> > >
> > > This allows or prevents Apache from functioning as a forward proxy server.
> > > (Setting ProxyRequests to Off does not disable use of the ProxyPass directive.)

--
Ing. Alejandro Casagrande
Advenio Software
http://www.advenio.com.ar
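A check for the monitoring step mentioned in the reply above, as an added example that is not part of the original thread: it scans Apache access-log lines for forward-proxy attempts (CONNECT, or an absolute URL naming a foreign host) and lists the ones that were not answered with 403 so they can be reviewed. The log lines, addresses and the `OWN_HOSTS` values are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hostnames this server legitimately serves (placeholders).
OWN_HOSTS = {"www.example.org", "example.org"}

# Apache common/combined log prefix: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')

def is_proxy_attempt(request_line):
    """True for CONNECT, or an absolute-URI target naming a host that is not ours."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        return True
    if target.lower().startswith(("http://", "https://")):
        try:
            host = (urlsplit(target).hostname or "").lower()
        except ValueError:  # malformed authority: not a normal request, review it
            return True
        return host not in OWN_HOSTS
    return False

def audit(lines):
    """Return (status counts of proxy attempts, attempts not answered with 403)."""
    statuses, not_refused = Counter(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_proxy_attempt(m["request"]):
            continue
        statuses[m["status"]] += 1
        if m["status"] != "403":  # flagged for review, not proof of relaying
            not_refused.append((m["ip"], m["request"], m["status"]))
    return statuses, not_refused

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [16/Feb/2013:17:01:02 +0000] "GET http://ads.example.net/click?id=1 HTTP/1.1" 403 202',
    '198.51.100.7 - - [16/Feb/2013:17:01:03 +0000] "CONNECT mail.example.net:25 HTTP/1.0" 403 202',
    '203.0.113.5 - - [16/Feb/2013:17:01:04 +0000] "GET http://ads.example.net/click?id=2 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [16/Feb/2013:17:01:05 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.45 - - [16/Feb/2013:17:01:06 +0000] "GET http://www.example.org/ HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A falling count of 403 entries over the following days is the "they will go away" effect described in the thread; any entry in the second list is worth comparing against the response size of a normal local page.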