Re: Strange CONNECT entries in apache logs
From: Darryl Luff (dluff iitscdm.com.au)
Date: Tue Jun 10 2003 - 23:05:21 CDT
>On Fri, 6 Jun 2003, Rajkumar S wrote:
>
>>While going through my apache logs, I found some logs indicating CONNECT
>>requests to port 25 of other hosts.
>>
>>213.130.24.192 [06/Jun/2003:08:44:58 +0530] "CONNECT 194.67.23.20:25
>>HTTP/1.1" 302 5 "-" "-"
>>130.94.247.248 [06/Jun/2003:10:26:17 +0530] "CONNECT 207.44.188.67:25
>>HTTP/1.0" 200 14409 "-" "-"
>>130.94.247.248 [06/Jun/2003:09:56:21 +0530] "CONNECT smtp.rol.ru:25
>>HTTP/1.0" 200 17757 "-" "-"
>>
>>I found this on 2 machines in an Indian IP block. Another server of mine
>>in the US is not affected by this. Is someone else seeing this? Could this
>>be the next wave of spam?
>>
Look at the apache docs for the "AllowCONNECT" directive. This lets you
limit the port numbers that people can connect to through the proxy.
Normally, it should be "AllowCONNECT 443". This will block any attempts
to connect to strange ports using "CONNECT". Also look at the access
restrictions on your proxy to make sure that only your authorised users
can access it, either through IP restrictions or user authentication.
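
A log check for the pattern discussed in this thread, added here as an example and not part of the original message: it scans access-log lines in the layout quoted above for CONNECT requests to ports outside the AllowCONNECT list. The sample lines are constructed, the function names are this example's own, and treating a 2xx status as a possible relay is an assumption of the example.

```python
import re
from collections import Counter

# Layout of the quoted entries: client [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
ALLOWED_PORTS = {443}  # mirrors "AllowCONNECT 443"

def split_target(target):
    """Split a CONNECT authority (host:port) into (host, port or None)."""
    host, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        return target, None
    return host.strip("[]"), int(port)

def triage(lines, allowed_ports=ALLOWED_PORTS):
    """Return one finding per CONNECT request to a port outside allowed_ports."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "CONNECT":
            continue
        host, port = split_target(m["target"])
        if port in allowed_ports:
            continue
        # Assumption: a 2xx answer may mean the tunnel was opened, so it needs review
        verdict = "investigate" if m["status"].startswith("2") else "rejected"
        findings.append({"client": m["client"], "host": host, "port": port,
                         "status": int(m["status"]), "verdict": verdict})
    return findings

def possible_relays(findings):
    """Count out-of-policy CONNECT requests answered with 2xx, per client."""
    return Counter(f["client"] for f in findings if f["verdict"] == "investigate")

# Constructed sample lines (documentation addresses), same layout as the quoted log
SAMPLE = [
    '192.0.2.10 [06/Jun/2003:08:44:58 +0530] "CONNECT 198.51.100.20:25 HTTP/1.1" 302 5 "-" "-"',
    '192.0.2.77 [06/Jun/2003:09:56:21 +0530] "CONNECT mail.example.net:25 HTTP/1.0" 200 17757 "-" "-"',
    '192.0.2.77 [06/Jun/2003:10:26:17 +0530] "CONNECT 198.51.100.67:25 HTTP/1.0" 200 14409 "-" "-"',
    '192.0.2.30 [06/Jun/2003:10:30:02 +0530] "CONNECT shop.example.com:443 HTTP/1.0" 200 5120 "-" "-"',
    '192.0.2.30 [06/Jun/2003:10:31:40 +0530] "GET /index.html HTTP/1.0" 200 2048 "-" "-"',
]

if __name__ == "__main__":
    print(dict(possible_relays(triage(SAMPLE))))
```

Clients that show up in the `investigate` count are the ones to compare against the proxy's access restrictions.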