LinuxQuestions.org

-   -   "CONNECT" through http? (https://www.linuxquestions.org/questions/linux-security-4/connect-through-http-292631/)

Buckyjunior 02-20-2005 12:26 PM

"CONNECT" through http?
 
Kinda new here so please forgive me if my question is incomplete. I've also searched for something similar (with no luck) but if there is another thread, please point me there.

My access logs seem to show some test of access and then connecting through my Fedora C2 install to other locations. E.g., with false ip addresses

1.2.3.4 - - [14/Feb/2005:06:53:00 -0700] "CONNECT smtp.NAME.ru:25 HTTP/1.0" 405 314 "-" "-"

This one produces an error (405), but some others seem to succeed.

5.6.7.8 - - [17/Feb/2005:17:48:08 -0700] "9.a.b.c / HTTP/1.1" 405 - "-" "-"
5.6.7.8 - - [17/Feb/2005:17:48:12 -0700] "GET http://www.yahoo.com/ HTTP/1.1" 200 1318 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"

The first entry produces an error, but the second seems to go through my machine. I've been using iptables to DROP each ip when I see a new one in my log file.

Am I guessing correctly that someone may be "using" my machine/IP to log in elsewhere? Do I need to look more closely at iptables to thwart exterior "forwarding?" Should I be doing something else?

Thanks all. I've still got a lot to learn.
Bucky

Capt_Caveman 02-20-2005 03:26 PM

Re: "CONNECT" through http?
 
1.2.3.4 - - [14/Feb/2005:06:53:00 -0700] "CONNECT smtp.NAME.ru:25 HTTP/1.0" 405 314 "-" "-"
This is a proxy attempt to a mail server. More than likely a spammer looking for someone to relay mail. The 405 indicates it failed.

5.6.7.8 - - [17/Feb/2005:17:48:12 -0700] "GET http://www.yahoo.com/ HTTP/1.1" 200 1318 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
Again, someone looking for open proxies. This time it's an http proxy attempt. Apache has an odd behavior for these types of requests. The 200 status code normally indicates a successful attempt, but the default Apache behavior is to return your default homepage or index.html instead of whatever page they were trying to get via proxy (in this case www.yahoo.com). So while the status code looks like the proxy was successful, to the person making proxy attempts it really failed. You can verify this by looking at the size of the page returned to them (1318 bytes) and comparing that to the size of index.html.

By default most Apache installs have all of the proxy functions disabled and you have to specifically enable them in the config file, which isn't something you could normally do by accident. You can use something like mod_rewrite to specifically return 400 status codes, but that can really cause more problems than it solves, especially since these attempts are failing anyway. Hope that helps.
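The checks described in the reply above, as an added example that is not part of the original thread: a small log analyser that parses Apache combined-format lines, flags the two proxy-probe shapes (a CONNECT host:port request and a GET with an absolute URI), and applies the byte-count check. It treats a 200 whose size equals the server's own index.html as "local page served, not proxied". The sample log lines are constructed from the thread with placeholder addresses, and INDEX_HTML_SIZE is a hypothetical value chosen to match the 1318-byte response in the thread; substitute the real size of your index page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Apache "combined" log format, which is what the lines in the thread use.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}

# Constructed sample log modelled on the thread's entries; IPs are placeholders.
SAMPLE_LOG = """\
1.2.3.4 - - [14/Feb/2005:06:53:00 -0700] "CONNECT smtp.NAME.ru:25 HTTP/1.0" 405 314 "-" "-"
5.6.7.8 - - [17/Feb/2005:17:48:08 -0700] "9.a.b.c / HTTP/1.1" 405 - "-" "-"
5.6.7.8 - - [17/Feb/2005:17:48:12 -0700] "GET http://www.yahoo.com/ HTTP/1.1" 200 1318 "-" "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)"
9.9.9.9 - - [17/Feb/2005:18:00:00 -0700] "GET /index.html HTTP/1.1" 200 1318 "-" "Mozilla/5.0"
"""

# Size of the server's own index.html in bytes. Hypothetical value that matches
# the 1318-byte response in the thread; replace with your own file's size.
INDEX_HTML_SIZE = 1318


@dataclass
class Finding:
    ip: str
    request: str
    status: int
    size: Optional[int]
    kind: str     # connect-tunnel | absolute-uri | malformed | normal
    verdict: str  # what the status code and byte count actually tell us


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["size"] = None if d["size"] == "-" else int(d["size"])
    return d


def classify_request(request: str) -> str:
    """Label the request line by the kind of proxy probe it looks like."""
    parts = request.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/") or parts[0] not in KNOWN_METHODS:
        return "malformed"          # e.g. "9.a.b.c / HTTP/1.1"
    method, target = parts[0], parts[1]
    if method == "CONNECT":
        return "connect-tunnel"     # "CONNECT host:port": asks the server to tunnel raw TCP
    if re.match(r"^[a-z][a-z0-9+.\-]*://", target, re.I):
        return "absolute-uri"       # "GET http://other.site/": asks the server to fetch on their behalf
    return "normal"


def judge(kind: str, status: int, size: Optional[int], index_size: int) -> str:
    """Decide whether the probe actually got anything, from the status and byte count."""
    if kind == "connect-tunnel":
        return "tunnel opened (open proxy)" if 200 <= status < 300 else f"refused (status {status})"
    if kind == "absolute-uri":
        if status != 200:
            return f"refused (status {status})"
        if size == index_size:
            return "200 but local index page served, not proxied"
        return "200 with unexpected size; verify proxying is really off"
    if kind == "malformed":
        return f"malformed request (status {status})"
    return "ordinary request"


def analyse(log_text: str, index_size: int = INDEX_HTML_SIZE) -> List[Finding]:
    """Run every parseable line through the classifier and the verdict logic."""
    findings = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        kind = classify_request(fields["request"])
        findings.append(Finding(fields["ip"], fields["request"], fields["status"], fields["size"],
                                kind, judge(kind, fields["status"], fields["size"], index_size)))
    return findings


def suspect_ips(findings: List[Finding]) -> Set[str]:
    """Addresses that sent any kind of proxy probe, whether or not it got anywhere."""
    return {f.ip for f in findings if f.kind != "normal"}


if __name__ == "__main__":
    results = analyse(SAMPLE_LOG)
    for f in results:
        print(f"{f.ip:<10} {f.kind:<15} {f.verdict}  <- {f.request}")
    # The rules the original poster is adding by hand, generated from the findings.
    for ip in sorted(suspect_ips(results)):
        print(f"iptables -A INPUT -s {ip} -j DROP")
```

The size comparison is only a heuristic: a 200 whose byte count differs from index.html is worth a closer look (for example by requesting an absolute URI against your own server from outside and seeing what comes back), while a 2xx on a CONNECT request is the one result that unambiguously means the server tunnelled the connection.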

Buckyjunior 02-20-2005 04:06 PM

Thanks Cap'n,

I appreciate your thoughtful, thorough reply. I understand a bit more than I did this morning.

I also need to add "Security references" in the Security Forum to my lengthening reading list.

It's good to know that I haven't made too many errors, but I'll continue to DROP the IPs of those making the attempt.

Bucky

