Linux - Security (LinuxQuestions.org): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I keep getting errors like this in my Apache logs:
Code:
Requests with error response codes
403 Forbidden
http://scifi.pages.at/myproxies/azenv.php: 12 Time(s)
http://www.eduisland.com/prx1.php: 1 Time(s)
404 Not Found
http://sevy.eu.org/azenv.php: 2 Time(s)
http://www.digconsys.com/testdir/env.cgi: 1 Time(s)
http://www.nassc.com/pr.php: 4 Time(s)
405 Method Not Allowed
www.google.com:443: 5 Time(s)
Connection attempts using mod_proxy:
222.208.183.218 -> www.google.com:443: 5 Time(s)
So I don't get it -- what does it mean that people are trying to access these external websites through my server? How would that even be done to make it show up in the logs like that?
I've had a similar issue with my home server. It's running Apache/2.2.9 over Fedora 8. Firestarter is managing the firewall.
I thought that by leaving the Proxy Server directives in my httpd.conf file commented out, I'd be safe from this type of attack. I also thought that since my logs showed a 404 response to the unwanted requests, that Apache was rejecting them without problems.
Then I got a pair of CONNECT requests to Google on port 443 that received a 200 response. And one of the attackers asking for azenv.php has been *very* persistent.
So I got worried. I've commented out the LoadModule lines in httpd.conf for the mod_proxy modules, renamed my conf.d/proxy_ajp.conf file so it doesn't load, and run apachectl -k restart.
I'm still getting requests (from the same IP address) for azenv.php, to which Apache responds with a 404.
Q: Should I still be worried? Could I be running a proxy server despite my precautions? And did I make matters *worse* by disabling mod_proxy?
I've RTFM 'til my eyes are bugging out. But it's a lot to absorb. I have no idea why this is fun (but it is :-) )
If I had to make a WAG, you're providing http proxy services (via mod_proxy) to nasty people on the Net.
That's kind of what it looked like to me, but to my knowledge I don't have any mod proxy module running. There's nothing that says proxy in mods-enabled, and I moved all files with a reference to proxy out of mods-available, as well as moving anything with a reference to mod_proxy out of /usr/lib/apache2/modules.
I also tried adding the proxy directive listed on the mod_proxy page, but I can't figure out where to add it.
<Proxy *>
Order Deny,Allow
Deny from all
Allow from 192.168.0
</Proxy>
I tried putting it in apache2.conf, httpd.conf, sites-available/default, and sites-enabled/000-default, but apache fails to start with an error message about it each time. Is there any way to test to see if my server can be used as a proxy?
huzbo89, thanks for the post. I hope with more exposure here we can get this issue resolved.
I can find no mod_proxy modules listed anywhere in any apache2 config file, the modules themselves have been moved out of the /usr/lib modules directory, and httpd (apache2ctl -M) in this case does not show any proxy modules loaded:
Today I got the http://scifi.pages.at/myproxies/azenv.php, but it's still showing up as "Forbidden," while the others are 404, so without more evidence that the box is actually being used as a proxy successfully, I'm not going to worry about it anymore. The most attempts I've seen are like around 10 anyway, so it's not a big deal from this end even if it is being proxied (which I see no evidence of).
I just realized there were two people replying to this thread. (@huzbo89: the polite thing is generally to start a new thread, referencing the original.)
For grins, I tried to recreate the behavior you are seeing. I set an Apache 2.2 server as my client browser's proxy server (mod_proxy is not enabled on this server). Then I tried to cruise to a few different websites, and saw similar 404 entries in my access_log, just as you two are. As far as I can tell, when Apache is not operating as a proxy server (and someone tries to use it as one), it simply truncates the host information and tries to serve up everything following the slash (/).
Short answer is: You've both confirmed that mod_proxy is not being loaded by your configuration. AFAIK, given the precautions you've taken you can safely ignore these particular 403 / 404 errors.
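An added example (my own code, not from any poster in this thread) covering the two checks the posters were after: it scans Apache access_log lines for proxy-style requests (CONNECT, or a GET with an absolute http:// target) and separates probes the server refused (403/404/405) from ones that got a 2xx, which is the evidence of actual proxying the thread says is missing; it also flags a `<Proxy>` block in a config that has no uncommented `LoadModule proxy_module` line, which is why Apache refuses to start when that directive is added with the module disabled. The log lines are constructed; the hostnames and the CONNECT source address are the ones quoted in the thread.

```python
import re
from collections import Counter

# Combined-format access_log lines, constructed for this example.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2009:10:00:00 +0000] "GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.0" 403 212
198.51.100.7 - - [01/Jan/2009:10:01:00 +0000] "GET http://www.nassc.com/pr.php HTTP/1.1" 404 198
222.208.183.218 - - [01/Jan/2009:10:02:00 +0000] "CONNECT www.google.com:443 HTTP/1.0" 200 0
203.0.113.5 - - [01/Jan/2009:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# client ip, method, request target and status code of one combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(method, target, status):
    """Label one request: 'proxied' (proxy-style request answered with 2xx),
    'probe' (proxy-style request the server refused) or 'normal'."""
    proxy_style = method == "CONNECT" or target.startswith(("http://", "https://"))
    if not proxy_style:
        return "normal"
    return "proxied" if 200 <= status < 300 else "probe"

def scan_log(text):
    """Return (counts per label, list of (ip, method, target, status) for
    requests that look like successful proxy use)."""
    counts, proxied = Counter(), []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        ip, method, target, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        label = classify(method, target, status)
        counts[label] += 1
        if label == "proxied":
            proxied.append((ip, method, target, status))
    return counts, proxied

def proxy_block_without_module(conf):
    """True when a <Proxy ...> block appears but no uncommented LoadModule line
    loads proxy_module: httpd then rejects the config ('Invalid command') at start."""
    has_block = re.search(r"^\s*<Proxy\b", conf, re.M) is not None
    loaded = re.search(r"^\s*LoadModule\s+proxy_module\b", conf, re.M) is not None
    return has_block and not loaded

if __name__ == "__main__":
    counts, hits = scan_log(SAMPLE_LOG)
    print(dict(counts))
    for hit in hits:
        print("possible proxy use:", hit)
```

A 2xx on an absolute-URI GET can also be Apache serving its own local file at that path (the truncation behaviour described in the last reply), so compare the logged byte count with the local file before concluding the request was proxied.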