Apache server being attacked, strange requests.
Hey guys,
I'm looking for a bit of advice on a problem I've encountered recently. I run a small home server (Debian 4), which acts as my gateway to the internet (i.e., firewall) and runs a web server, dhcp, dns, and acts as a file server to the rest of the machines on my home network. Now I know it's never a smart idea to have all those services running on the same machine that is acting as a firewall, but I don't fancy running multiple servers just for home use, as it's mainly allowing me to learn system administration. Now, on to the problem. I noticed a few days ago that my internet had become unbearably slow, to the point where I could sometimes not load web pages. I spent a while searching through log files on my gateway, to try and find out what was eating up all of my bandwidth. When I came to apache's access.log file, I was confronted with this:
Code:
204.45.41.82 - - [17/Oct/2010:06:25:10 +0100] "GET http://vewice6.nightmail.ru/marriott-grand-cayma.html HTTP/1.1" 200 36921 "-" "Mozilla/4.0 (compatible; M$
Multiple requests to my server, for totally random websites. I didn't even know it was possible to make those types of queries to a webserver. The only thing that is on the web server is a browser based torrent client. I have only shown a small snippet of the log file, but there are around 90k lines to different web addresses, from many different IPs. What I want to know is, what is happening? :S Why is someone querying MY web server for web sites totally unrelated to it? And most of all, how can I stop it? My initial idea was to try and use iptables to block multiple requests from the same IP within a certain time frame, which I think would work as the server shouldn't really get many queries from external networks. Anyway, sorry for the long post, but I like to be thorough and try and provide you all with all the info you might need ;) Any help would be much appreciated, Josh.
Are you running your web server with a proxy module enabled or are you running a proxy by any chance? Is your "browser based torrent client" only accessible from selected IP addresses or is it open to World? Are there any outgoing connections to TCP/80 right now? What does 'lsof -Pwlni|grep :80' return?
Thanks for the reply.
The proxy module is present in /etc/apache2/mods-enabled/ but I'm fairly sure it's not being used, and no, there isn't another proxy running. The torrent server is usually open to the world, yes, but since this issue I've blocked any connections to port 80 which are not from my network. Currently, the output of lsof -Pwlni|grep :80 is:
Code:
apache2 30101 0 3u IPv6 1148417 TCP *:80 (LISTEN)
Thanks for the help.
I appreciate the help, but there's no need to be condescending.
Firstly, when I say it was "open to the world", I meant it is possible to log in to the client externally. It is passworded, so it is not totally "open". And secondly, I was hoping for some sort of explanation as to how/why these requests were being made, and how/why mod_proxy has anything to do with it.
Absolutely you're being used as a proxy. See the "200 (OK)" status codes?
As mentioned, disable loading of the mod_proxy* modules. After doing so, you may get some syntactical errors when Apache tries to start (which - if they're referring to proxy settings - can of course be commented out or removed). Blocking the connections is fine, but there's no reason to leave the module enabled if it's not needed.
mod_proxy has everything to do with it. :) It allows http proxying. They're using your host as a staging point for attacks, info gathering, etc.
I just realised why I had enabled mod_proxy. It was to allow me to access webmin (usually accessible by domain.com:10000) by a URL (domain.com/webmin/). The guide I followed recommended setting Allow ALL in the proxy.conf, which clearly is not good advice. Thanks again for the info, much appreciated. PS, just to be sure, I use a2dismod to disable the modules, right? And how exactly could anyone find out that I had that module enabled?
My (debian|buntu)-fu is no good, but you should be able to directly query the Apache web server binary to learn which modules it has compiled in, and which it has dynamically loaded.
Example command / output on a Fedora 13 system:
Code:
# httpd -M
The following might provide clues about which pages to review:
Code:
$ apropos apache
Code:
$ apropos httpd
With a bit more researching, it seems a2dismod does the trick, and everything is sorted now, thanks a lot.
Any idea how someone could find out that I had that module enabled, and what method were they using to send their requests through my server?
The requests are very similar to a direct request (GET) to a server, except that the host and port are included in the request. Something like this:
Code:
GET http://your-ip-address/index.html HTTP/1.0
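Spotting this kind of abuse in access.log, as an added example that is not from the thread: the script below parses combined-format lines, flags requests whose target is an absolute URI (or a CONNECT), which is the forward-proxy request form described above rather than the path-only form of a normal hit, and totals them per client and per destination host. The sample log lines, IPs and hostnames are constructed, and `own_hosts` is a hypothetical list of the server's own names so a legitimate ProxyPass-style URL such as the webmin one is not counted.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache combined log format: client, ident, user, [time], "request", status, bytes, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (IPs and hostnames are made up): the first three mimic
# relayed proxy requests, the last two are ordinary hits on the server itself.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Oct/2010:06:25:10 +0100] "GET http://example-foreign.test/page.html HTTP/1.1" 200 36921 "-" "Mozilla/4.0"
203.0.113.7 - - [17/Oct/2010:06:25:11 +0100] "GET http://another-site.test/ HTTP/1.1" 200 1200 "-" "Mozilla/4.0"
198.51.100.9 - - [17/Oct/2010:06:26:02 +0100] "CONNECT mail.example.test:443 HTTP/1.1" 200 0 "-" "curl/7.21"
192.168.1.20 - - [17/Oct/2010:06:27:40 +0100] "GET /torrent/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.21 - - [17/Oct/2010:06:28:01 +0100] "GET http://my-own-host.test/webmin/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def is_proxy_request(method, target):
    """A forward-proxy request carries an absolute URI (scheme://host/...) or uses CONNECT,
    instead of the path-only target ("/index.html") of a normal request to this server."""
    if method.upper() == "CONNECT":
        return True
    return target.lower().startswith(("http://", "https://"))

def find_proxy_abuse(log_text, own_hosts=()):
    """Return (count, hits per client, hits per destination host) for requests that were
    relayed through the server, ignoring absolute URIs that point at our own hostnames."""
    clients, targets = Counter(), Counter()
    own = {h.lower() for h in own_hosts}  # hypothetical list of this server's own names
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_proxy_request(m["method"], m["target"]):
            continue
        if m["method"].upper() == "CONNECT":
            host = m["target"].split(":")[0]          # CONNECT target is host:port
        else:
            host = urlsplit(m["target"]).hostname or ""
        if host.lower() in own:
            continue
        clients[m["client"]] += 1
        targets[host.lower()] += 1
    return sum(clients.values()), clients, targets

if __name__ == "__main__":
    total, by_client, by_host = find_proxy_abuse(SAMPLE_LOG, own_hosts=["my-own-host.test"])
    print(f"{total} relayed request(s); top clients: {by_client.most_common(3)}")
```

With `ProxyRequests` off and the module disabled these absolute-URI requests should stop returning 200, so the same script run against the log afterwards is a quick check that the fix took.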