Message-ID: <5.2.0.9.2.20030722170958.01750988@pop3.rowe-clan.net>
Date: Tue, 22 Jul 2003 17:30:39 -0500
From: "William A. Rowe, Jr." <wrowe@...che.org>
To: "Jason Robertson" <jason@...ture.com>
Subject: Re: Apache 1.3.27 mod_proxy security issue

The Security Team responded 13 minutes after Jason's initial report,
attempting to explain how he had misconfigured his server. While we
acknowledge that new directives might be desirable in limited cases,
the team determined that this is clearly a user configuration error.

The Apache HTTP Server Documentation Project has been working
to improve and further clarify the risks of open proxies, including open
faux-HTTP proxies into SMTP servers. They actively solicit contributions
to the documentation (preferably with a patch) for any ambiguous or
insufficiently covered topics;

http://httpd.apache.org/docs-project/

More details follow;

At 11:52 AM 7/22/2003, Jason Robertson wrote:
>I have found that recently a spammer has been using a mod_proxy
>configuration, (that was meant to allow for an easier transition to a
>new naming scheme, as well as changes to a backend software) as a spam
>relay.
>The spammer has been using HTTP POST requests to send these messages
>with POST HTTP://mailserver:25/ HTTP/1.1
>With some research it looks like this is an automated process including
>the initial scan stage.
>
>When I contacted Apache in regards to this, the response was not very
>promising.
>
>This problem would be a simple fix with implementing the AllowConnect
>configuration option within proxy_http, to prevent outbound
>connections.

As described in the default configuration, open proxies are never
recommended [from Apache 1.3.27 conf/httpd.conf-dist];

#
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
#<IfModule mod_proxy.c>
# ProxyRequests On
# <Directory proxy:*>
# Order deny,allow
# Deny from all
# Allow from .your-domain.com
# </Directory>
#
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
#
# ProxyVia On
#
# To enable the cache as well, edit and uncomment the following lines:
# (no cacheing without CacheRoot)
#
# CacheRoot "@@ServerRoot@@/proxy"
# CacheSize 5
# CacheGcInterval 4
# CacheMaxExpire 24
# CacheLastModifiedFactor 0.1
# CacheDefaultExpire 1
# NoCache a-domain.com another-domain.edu joes.garage-sale.com
#</IfModule>
# End of proxy directives.

If (for the purposes of collecting several machines' collective content)
you are attempting to ProxyPass a number of URIs to different boxes,
you should NOT be enabling ProxyRequests.

The final statements in the ProxyRequests directive documentation are;

http://httpd.apache.org/docs/mod/mod_proxy.html#proxyrequests

"This allows or prevents Apache from functioning as a proxy server.
Setting ProxyRequests to 'off' does not disable use of the <http://httpd.apache.org/docs/mod/mod_proxy.html#proxypass>ProxyPass
directive."

"Warning: Do not enable proxying until you have <http://httpd.apache.org/docs/mod/mod_proxy.html#access>secured your server.
Open proxy servers are dangerous both to your network and to the
Internet at large."

Access control is briefly illustrated further with additional references in;

http://httpd.apache.org/docs/mod/mod_proxy.html#access

Bill
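
Added example (not part of the original message or of Apache itself): a log check for the request form quoted above, flagging proxy-form request lines (absolute URI or CONNECT) whose destination port is not a web port. It assumes Common Log Format; the sample lines, addresses, status codes and the HTTP_PORTS set are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
DEFAULT_PORT = {"http": 80, "https": 443}
HTTP_PORTS = {80, 443, 8080}  # assumption: ports a web proxy legitimately reaches

SAMPLE_LOG = [  # constructed lines, documentation addresses only
    '192.0.2.10 - - [22/Jul/2003:11:40:01 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Jul/2003:11:41:13 -0500] "POST HTTP://mailserver:25/ HTTP/1.1" 200 312',
    '198.51.100.7 - - [22/Jul/2003:11:41:20 -0500] "GET http://www.example.com/ HTTP/1.0" 200 1043',
    '203.0.113.5 - - [22/Jul/2003:11:42:02 -0500] "CONNECT mailserver:25 HTTP/1.0" 405 0',
]

def proxy_target(method, target):
    """Return (host, port) when the request line is in proxy form, else None."""
    if method.upper() == "CONNECT":          # CONNECT host:port
        host, _, port = target.rpartition(":")
        return (host.lower(), int(port)) if host and port.isdecimal() else None
    try:
        parts = urlsplit(target)             # absolute-form: scheme://host[:port]/path
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORT or not parts.hostname:
            return None                      # origin-form such as /index.html
        return parts.hostname, parts.port or DEFAULT_PORT[scheme]
    except ValueError:                       # malformed authority or port
        return None

def find_relay_attempts(lines):
    """List proxy-form requests aimed at ports outside HTTP_PORTS."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                         # not a parsable CLF entry
        client, method, target, status = m.groups()
        dest = proxy_target(method, target)
        if dest and dest[1] not in HTTP_PORTS:
            hits.append({"client": client, "method": method, "host": dest[0],
                         "port": dest[1], "status": int(status)})
    return hits

if __name__ == "__main__":
    for hit in find_relay_attempts(SAMPLE_LOG):
        print("{client} {method} -> {host}:{port} (status {status})".format(**hit))
```

Proxy-form requests to port 80 are deliberately not flagged here; on a server that is only meant to ProxyPass, any absolute-URI request line naming a host other than the server's own is also worth reviewing.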