On 03/03/2013 05:39 PM, Reindl Harald wrote:
Am 03.03.2013 22:49, schrieb Robert Moskowitz:
On 03/03/2013 04:33 PM, Reindl Harald wrote:
Am 03.03.2013 22:30, schrieb Robert Moskowitz:
I am trying to recall back at least 2 years, and my notes are poor, and my searching appears to be worst...
Seems I recall that last when I set up my apache server, the spammers were posting to it so it would send out the spam on port 25. There was some conf that I did to block this, but I did not document it, and I can't find any reference to this
what are you speaking about? apache is a WEBSERVER and has NOTHING to do with email
There was an attack, and if you search you will find references to it, where the spammers post to your web server in such a way that they relay out port 25. They send to your port 80, but you send out port 25. For example:
http://forums.fedoraforum.org/archive/index.php/t-173601.html
only if you are so stupid and enable prxy-requests and load any useless module becuse it exists - in other words: this only affects poorly wrong configured setups which have way larger problems as this one
Once upon a time, it worked this way out of the box. I did NOT set up proxy, and I was being pounded, and found I had to turn it off. Now knowing what to look for, I found my notes and it was back on my '07 server.
There is no reason for a general web server to function as a proxy, so for some time it has come with that part commented out. I looked a another '10 box (Centos 5.5) that had apache installed but never used and the proxy part was commented out.
So yes, anyone turning on proxy today without care gets what they set up. But again, who needs proxying on a general web server?
On 03/03/2013 02:54 PM, Robert Moskowitz wrote:
Once upon a time, it worked this way out of the box.
You can go all the way back to the first release of Fedora or RHEL and check the configuration files. mod_proxy has never been enabled by default, and the included example was not an open one:
#<IfModule mod_proxy.c> #ProxyRequests On # #<Proxy *> # Order deny,allow # Deny from all # Allow from .example.com #</Proxy>
If you go back as far as Apache 1.0 (late 90s), you'll find a configuration file that still does not enable proxy by default, but did not include an example of limiting the Proxy command as above.
On Mon, Mar 4, 2013 at 4:49 PM, Gordon Messmer yinyang@eburg.com wrote:
On 03/03/2013 02:54 PM, Robert Moskowitz wrote:
Once upon a time, it worked this way out of the box.
You can go all the way back to the first release of Fedora or RHEL and check the configuration files. mod_proxy has never been enabled by default, and the included example was not an open one:
#<IfModule mod_proxy.c> #ProxyRequests On # #<Proxy *> # Order deny,allow # Deny from all # Allow from .example.com #</Proxy>
If you go back as far as Apache 1.0 (late 90s), you'll find a configuration file that still does not enable proxy by default, but did not include an example of limiting the Proxy command as above.
I remember having a problem back in the RH (not RHEL) 5 or 6 era where I was using ProxyPass or rewriterules with [P} and it somehow enabled random proxy requests which I noticed when the logs filled up with requests that were intended to run up to run up some other sites ad counters. It is too far back to remember if that was the default from the install or was related to what I did to enable the specific proxy functions I needed, though.
On 03/04/2013 03:04 PM, Les Mikesell wrote:
I remember having a problem back in the RH (not RHEL) 5 or 6 era where I was using ProxyPass or rewriterules with [P} and it somehow enabled random proxy requests which I noticed when the logs filled up with requests that were intended to run up to run up some other sites ad counters. It is too far back to remember if that was the default from the install or was related to what I did to enable the specific proxy functions I needed, though.
That would have been in the Apache 1.0 era. If you enabled ProxyRequests and did not limit the Proxy command, you'd have created an open proxy.
Poorly written Rewrite rules have been problematic, even fairly recently: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3368
However, none of this affects the default configuration.
-
Gordon Messmer -
Les Mikesell -
Robert Moskowitz