I am trying to recall back at least 2 years, and my notes are poor, and my searching appears to be worse...
Seems I recall that last when I set up my apache server, the spammers were posting to it so it would send out the spam on port 25. There was some conf that I did to block this, but I did not document it, and I can't find any reference to this.
I don't think my memory is that bad, but it IS Sunday...
I don't want to put up this new server and have it flooding the world with spam and then get the server blocked. So do I remember correctly that this was a problem? Is it still, and how is this prevented?
Thanks. Am putting up better notes this time around.
On 3/3/2013 1:30 PM, Robert Moskowitz wrote:
> Seems I recall that last when I set up my apache server, the spammers were posting to it so it would send out the spam on port 25. There was some conf that I did to block this, but I did not document it, and I can't find any reference to this.
a webserver can't send email unless you've got email cgi or forms on/in your webpages
On 03/03/2013 04:37 PM, John R Pierce wrote:
> On 3/3/2013 1:30 PM, Robert Moskowitz wrote:
>> Seems I recall that last when I set up my apache server, the spammers were posting to it so it would send out the spam on port 25. There was some conf that I did to block this, but I did not document it, and I can't find any reference to this.
> a webserver can't send email unless you've got email cgi or forms on/in your webpages
This is probably such an old attack, that 'modern' apache builds block it by default. It had nothing to do with email cgi or forms.
On Sun, Mar 3, 2013 at 4:37 PM, John R Pierce pierce@hogranch.com wrote:
> On 3/3/2013 1:30 PM, Robert Moskowitz wrote:
>> Seems I recall that last when I set up my apache server, the spammers were posting to it so it would send out the spam on port 25. There was some conf that I did to block this, but I did not document it, and I can't find any reference to this.
> a webserver can't send email unless you've got email cgi or forms on/in your webpages
I have vague (and very distant ~98ish?) memories of apache deployments coming with a mail.cgi that was poorly secured and often exploited to send out emails, but I think that's long since gone the way of the dodo birds. you have to go to some lengths to make webservers interact with email servers. if you're really worried about it, you should also look into removing/blocking proxy connections:
http://ihazem.wordpress.com/2010/12/08/apache-forward-proxy-relay-security-p...
On 03/03/2013 04:58 PM, zGreenfelder wrote:
> On Sun, Mar 3, 2013 at 4:37 PM, John R Pierce pierce@hogranch.com wrote:
>> On 3/3/2013 1:30 PM, Robert Moskowitz wrote:
>>> Seems I recall that last when I set up my apache server, the spammers were posting to it so it would send out the spam on port 25. There was some conf that I did to block this, but I did not document it, and I can't find any reference to this.
>> a webserver can't send email unless you've got email cgi or forms on/in your webpages
> I have vague (and very distant ~98ish?) memories of apache deployments coming with a mail.cgi that was poorly secured and often exploited to send out emails, but I think that's long since gone the way of the dodo birds. you have to go to some lengths to make webservers interact with email servers. if you're really worried about it, you should also look into removing/blocking proxy connections:
> http://ihazem.wordpress.com/2010/12/08/apache-forward-proxy-relay-security-p...
That may have been the attack vector way back when. Now the proxy directives come commented out, so supposedly you are supposed to know the risks of running a proxy.
On 03.03.2013 22:30, Robert Moskowitz wrote:
> I am trying to recall back at least 2 years, and my notes are poor, and my searching appears to be worse...
> Seems I recall that last when I set up my apache server, the spammers were posting to it so it would send out the spam on port 25. There was some conf that I did to block this, but I did not document it, and I can't find any reference to this.
> I don't think my memory is that bad, but it IS Sunday...
> I don't want to put up this new server and have it flooding the world with spam and then get the server blocked. So do I remember correctly that this was a problem? Is it still, and how is this prevented?
> Thanks. Am putting up better notes this time around.
Don't run doubtful applications together with apache. Then there is little risk of it being misused. Back in time there was a pretty bad "formmail" cgi around which could easily be misused. Be careful with other applications these days, like wordpress and such.
The default SELinux on CentOS does prevent apache from sending mail using the sendmail binary:
# getsebool httpd_can_sendmail
httpd_can_sendmail --> off
Alexander
On 03/03/2013 04:39 PM, Alexander Dalloz wrote:
> On 03.03.2013 22:30, Robert Moskowitz wrote:
>> I am trying to recall back at least 2 years, and my notes are poor, and my searching appears to be worse...
>> Seems I recall that last when I set up my apache server, the spammers were posting to it so it would send out the spam on port 25. There was some conf that I did to block this, but I did not document it, and I can't find any reference to this.
>> I don't think my memory is that bad, but it IS Sunday...
>> I don't want to put up this new server and have it flooding the world with spam and then get the server blocked. So do I remember correctly that this was a problem? Is it still, and how is this prevented?
>> Thanks. Am putting up better notes this time around.
> Don't run doubtful applications together with apache. Then there is little risk of it being misused. Back in time there was a pretty bad "formmail" cgi around which could easily be misused. Be careful with other applications these days, like wordpress and such.
> The default SELinux on CentOS does prevent apache from sending mail using the sendmail binary:
> # getsebool httpd_can_sendmail
> httpd_can_sendmail --> off
Since this server is only apache and supplies ntp for internal systems, I am able to run with selinux.
On Sun, Mar 03, 2013 at 04:54:46PM -0500, Robert Moskowitz wrote:
> Since this server is only apache and supplies ntp for internal systems, I am able to run with selinux.
Not to start an selinux flamewar but there is no reason that selinux can not be used on any server in any role serving any content for any audience unless there is a craptastic control panel such as cpanel or others of its ilk present.
John
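
Added example (not part of the thread and not written by any of its posters): a shell audit for the two relay paths raised above, an uncommented `ProxyRequests On` forward proxy and the SELinux booleans that let httpd reach a mailer. The sample files are constructed, and checking `httpd_can_network_connect` is an assumption that goes beyond the `httpd_can_sendmail` boolean the thread names.

```shell
#!/bin/sh
# Added example: audit an Apache host for the relay paths discussed in this thread.

# Print uncommented "ProxyRequests On" lines as file:line:text.
# Directive names are case-insensitive and may be indented.
find_forward_proxy() {
    grep -HniE '^[[:space:]]*ProxyRequests[[:space:]]+On([[:space:]]|$)' "$@" 2>/dev/null
}

# Read getsebool output on stdin; succeed only if boolean $1 is reported "off".
# A boolean that is absent from the output counts as a failure.
sebool_is_off() {
    awk -v b="$1" '$1 == b && $2 == "-->" { found = 1; state = $3 }
                   END { exit !(found && state == "off") }'
}

# usage: audit <file-with-getsebool-output> <apache-conf-file>...
audit() {
    sebool_out=$1; shift
    rc=0
    if hits=$(find_forward_proxy "$@"); then
        echo "FAIL forward proxy enabled:"; echo "$hits"; rc=1
    fi
    # httpd_can_network_connect is an assumption added here; the thread only
    # names httpd_can_sendmail.
    for b in httpd_can_sendmail httpd_can_network_connect; do
        if ! sebool_is_off "$b" < "$sebool_out"; then
            echo "WARN $b is not off"; rc=1
        fi
    done
    return $rc
}

# Constructed sample input (not taken from a real host).
tmp=$(mktemp -d)
printf '%s\n' '#ProxyRequests On' '  proxyrequests on' 'ProxyVia Off' > "$tmp/httpd.conf"
printf '%s\n' 'httpd_can_sendmail --> off' 'httpd_can_network_connect --> on' > "$tmp/sebool.txt"
audit "$tmp/sebool.txt" "$tmp/httpd.conf" || echo "audit found problems"
```

On a real host, save the output of `getsebool -a` to a file and pass it together with the Apache configuration files; only the files named on the command line are scanned, so included files must be listed too.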