stopping "connect" attacks in apache (solution)
Bob
bob at a1poweruser.com
Sat Jun 30 16:07:34 UTC 2007
>>On Jun 15, 2007, at 7:49 PM, Bob wrote:
>> Every time my apache server slows down or has denial of service the
>> access log is full of this:
>>
>> 61.228.122.220 - "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 216.39.53.1:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 168.95.5.155:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 168.95.5.157:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 168.95.5.159:25 HTTP/1.0" 200 7034 "-" "-"
>>
>IP 61.228.122.220 is using the HTTP CONNECT method to relay spam to
>port 25 on the targets via your Apache server.
>
>This almost certainly indicates that you've got mod_proxy loaded or
>something similar via mod_perl/mod_php/whatever, as the CONNECT
>attack would get a "405 Method not allowed" error otherwise.
>
>Check http://your_webserver/server-info for details.
mod_proxy is commented out but I am using php5.
Tried putting this statement http.allowed_methods = GET & POST into
/usr/local/etc/php.ini but it had no effect.
The best solution was to add a Location directive with a LimitExcept.
The location in the httpd-conf where to place this is very important.
First find this in the conf file
#
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# permissions for directories.
#
<Directory />
Options FollowSymLinks
AllowOverride None
Order allow,deny
Deny from all
</Directory>
Then add the following right after it and restart apache to activate.
# Second, we configure the "default" Location to restrict the methods allowed
# to stop CONNECT method attacks.
#
<Location />
<LimitExcept GET POST>
Order allow,deny
Deny from all
</LimitExcept>
</Location>
All CONNECT requests from this point on will get a status code of 403 Forbidden for both perl and php CONNECT attacks.
Just posting this as best solution for the archives. Good luck all.
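As an added example, not part of the thread: a small Python script that scans access-log lines like the ones quoted above and reports, per client IP, how many CONNECT requests were actually relayed (2xx) versus refused (403 from the LimitExcept block, 405 when no proxy module is loaded), so you can tell from the log whether the fix is working. The 403 line and the GET line in the sample are constructed; the 200 lines are the ones quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Tolerant of the abbreviated lines quoted in the thread as well as the
# standard Apache common/combined formats: client IP first, then the
# quoted request line, then the status code and the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+)\s.*?"(?P<method>[A-Z]+)\s(?P<target>\S+)\s(?P<proto>HTTP/\d\.\d)"\s'
    r'(?P<status>\d{3})\s(?P<size>\S+)'
)

def parse_line(line):
    """Return a dict with ip/method/target/proto/status/size, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def connect_summary(lines):
    """Per client IP, count CONNECT requests that were relayed (2xx)
    versus refused (anything else), and how many aimed at port 25."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "CONNECT":
            continue
        bucket = "relayed" if 200 <= rec["status"] < 300 else "refused"
        summary[rec["ip"]][bucket] += 1
        # CONNECT to port 25 is the signature of mail-relay abuse.
        if rec["target"].endswith(":25"):
            summary[rec["ip"]]["smtp_targets"] += 1
    return {ip: dict(c) for ip, c in summary.items()}

# Constructed sample: three lines quoted in the thread (relayed, 200), one
# constructed line showing the expected result after the LimitExcept fix
# (403), and a constructed ordinary GET that must be ignored.
SAMPLE_LOG = """\
61.228.122.220 - "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"
61.228.122.220 - "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
61.228.122.220 - "CONNECT 168.95.5.155:25 HTTP/1.0" 200 7034 "-" "-"
61.228.122.220 - - [30/Jun/2007:16:07:34 +0000] "CONNECT 168.95.5.157:25 HTTP/1.0" 403 202 "-" "-"
192.0.2.10 - - [30/Jun/2007:16:08:01 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, counts in connect_summary(SAMPLE_LOG.splitlines()).items():
        flag = "OPEN RELAY" if counts.get("relayed") else "blocked"
        print(f"{ip}: {counts} -> {flag}")
```

Any IP with a non-zero "relayed" count after the restart means the Location block is not in effect for that request path.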