apache security

"Davide Bianchi" <davideyeahsure.RemoveThis@onlyforfun.net> wrote in message
news:2mbqb3Fknh9lU2@uni-berlin.de...
 > Stuart Miller <stuart_miller.RemoveThis@shaw.ca> wrote:
  > > port 25, so I suspect one or two got through.
 >
 > That's just ridicolous. ALL of them goes through or NONE of them.

I guess my intended meaning there was unclear. I can see that all of the
requests would be attempted, but I thought they would all be blocked by the
target system's security on their mail server. It looks like some did get
through to the target. With the info below I will go through the logs to
determine which ones did.
 >
  > > 403 407 or 403 405 or 403 401 What would the return code be if the
connect
  > > were successful?
 >
 > A 200 followed by a number of bytes much bigger than your normal 'index'
 > page.
 >
  > > Is is possible to configure apache to refuse or ignore CONNECT attempts?
 >
 > Sure, use the Allow/Deny options.

I went through the docs, and did find the references, but it is still
somewhat fuzzy in my head.

I think this will do the job

in <lfModule mod_setenvif.c>
..... there are a number of browsermatch directives
I should add something like
SetEnvIf NoCase request_method GET ok-to-process


then further up in <Directory /Docroot> or in <Directory /> add the lines
order deny allow
deny from all
allow from env=ok-to-process


As I understand it, this will only allow apache to process http requests
which are GET
which is fine for static pages. This will eliminate apache even trying
post, connect, etc
I can figure out how to make the perl scripts work later, like perhaps put a
password on the
pages that call the scripts and 'allow' for that directory only.

The other way that looks like it would work is
<Location />
<LimitExcept GET>
Require valid_user
</Limit>
</Location>

It apears that this only applies to my file system, so I would have to add
<Location <a style='text-decoration: underline;' href="http://" target="_blank">http://</a>*>
and the same directives

From my reading of the docs, this would prevet requests for other servers
pages through this system.


Is this going in the right direction?

 >
  > > Because my server is for a limited number of visitors, would it be
helpful
  > > to switch apache to listen on another port, then advise my welcome
visitors
  > > of the new port number?
 >
 > Why should you use a non-standard port for a standard services? If you
 > have a _fixed_ number of _known_ visitors put theirs IPs in your
 > Allow option and allow only them to connect.

some of them connect through dialup so have dynamic ip's

Thanks for the help

Stuart<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: apache security 

Stuart Miller <stuart_miller.TakeThisOut@shaw.ca> wrote:
 > requests would be attempted, but I thought they would all be blocked by the
 > target system's security on their mail server.

Which 'system security' on the target? If someone is trying to fool
a mail server 'proxying' trought a Web server it means only that the
mail server is really badly configured...

 > The other way that looks like it would work is
 > <Location />
 > <LimitExcept GET>
 > Require valid_user
 > </Limit>
 > </Location>

Yes exactly, you can apply the Limit or LimitExcept to Location,
Directory an entire Host or VirtualHost.

<Limit CONNECT>
  Order deny, allow
  Deny from all
</Limit>


 > some of them connect through dialup so have dynamic ip's

Then it does make sorta-sense to have Apache on a non-standard port,
be sure that their ISP allow 'weird' ports to be used.

Davide

--
| fortune: cpu time/usefulness ratio too high -- core dumped.
|
|
|<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: apache security 

"Davide Bianchi" <davideyeahsure RemoveThis @onlyforfun.net> wrote in message
news:2mfemiFlp1tnU4@uni-berlin.de...
 > Stuart Miller <stuart_miller RemoveThis @shaw.ca> wrote:
 >
  > > The other way that looks like it would work is
  > > <Location />
  > > <LimitExcept GET>
  > > Require valid_user
  > > </Limit>
  > > </Location>
 >
 > Yes exactly, you can apply the Limit or LimitExcept to Location,
 > Directory an entire Host or VirtualHost.

This works to eliminate POST etc on my server, but what can I do about the
outside world?
I have dozens of systems which connect to mine as soon as I bring it online,
all sending GET requests

Question
I am using <Location /> for all of my system, and this appears to work
What is the format for <Location> to mean all the rest of the world?
Or, how do we define behavior for the entire host?
Even when I have it restricted so I can not do a GET to my files, others are
doing a GET on yahoo etc through me.
In about an hour I had 5000 proxy requests. Some now get a 999 or 500 return
code, but some still get a 200 code.

I want to reject all proxy attempts, then perhaps they will give up and take
me off their lists.

Stuart<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: apache security 

Stuart Miller <stuart_miller DeleteThis @shaw.ca> wrote:
 > Even when I have it restricted so I can not do a GET to my files, others are
 > doing a GET on yahoo etc through me.

They can do a 'get' on a different server only if you are running an
open proxy. If you aren't, then they get nothing.

 > In about an hour I had 5000 proxy requests. Some now get a 999 or 500 return
 > code, but some still get a 200 code.

Check the size of the returned page, chance are that they just got your
default home page instead.

Davide

--
| Boren's Laws: (1) When in charge, ponder. (2) When in trouble,
| delegate. (3) When in doubt, mumble.
|
|<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: apache security