* Paul Morgan ([EMAIL PROTECTED]) [031205 14:24]:
> On Thu, 04 Dec 2003 18:05:15 -0800, Vineet Kumar wrote:
> 
> > * Paul Morgan ([EMAIL PROTECTED]) [031204 12:32]:
> >> I have all services locked down to localhost; my only connections to
> >> the outside world are mail, news via nntpcached, web via squid... I run
> >> Apache but it too is locked down to localhost. My mail is run through my
> > 
> > this ...
> > 
> >> ISP's (earthlink's) virus and spam filters before I get it (otherwise I'd
> >> be getting like 10 Svens per day). I do see, from time to time, Apache
> >> refusing connection attempts which are generally attacks by Windoze worms.
> > 
> > ... and this do not add up. Methinks your apache is not "locked down to
> > localhost."
> > 
> 
> 150.140.128.174 - - [03/Dec/2003:08:52:40 -0500] "GET
> /.hash=0df2df7b5aeac6aabb9ad2e00c0d150f831fffff HTTP/1.1" 403 322 "-" "-"
> 
> [Wed Dec 3 08:52:40 2003] [error] [client 150.140.128.174] client denied by server
> configuration: /var/www/.hash=0df2df7b5aeac6aabb9ad2e00c0d150f831fffff
That's fine. I just wouldn't consider it "locked down to localhost" if it's
listening on any external interface. I'd use the Listen directive to have it
bind to only 127.0.0.1:80 (and additionally use iptables to block incoming
access). Relying on the server's configuration alone to reject incoming
connections is subject to break if the server is broken. If it only ever bound
to 127.0.0.1, any attempts to connect to an external address will get RST from
TCP before apache ever knows anything about it.

good times,
Vineet

-- 
http://www.doorstop.net/
-- 
"Extremism in the defense of liberty is no vice. Moderation in the pursuit of
justice is no virtue." -- Barry Goldwater
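A config audit in the spirit of Vineet's advice, added here as an example and not part of the original thread: it reports every Apache Listen directive that binds beyond the loopback interface, run against two constructed sample configs. The `ss`-based runtime check assumes a Linux host with iproute2; the iptables lines in the comments are the defense-in-depth layer the message mentions, not something the thread spells out.

```shell
#!/bin/sh
# Added example, not from the original thread. Sample configs are constructed.

# Print each Listen argument that is not 127.x.x.x:port or [::1]:port.
# A bare port ("Listen 80"), 0.0.0.0 or [::] binds every interface, so it is
# reported. Hostnames are reported too, since they cannot be trusted to be local.
non_loopback_listens() {
    sed -e 's/#.*//' "$1" \
      | awk 'tolower($1) == "listen" { print $2 }' \
      | grep -Ev '^(127\.[0-9]+\.[0-9]+\.[0-9]+|\[::1\]):[0-9]+$' || :
}

# Succeed only if every Listen directive in the file is bound to loopback.
apache_loopback_only() {
    [ -z "$(non_loopback_listens "$1")" ]
}

# Runtime confirmation on the host itself (assumes iproute2 ss): any socket in
# LISTEN state whose local address is not loopback. If Apache is bound per
# "Listen 127.0.0.1:80", port 80 must not appear in this output.
listening_non_loopback() {
    ss -ltnH 2>/dev/null | awk '$4 !~ /^(127\.|\[::1\])/ { print $4 }'
}

# Second layer, as the message suggests, so a broken config still cannot expose
# the daemon (run as root; loopback is allowed, everything else to 80 dropped):
#   iptables -A INPUT -i lo -p tcp --dport 80 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 80 -j DROP

WEAK_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# constructed sample: believed "locked down", but bound to every interface
Listen 80
Listen 0.0.0.0:443 https
EOF
cat > "$FIXED_CONF" <<'EOF'
# constructed sample: bound to loopback only, as the message recommends
Listen 127.0.0.1:80
Listen [::1]:80
EOF

if apache_loopback_only "$FIXED_CONF"; then
    echo "fixed config: loopback only"
fi
apache_loopback_only "$WEAK_CONF" || {
    echo "weak config exposes:"
    non_loopback_listens "$WEAK_CONF"
}
```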