>>On Jun 15, 2007, at 7:49 PM, Bob wrote:
>> Every time my apache server slows down or has denial of service the
>> access log is full this
>>
>> 61.228.122.220 - "CONNECT 66.196.97.250:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 216.39.53.1:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 168.95.5.155:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 168.95.5.157:25 HTTP/1.0" 200 7034 "-" "-"
>> 61.228.122.220 - "CONNECT 168.95.5.159:25 HTTP/1.0" 200 7034 "-" "-"
>>
>IP 61.228.122.220 is using the HTTP CONNECT method to relay spam to
>port 25 on the targets via your Apache server.
>
>This almost certainly indicates that you've got mod_proxy loaded or
>something similar via mod_perl/mod_php/whatever, as the CONNECT
>attack would get a "405 Method not allowed" error otherwise.
>
>Check http://your_webserver/server-info for details.

mod_proxy is commented out but am using php5.
Tried putting this statement

http.allowed_methods = GET & POST

into /usr/local/etc/php.ini but it had no effect.

The best solution was to add a location declarative with a limitexcept.
The location in the httpd-conf where to place this is very important.

First find this in the conf file

#
# Each directory to which Apache has access, can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# permissions for directories.
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Deny from all
</Directory>

Then add the following right after it and restart apache to activate.

# Second, we configure the "default" Location to restrict the methods allowed
# to stop CONNECT method attacks.
#
<Location />
    <LimitExcept GET POST>
        Order allow,deny
        Deny from all
    </LimitExcept>
</Location>

All CONNECT requests from this point on will get a status code of
403 Forbidden for both perl and php CONNECT attacks.

Just posting this as best solution for the archives.
Good luck all.
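
A way to confirm from the access log that the change took effect, added here as an example and not part of the original post: it counts, per client, CONNECT requests answered with 2xx (as in the quoted log) against those refused (the 403 the post reports after the LimitExcept block). The function names and the sample log lines are constructed for illustration; the addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Matches the abbreviated lines quoted in the thread as well as full
# common/combined log lines: client first, quoted request, then status.
CONNECT_RE = re.compile(
    r'^(?P<client>\S+) .*?"CONNECT (?P<host>[^\s"]+):(?P<port>\d+) '
    r'HTTP/[\d.]+" (?P<status>\d{3})\b'
)

def audit_connect(lines):
    """Per client: CONNECT requests answered 2xx vs refused, and target ports."""
    report = defaultdict(lambda: {"accepted": 0, "refused": 0, "ports": set()})
    for line in lines:
        m = CONNECT_RE.match(line)
        if not m:
            continue  # not a CONNECT request
        entry = report[m["client"]]
        if m["status"].startswith("2"):
            entry["accepted"] += 1
            entry["ports"].add(int(m["port"]))
        else:
            entry["refused"] += 1  # e.g. 403 from LimitExcept, or 405
    return dict(report)

def still_open(report):
    """Clients that had at least one CONNECT answered with a 2xx status."""
    return sorted(c for c, e in report.items() if e["accepted"])

# Constructed sample: two lines in the thread's abbreviated format from
# before the change, then combined-format lines from after it.
SAMPLE = [
    '192.0.2.10 - "CONNECT 198.51.100.7:25 HTTP/1.0" 200 7034 "-" "-"',
    '192.0.2.10 - "CONNECT 198.51.100.8:25 HTTP/1.0" 200 7034 "-" "-"',
    '192.0.2.10 - - [16/Jun/2007:08:00:01 -0700] '
    '"CONNECT 198.51.100.7:25 HTTP/1.0" 403 210 "-" "-"',
    '203.0.113.5 - - [16/Jun/2007:08:00:02 -0700] '
    '"CONNECT 198.51.100.9:25 HTTP/1.0" 403 210 "-" "-"',
    '203.0.113.5 - - [16/Jun/2007:08:00:03 -0700] '
    '"GET /index.php HTTP/1.1" 200 7034 "-" "-"',
]

if __name__ == "__main__":
    rep = audit_connect(SAMPLE)
    for client in sorted(rep):
        e = rep[client]
        print(client, "accepted:", e["accepted"], "refused:", e["refused"],
              "ports:", sorted(e["ports"]))
    print("clients with 2xx CONNECT:", still_open(rep))
```

Run it over only the log written since the restart: any client still listed with a 2xx CONNECT means the Location block is not being applied to that request path.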