Bob did speak thusly:
I get 100k plus of these per month. This is really stressing my server.

88.233.57.141 - - "GET http://yasann2.hp.infoseek.co.jp/cgi-bin/jenv.cgi HTTP/1.1" 404 300 "http://yasann2.hp.infoseek.co.jp/cgi-bin/jenv.cgi"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
88.233.57.141 - - "GET http://66.197.42.23/cgi-bin/jenv.cgi HTTP/1.1" 404 300 "http://66.197.42.23/cgi-bin/jenv.cgi"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
217.15.9.13 - - "GET http://217.15.9.13:80/sex/fuck/porn/judge.php HTTP/1.1" 404 307 "http://217.15.9.13:80/sex/fuck/porn/judge.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
217.15.9.13 - - "GET http://217.15.9.13:80/sex/fuck/porn/judge.php HTTP/1.1" 404 307 "http://217.15.9.13:80/sex/fuck/porn/judge.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
216.90.33.33 - - "GET http://pro_xy.t35.com/AZ.php HTTP/1.1" 404 290 "http://pro_xy.t35.com/AZ.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
216.90.33.33 - - "GET http://pro_xy.t35.com/AZ.php HTTP/1.1" 404 290 "http://pro_xy.t35.com/AZ.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
83.233.169.111 - - "GET http://www.ed.ac.uk/cgi-bin/env.cgi HTTP/1.1" 404 299 "http://www.ed.ac.uk/cgi-bin/env.cgi"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
83.233.169.111 - - "GET http://www.bsnoop.de/cgi-bin/jenv.cgi HTTP/1.1" 404 300 "http://www.bsnoop.de/cgi-bin/jenv.cgi"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
84.178.171.91 - - "GET http://anonymous-judge.no-ip.org/azenv.php HTTP/1.1" 404 293 "http://anonymous-judge.no-ip.org/azenv.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
84.178.171.91 - - "GET http://www.proxyworld.org/azenv.php HTTP/1.1" 404 293 "http://www.proxyworld.org/azenv.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
91.92.179.187 - - "GET http://www.internetsec.org/azenv.php HTTP/1.1" 404 293 "http://www.internetsec.org/azenv.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
91.92.179.187 - - "GET http://sevy.eu.org/azenv.php HTTP/1.1" 404 293 "http://sevy.eu.org/azenv.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
99.243.241.161 - - "GET http://www.anonymitytest.com/cgi-bin/azenv.pl HTTP/1.1" 404 300 "http://www.anonymitytest.com/cgi-bin/azenv.pl"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
99.243.241.161 - - "GET http://www.ipmaster.org/cgi-bin/textenv.pl HTTP/1.1" 404 302 "http://www.ipmaster.org/cgi-bin/textenv.pl"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
71.145.170.187 - - "GET http://www.anonymitytest.com/cgi-bin/azenv.pl HTTP/1.1" 404 300 "http://www.anonymitytest.com/cgi-bin/azenv.pl"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
71.145.170.187 - - "GET http://www.anonymitytest.com/cgi-bin/textenv.pl HTTP/1.1" 404 302 "http://www.anonymitytest.com/cgi-bin/textenv.pl"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
125.225.140.225 - - "CONNECT 209.191.118.103:25 HTTP/1.0" 200 7034 "-" "-"
125.225.140.225 - - "CONNECT 68.142.237.182:25 HTTP/1.0" 200 7034 "-" "-"
125.225.140.225 - - "CONNECT 216.39.53.2:25 HTTP/1.0" 200 7034 "-" "-"
125.225.140.225 - - "CONNECT 168.95.5.145:25 HTTP/1.0" 200 7034 "-" "-"
125.225.140.225 - - "CONNECT 168.95.5.212:25 HTTP/1.0" 200 7034 "-" "-"
125.225.140.225 - - "CONNECT 168.95.5.140:25 HTTP/1.0" 200 7034 "-" "-"
61.228.127.171 - - "CONNECT 209.191.118.103:25 HTTP/1.0" 200 7034 "-" "-"
61.228.127.171 - - "CONNECT 216.39.53.3:25 HTTP/1.0" 200 7034 "-" "-"
61.228.127.171 - - "CONNECT 216.39.53.2:25 HTTP/1.0" 200 7034 "-" "-"
61.228.127.171 - - "CONNECT 168.95.5.209:25 HTTP/1.0" 200 7034 "-" "-"
61.228.127.171 - - "CONNECT 168.95.5.214:25 HTTP/1.0" 200 7034 "-" "-"
61.228.127.171 - - "CONNECT 168.95.5.252:25 HTTP/1.0" 200 7034 "-" "-"

Running FBSD 6.2 + apache 1.3.37_1 and the mod_proxy is commented out.

I want to add declaratives to httpd.conf to globally deny processing
all CONNECT & GET http requests entering the server.


# SetEnvIf takes a regular expression, not a shell glob: "CONNECT*" would
# match anything containing "CONNEC", so anchor both patterns to the start
# of the request line instead.
SetEnvIf  THE_REQUEST "^CONNECT "     drop
SetEnvIf  THE_REQUEST "^GET https?://" drop

<Directory />
 order allow,deny
 allow from all
 deny from env=drop
</Directory>


My question is will the above declaratives do what I want?
Need expert review.
---------------- End original message. ---------------------
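As an added example (not part of either message on this page), here is a small Python triage script for access-log lines like the ones quoted above. It separates CONNECT requests and absolute-URI GETs for hosts that are not our own from ordinary requests, tallies them per client, and lists the ones the server answered with 2xx rather than refusing, which is what a working open proxy looks like in the log. The embedded log lines are taken from the post above plus one constructed ordinary request; the hostname www.example.org stands in for the server's own name and is an assumption.

```python
import re
from collections import Counter

# Representative lines from the access log quoted above, plus one
# constructed ordinary request (192.0.2.10, a documentation address)
# for contrast.
SAMPLE_LOG = """\
88.233.57.141 - - "GET http://yasann2.hp.infoseek.co.jp/cgi-bin/jenv.cgi HTTP/1.1" 404 300 "http://yasann2.hp.infoseek.co.jp/cgi-bin/jenv.cgi"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
83.233.169.111 - - "GET http://www.ed.ac.uk/cgi-bin/env.cgi HTTP/1.1" 404 299 "http://www.ed.ac.uk/cgi-bin/env.cgi"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
84.178.171.91 - - "GET http://www.proxyworld.org/azenv.php HTTP/1.1" 404 293 "http://www.proxyworld.org/azenv.php"; "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
125.225.140.225 - - "CONNECT 209.191.118.103:25 HTTP/1.0" 200 7034 "-" "-"
61.228.127.171 - - "CONNECT 168.95.5.209:25 HTTP/1.0" 200 7034 "-" "-"
192.0.2.10 - - "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed)"
"""

# Fields of a common/combined style log up to the response size; the
# referer and user-agent that follow are not needed for this check.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

ABS_URI_RE = re.compile(r'^https?://([^/:?#]+)', re.I)


def classify(method, target, our_hosts):
    """Label one request line.

    connect      - CONNECT host:port, only meaningful through a forward proxy
    foreign_get  - absolute URI for a host that is not one of ours
    own_abs_uri  - absolute URI for our own host (legal per RFC 2616)
    normal       - ordinary path request
    """
    if method == "CONNECT":
        return "connect"
    m = ABS_URI_RE.match(target)
    if m is None:
        return "normal"
    return "own_abs_uri" if m.group(1).lower() in our_hosts else "foreign_get"


def summarize(log_text, our_hosts):
    """Count proxy-style requests per client and per category, and list the
    ones the server answered with 2xx, i.e. did not refuse."""
    our_hosts = {h.lower() for h in our_hosts}
    by_category = Counter()
    by_client = Counter()
    served = []
    smtp_connects = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparseable line; in real use, count these too
        kind = classify(m["method"], m["target"], our_hosts)
        by_category[kind] += 1
        if kind in ("connect", "foreign_get"):
            by_client[m["ip"]] += 1
            # Port 25 is SMTP: CONNECT to it through a proxy is the classic
            # spam-relay pattern.
            if kind == "connect" and m["target"].endswith(":25"):
                smtp_connects += 1
            # 2xx means the server accepted the request instead of refusing
            # it; a 404 here means it was treated as a local path and failed.
            if m["status"].startswith("2"):
                served.append((m["ip"], m["method"], m["target"]))
    return {
        "by_category": dict(by_category),
        "by_client": dict(by_client),
        "served": served,
        "smtp_connects": smtp_connects,
    }


if __name__ == "__main__":
    # www.example.org is an assumed stand-in for the server's own hostname.
    report = summarize(SAMPLE_LOG, our_hosts={"www.example.org"})
    for key, value in report.items():
        print(key, value)
```

Run it against a real access log by reading the file into `summarize` and passing every hostname and address the server legitimately answers to in `our_hosts`; anything in `served` is worth looking at before tuning blocking rules, because a refused request costs a 404 while an accepted one costs bandwidth and reputation.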

Actually, I think you need to fix the underlying problem. This looks to me like there is (or was) an open proxy on the machine that is being used by third parties to anonymize their web access. Open proxies are BAD, almost as bad as open mail relays. A proxy should point to a specific resource and allow access only to that resource.

I would strongly suggest that you check this first before making any other changes. The GET request is not something you want to disable blindly as that is how a browser retrieves a page (or image, or file etc.) in the first place.

If you have the ProxyRequests On directive followed by a proxy block starting with <Proxy *> and you have not restricted access in that block, you have an open proxy.

Once you close the hole on your proxy (if there is one), then you will only see 404 responses for requests that reference URLs outside of your server domain. This will gradually taper off over a period of time as the people trying to use your box to access pages not on your server figure out that the gate is closed. That can take a long time to happen but at least you will have taken the first step to alleviating the problem.

As far as how you are trying to block these things... I don't think that would work, but I can't say for sure as I only dabble in this on the side.

And if anyone is wondering... I got bit by this and accidentally configured an open proxy because I really didn't understand exactly what I was doing at the time and didn't read everything I needed to read before I started mucking about with it. Moral of the story here is read the fine manual and understand it before you end up like me with a server that was overloaded to the breaking point by unscrupulous people.

Dragon

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Venimus, Saltavimus, Bibimus (et naribus canium capti sumus)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
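The open-proxy shape Dragon describes, as an added example rather than anything from either message: a small Python audit that reads an httpd.conf fragment and reports whether it has ProxyRequests On without a <Proxy *> block that denies arbitrary clients. It also recognises the Apache 1.3 form of that container, <Directory proxy:*>, since the original poster runs 1.3.37. The three configuration fragments are constructed for the example; the 10.0.0.0/8 network and the backend.internal host are placeholders.

```python
import re

# Constructed httpd.conf fragments (not the poster's configuration).
# The first has the open-proxy shape described above, the second limits
# the <Proxy *> block to a local network (10.0.0.0/8 is a placeholder),
# the third is a reverse proxy only and never relays for clients.
OPEN_PROXY_CONF = """\
ProxyRequests On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
"""

RESTRICTED_PROXY_CONF = """\
ProxyRequests On
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</Proxy>
"""

NO_FORWARD_PROXY_CONF = """\
# ProxyRequests On   (commented out: not a forward proxy)
ProxyPass /app http://backend.internal:8080/app
"""

DIRECTIVE_RE = re.compile(r'^\s*(\S+)\s*(.*?)\s*$')
OPEN_TAG_RE = re.compile(r'^\s*<(Proxy|Directory)\s+(.+?)>\s*$', re.I)
CLOSE_TAG_RE = re.compile(r'^\s*</(Proxy|Directory)>\s*$', re.I)


def strip_comments(text):
    """Return the non-empty, non-comment lines, whitespace trimmed."""
    return [s for s in (l.strip() for l in text.splitlines())
            if s and not s.startswith("#")]


def proxy_blocks(lines):
    """Collect the directives inside each <Proxy *> container, or the
    Apache 1.3 equivalent <Directory proxy:*>."""
    blocks, current = [], None
    for line in lines:
        m = OPEN_TAG_RE.match(line)
        if m and current is None:
            tag, arg = m.group(1).lower(), m.group(2).strip().lower()
            if (tag, arg) in (("proxy", "*"), ("directory", "proxy:*")):
                current = []
            continue
        if CLOSE_TAG_RE.match(line):
            if current is not None:
                blocks.append(current)
                current = None
            continue
        if current is not None:
            current.append(line)
    return blocks


def anyone_allowed(block):
    """Would a client from an arbitrary Internet address pass this block?
    Models Order/Allow/Deny (1.3 and 2.x) and 'Require all' (2.4); such a
    client matches only the 'all' forms, never a specific network."""
    order = "deny,allow"  # Apache's default when Order is absent
    allow_all = deny_all = False
    require = None
    for line in block:
        name, args = DIRECTIVE_RE.match(line).groups()
        name, args = name.lower(), args.lower()
        if name == "order":
            order = args.replace(" ", "")
        elif name == "allow" and args == "from all":
            allow_all = True
        elif name == "deny" and args == "from all":
            deny_all = True
        elif name == "require":
            require = args  # "all granted", "all denied", "ip ..."
    if require is not None:
        return require == "all granted"
    if order == "allow,deny":          # deny wins; default is deny
        return allow_all and not deny_all
    return allow_all or not deny_all   # allow wins; default is allow


def audit(conf_text):
    """Return (verdict, reason) for a forward-proxy configuration."""
    lines = strip_comments(conf_text)
    forward = any(l.lower().split() == ["proxyrequests", "on"] for l in lines)
    if not forward:
        return ("not-a-forward-proxy", "ProxyRequests is not On")
    blocks = proxy_blocks(lines)
    if not blocks:
        return ("open", "ProxyRequests On with no <Proxy *> access control")
    if any(anyone_allowed(b) for b in blocks):
        return ("open", "<Proxy *> block lets any client relay through you")
    return ("restricted", "<Proxy *> block denies arbitrary clients")


if __name__ == "__main__":
    for name, conf in (("open", OPEN_PROXY_CONF),
                       ("restricted", RESTRICTED_PROXY_CONF),
                       ("reverse-only", NO_FORWARD_PROXY_CONF)):
        print(name, audit(conf))
```

The audit models only the access-control directives named above; it does not follow Include files, evaluate <Limit> sections, or understand host-name rules, so a "restricted" verdict is a starting point for reading the block by hand, not a proof. The real check remains the one Dragon suggests: ask for a foreign absolute URI or a CONNECT from an outside address and see whether the server refuses it.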


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.