When examining the log for one of my clients, I noticed there are quite a few entries like:
Connection attempts using mod_proxy:
212.247.120.50 -> 205.188.251.43:443: 6 Time(s)
212.247.120.50 -> 64.12.202.116:443: 6 Time(s)
Since they do use the proxy module on those Apache servers, it looks like someone is trying to use the servers as an open proxy. Hmmm, worth finding out more detail behind this.
There are two possibilities here. One is a proxy scanner, which scans across the Internet to find open proxies that can then be used to access restricted services or to hide the user's footprint. The other is a mod_proxy vulnerability scanner, which scans for a buffer overflow in mod_proxy from Apache 1.3.31 and earlier.
In my case, I only need to worry about the first scenario, as the Apache in use is a much higher version than 1.3.31.
After spending some effort, I made sure the web servers are not open proxies and that the attempts did not succeed at all.
Here is how you can be triply sure (Defense in Depth) that your web servers are not open proxies:
- "Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your network and to the Internet at large." (from the mod_proxy documentation)
- Review the web log to identify whether the proxy scanning attempts were successful.
- Use ModSecurity to block proxy scanning attempts. This way, you will be protected even if your administrator accidentally turns on ProxyRequests for whatever reason.
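One way to do the log review in the second step, as an added example that is not part of the original post: it flags CONNECT and absolute-URI requests for foreign hosts and separates refused attempts from ones that need a closer look. It assumes Apache's Common/Combined Log Format; the function names, the `local_hosts` set and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common/Combined Log Format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')

def proxy_target(method, target, local_hosts):
    """Return the foreign host the request asked us to reach, else None."""
    if method == "CONNECT":                      # authority-form: host:port
        return target.lower()
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.I):   # absolute-form URI
        try:
            host = (urlsplit(target).hostname or "").lower()
        except ValueError:                       # malformed authority
            return target.lower()
        return None if host in local_hosts else host
    return None                                  # origin-form: ordinary request

def review(lines, local_hosts):
    """Count proxy attempts per (client, target, verdict)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        dest = proxy_target(m["method"], m["target"], local_hosts)
        if dest is None:
            continue
        # A 2xx is not proof of proxying: with ProxyRequests Off, Apache can
        # answer an absolute-URI request with its own local page. Compare the
        # byte count with that page before drawing a conclusion.
        verdict = "REVIEW" if m["status"].startswith("2") else "refused"
        counts[(m["client"], dest, verdict)] += 1
    return counts

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2000:13:55:36 +0000] "CONNECT 203.0.113.9:443 HTTP/1.0" 405 310',
    '198.51.100.7 - - [01/Jan/2000:13:55:37 +0000] "CONNECT 203.0.113.9:443 HTTP/1.0" 405 310',
    '198.51.100.7 - - [01/Jan/2000:13:55:40 +0000] "GET http://www.example.org/ HTTP/1.1" 200 1456',
    '192.0.2.44 - - [01/Jan/2000:13:56:01 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 1456',
    '192.0.2.44 - - [01/Jan/2000:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 1456',
]

if __name__ == "__main__":
    for (client, dest, verdict), n in review(SAMPLE, {"www.example.com"}).items():
        print(f"{client} -> {dest}: {n} time(s) [{verdict}]")
```

Requests that name one of the server's own hostnames in absolute form are valid HTTP/1.1 and are deliberately not counted.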
Again, this is just another example of how PPT (People, Process, Technology) can help you achieve better security.
