How to disable proxy requests once a server has been added to spammers "open proxy" list?
I've just started in a new company, and have been going over the setup of their Apache webserver conf files... only to find that they've had their apache servers set up as open proxies available to all the world for the last two months. I've already set ProxyRequests Off in the httpd.conf file and restarted the web server, but the access log file is still growing at a horrendous rate (about a gig a day). I noticed that another question was posted on here about this (Apache hit with proxy request), but their access log was supposedly returning 404 errors, while mine appears to be returning 403 and 404 codes... Is this correct?
Here are a few lines out of my access log:
87.118.118.124 - - [16/Mar/2010:10:56:36 -0400] "GET http://www.c5interlude.ru/torrent/viewtopic.php?p=2501 HTTP/1.0" 404 219 "http://www.c5interlude.ru/torrent/viewtopic.php?p=2501" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
117.41.184.27 - - [16/Mar/2010:10:56:36 -0400] "GET http://ad.xtendmedia.com/st?ad_type=iframe&ad_size=300x250&section=790074 HTTP/1.0" 404 200 "http://www.newbiegamer.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Alexa Toolbar)"
122.224.55.222 - - [16/Mar/2010:10:56:36 -0400] "GET http://www.188woool.net/\xb4\xf3\xd4\xcb\xb4\xab\xca\xc0.rar HTTP/1.1" 403 214 "http://www.188woool.net/\xb4\xf3\xd4\xcb\xb4\xab\xca\xc0.rar" "Mozilla/4.0"
58.55.21.40 - - [16/Mar/2010:10:56:36 -0400] "GET http://www.cpx24.com/ad1.js HTTP/1.0" 404 204 "http://thebighits.com/?id=aibux" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
122.226.223.188 - - [16/Mar/2010:10:56:36 -0400] "GET http://ad.reduxmedia.com/st?ad_type=iframe&ad_size=160x600&section=798636 HTTP/1.0" 404 200 "http://www.gvvu.com" "Mozilla/4.0 (compatible; MSIE 5.5; AOL 6.0; Windows 98; Win 9x 4.90)"
84.51.109.31 - - [16/Mar/2010:10:56:36 -0400] "GET http://www.kslp.ru/forum/index.php HTTP/1.0" 404 213 "http://www.kslp.ru/forum/index.php" "Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0 ; .NET CLR 2.0.50215; SL Commerce Client v1.0; Tablet PC 2.0"
122.224.48.49 - - [16/Mar/2010:10:56:36 -0400] "GET http://www1.vip218.com/\xb2\xca\xba\xe7\xb4\xab\xca\xc0.exe HTTP/1.1" 403 214 "http://www1.vip218.com/\xb2\xca\xba\xe7\xb4\xab\xca\xc0.exe" "Mozilla/4.0"
117.41.184.27 - - [16/Mar/2010:10:56:36 -0400] "GET http://ad.xtendmedia.com/st?ad_type=iframe&ad_size=728x90&section=657624 HTTP/1.0" 404 200 "http://www.raiseanimals.com" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Alexa Toolbar)"
And my corresponding error log entries:
[Tue Mar 16 10:56:36 2010] [error] [client 87.118.118.124] File does not exist: C:/public_html/torrent, referer: http://www.c5interlude.ru/torrent/viewtopic.php?p=2501
[Tue Mar 16 10:56:36 2010] [error] [client 117.41.184.27] File does not exist: C:/public_html/st, referer: http://www.newbiegamer.com
[Tue Mar 16 10:56:36 2010] [error] [client 122.224.55.222] (22)Invalid argument: Cannot map GET http://www.188woool.net/\xb4\xf3\xd4\xcb\xb4\xab\xca\xc0.rar HTTP/1.1 to file, referer: http://www.188woool.net/\xb4\xf3\xd4\xcb\xb4\xab\xca\xc0.rar
[Tue Mar 16 10:56:36 2010] [error] [client 58.55.21.40] File does not exist: C:/public_html/ad1.js, referer: http://thebighits.com/?id=aibux
[Tue Mar 16 10:56:36 2010] [error] [client 122.226.223.188] File does not exist: C:/public_html/st, referer: http://www.gvvu.com
[Tue Mar 16 10:56:36 2010] [error] [client 84.51.109.31] File does not exist: C:/public_html/forum, referer: http://www.kslp.ru/forum/index.php
[Tue Mar 16 10:56:36 2010] [error] [client 122.224.48.49] (22)Invalid argument: Cannot map GET http://www1.vip218.com/\xb2\xca\xba\xe7\xb4\xab\xca\xc0.exe HTTP/1.1 to file, referer: http://www1.vip218.com/\xb2\xca\xba\xe7\xb4\xab\xca\xc0.exe
[Tue Mar 16 10:56:36 2010] [error] [client 117.41.184.27] File does not exist: C:/public_html/st, referer: http://www.raiseanimals.com
Does this in fact look like the server is blocking them correctly, and is there anything else that I could do better to cut down on my access log size? (perhaps block these requests from the server completely?)
Thanks! Matt
UPDATE:
These are the successful proxies... But I haven't enabled ProxyRequests!! (It didn't even show up in my httpd.conf file (defaulting to no), but I have since added ProxyRequests Off as the 4th line in my httpd.conf file.)
95.211.14.24 - - [03/Jun/2010:12:01:24 -0400] "CONNECT mail.yahoo.com:443" 200 6103 "-" "-"
98.126.74.66 - - [03/Jun/2010:12:01:39 -0400] "CONNECT intlreg.aol.com:443 HTTP/1.1" 200 6103 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Maxthon; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) )"
98.126.74.66 - - [03/Jun/2010:12:01:40 -0400] "\x16\x03\x01" 200 6103 "-" "-"
91.5.169.251 - - [03/Jun/2010:12:01:43 -0400] "GET http://shop.breho-tools.de/index.php?cat=c95_Doppelhobel.html HTTP/1.0" 200 6103 "-" "-"
114.25.230.147 - - [03/Jun/2010:12:01:50 -0400] "CONNECT mail2000.com.tw:25 HTTP/1.0" 200 6103 "-" "-"
67.208.112.37 - - [03/Jun/2010:12:02:02 -0400] "GET http://yahoo.com:80/ HTTP/1.1" 200 6103 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 GTB7.0 (.NET CLR 3.5.30729)"
67.208.112.37 - - [03/Jun/2010:12:02:18 -0400] "GET http://yahoo.com:80/ HTTP/1.1" 200 6103 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 GTB7.0 (.NET CLR 3.5.30729)"
69.132.95.188 - - [03/Jun/2010:12:02:33 -0400] "GET http://login.vip.kr3.yahoo.com/config/isp_verify_user?l=_sunflowerwoman&p=%20%20%20%20%20 HTTP/1.0" 404 220 "-" "-"
120.37.91.109 - - [03/Jun/2010:12:02:37 -0400] "GET http://543b5be9.linkbucks.com/ HTTP/1.1" 200 6103 "http://dns.ladymx.com:1108/shangcheng/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; InfoPath.2; .NET CLR 3.0.30729)"
120.37.91.109 - - [03/Jun/2010:12:02:37 -0400] "GET http://543b5be9.linkbucks.com/RecordClick.aspx?id=&key=&ref=&cacheBust=80493192 HTTP/1.1" 404 214 "http://dns.ladymx.com:1108/shangcheng/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; InfoPath.2; .NET CLR 3.0.30729)"
120.37.91.109 - - [03/Jun/2010:12:02:40 -0400] "GET http://543b5be9.linkbucks.com/RecordClick.aspx?id=&key=&ref=&cacheBust=80493192 HTTP/1.1" 404 214 "http://dns.ladymx.com:1108/shangcheng/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; InfoPath.2; .NET CLR 3.0.30729)"
66.77.255.230 - - [03/Jun/2010:12:02:40 -0400] "GET http://proxyjudge1.proxyfire.net/fastenv HTTP/1.1" 404 205 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
120.37.91.109 - - [03/Jun/2010:12:02:42 -0400] "GET http://543b5be9.linkbucks.com/RecordClick.aspx?id=&key=&ref=&cacheBust=80493192 HTTP/1.1" 404 214 "http://dns.ladymx.com:1108/shangcheng/" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; GTB6; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; InfoPath.2; .NET CLR 3.0.30729)"
89.149.223.112 - - [03/Jun/2010:12:02:43 -0400] "CONNECT mail.yahoo.com:443" 200 6103 "-" "-"
95.211.0.132 - - [03/Jun/2010:12:02:49 -0400] "CONNECT mail.yahoo.com:443" 200 6103 "-" "-"
217.133.52.34 - - [03/Jun/2010:12:02:52 -0400] "GET http://www.naturalintegrator.com/buoni-regalo-c-21.html HTTP/1.1" 404 220 "http://www.mylevis.us/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)"
You're returning 404 and 403 (both denies of various types), so I wouldn't worry about it. I'm guessing that you have an overly-optimistic vhost on there that is catching all of that traffic and trying to do something with it.
Just start to worry if you return 2xx on any of those without being able to explain it :)
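To apply that "worry about 2xx" rule to a large access log, here is an added example (not code from the question or either answer) that parses combined-format lines, separates forward-proxy requests (absolute URI in the request line) and CONNECT tunnels from ordinary requests, and lists the proxy-style ones that got a 2xx answer. The sample lines are constructed to resemble the ones in the question, including a CONNECT without an HTTP version and raw TLS bytes sent after a CONNECT; the addresses and hosts are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined format, modelled on the ones
# in the question; the addresses and hosts are illustrative placeholders.
SAMPLE_LOG = r'''
10.0.0.1 - - [16/Mar/2010:10:56:36 -0400] "GET http://example.net/forum/index.php HTTP/1.0" 404 213 "-" "Mozilla/4.0"
10.0.0.2 - - [16/Mar/2010:10:56:36 -0400] "GET http://example.org/file.rar HTTP/1.1" 403 214 "-" "Mozilla/4.0"
10.0.0.3 - - [03/Jun/2010:12:01:24 -0400] "CONNECT mail.example.com:443" 200 6103 "-" "-"
10.0.0.3 - - [03/Jun/2010:12:01:40 -0400] "\x16\x03\x01" 200 6103 "-" "-"
10.0.0.4 - - [03/Jun/2010:12:02:02 -0400] "GET http://example.com:80/ HTTP/1.1" 200 6103 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Jun/2010:12:02:05 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
'''

# Common log format prefix: client ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
ABSOLUTE_URI = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')

def classify(request):
    """'connect' = CONNECT tunnel, 'forward' = absolute-URI (forward-proxy) request,
    'malformed' = no HTTP method (e.g. raw TLS bytes after a CONNECT), 'local' = normal."""
    parts = request.split()
    if not parts or not parts[0].isalpha():
        return 'malformed'
    method, target = parts[0], parts[1] if len(parts) > 1 else ''
    if method == 'CONNECT':
        return 'connect'
    if ABSOLUTE_URI.match(target):
        return 'forward'
    return 'local'

def audit(log_text):
    """Count (kind, status) pairs and collect proxy-style requests that were
    answered with 2xx, the case the answer above says to worry about."""
    counts = Counter()
    successful_proxy = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, status = classify(m['req']), int(m['status'])
        counts[(kind, status)] += 1
        if kind in ('connect', 'forward') and 200 <= status < 300:
            successful_proxy.append((m['ip'], m['req'], status))
    return {'counts': counts, 'successful_proxy': successful_proxy}
```

Run `audit()` over the real access log text: a steady stream of 403/404 for 'forward' and 'connect' entries is the server refusing to proxy, while any entry in `successful_proxy` needs an explanation.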
You could also block all proxy requests from all but the internal subnets, which is recommended by http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxy and http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#access .
You can control who can access your proxy via the <Proxy> control block as in the following example:
<Proxy *>
Order Deny,Allow
Deny from all
Allow from 192.168.0
</Proxy>
For more information on access control directives, see mod_authz_host.
Strictly limiting access is essential if you are using a forward proxy (using the ProxyRequests directive). Otherwise, your server can be used by any client to access arbitrary hosts while hiding his or her true identity. This is dangerous both for your network and for the Internet at large. When using a reverse proxy (using the ProxyPass directive with ProxyRequests Off), access control is less critical because clients can only contact the hosts that you have specifically configured.
I believe this will result in "403 Forbidden" responses to the client, which is a bit less secure than a "404 Not Found" because a "403 Forbidden" provides a hint that something is still there, but is forbidden.
You should be getting proxy requests from only a few IP addresses. Firewall these addresses. At a minimum prevent access to HTTP, but I would firewall them entirely.
If proxy is a module, disable the module. On Linux you can use a2dismod to disable the module(s).