mod_proxy -- should I be nervous?

security apache-2.2 mod-proxy

To the best of my knowledge, I have all the mod_proxy stuff disabled on my Apache production server. What's a reasonable way to test or confirm that? Looking at my httpd.conf I can tell you that any line that has "proxy" in it is commented, for what that's worth.

Reason I ask is that I saw this stuff in my logwatch report this morning:

 Connection attempts using mod_proxy:
   81.88.124.30 -> 64.12.202.116:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.15:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.1:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.22:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.29:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.36:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.43:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.50:443: 1 Time(s)
   81.88.124.30 -> 64.12.202.8:443: 1 Time(s)

 Requests with error response codes
   403 Forbidden
      64.12.202.116:443: 1 Time(s)
      64.12.202.15:443: 1 Time(s)
      64.12.202.1:443: 1 Time(s)
      64.12.202.22:443: 1 Time(s)
      64.12.202.29:443: 1 Time(s)
      64.12.202.36:443: 1 Time(s)
      64.12.202.43:443: 1 Time(s)
      64.12.202.50:443: 1 Time(s)
      64.12.202.8:443: 1 Time(s)

Not something that's normally in my reports. So it looks like he got 403'd on the attempts, which I guess is good. But what made him feel it was worth a try?


Maybe he/she/it was trying to figure out if it was worth a try. It costs them nothing to just send a proxy request to a server and see if it works, so usually they send out these requests indiscriminately.

FYI one surefire way to make sure mod_proxy is disabled is to make sure the line

LoadModule mod_proxy.so proxy_module

is commented out. It should only occur in the configuration files once, but it wouldn't hurt to grep for it to make sure. Also, you can run

apache2ctl -M

(or perhaps some equivalent for your system, on mine it's /etc/init.d/apache2 modules) to list the loaded modules and verify that the proxy module is not in the list.


To test to make sure you're not an open proxy, just telnet to port 80, and send:

GET http://www.google.com/ HTTP/1.0

(you need two two line returns at the end, but it's being eaten). You should get back a 404 page. If you get back Google, you're open.

Related

How secure are wireless networks?
How can I tell if irqbalance is doing anything?
Moving a folder in SVN
ESXi Serial licensing dongle
gem vs apt-get in a server environment
Importance of Mainframe
sed php.ini memory_limit
Is it possible to stream input into RAR
(200 ok) ACCEPTED - Is this a hacking attempt?
linux CLI screenshot without X
Gigabit capacity
Migrate IMAP account between providers - client access only