mod_proxy -- should I be nervous?
To the best of my knowledge, I have all the mod_proxy stuff disabled on my Apache production server. What's a reasonable way to test or confirm that? Looking at my httpd.conf I can tell you that any line that has "proxy" in it is commented, for what that's worth.
Reason I ask is that I saw this stuff in my logwatch report this morning:
Connection attempts using mod_proxy:
81.88.124.30 -> 64.12.202.116:443: 1 Time(s)
81.88.124.30 -> 64.12.202.15:443: 1 Time(s)
81.88.124.30 -> 64.12.202.1:443: 1 Time(s)
81.88.124.30 -> 64.12.202.22:443: 1 Time(s)
81.88.124.30 -> 64.12.202.29:443: 1 Time(s)
81.88.124.30 -> 64.12.202.36:443: 1 Time(s)
81.88.124.30 -> 64.12.202.43:443: 1 Time(s)
81.88.124.30 -> 64.12.202.50:443: 1 Time(s)
81.88.124.30 -> 64.12.202.8:443: 1 Time(s)
Requests with error response codes
403 Forbidden
64.12.202.116:443: 1 Time(s)
64.12.202.15:443: 1 Time(s)
64.12.202.1:443: 1 Time(s)
64.12.202.22:443: 1 Time(s)
64.12.202.29:443: 1 Time(s)
64.12.202.36:443: 1 Time(s)
64.12.202.43:443: 1 Time(s)
64.12.202.50:443: 1 Time(s)
64.12.202.8:443: 1 Time(s)
Not something that's normally in my reports. So it looks like he got 403'd on the attempts, which I guess is good. But what made him feel it was worth a try?
Maybe he/she/it was trying to figure out if it was worth a try. It costs them nothing to just send a proxy request to a server and see if it works, so usually they send out these requests indiscriminately.
FYI one surefire way to make sure mod_proxy is disabled is to make sure the line
LoadModule proxy_module modules/mod_proxy.so
is commented out. It should only occur in the configuration files once, but it wouldn't hurt to grep for it to make sure. Also, you can run
apache2ctl -M
(or perhaps some equivalent for your system; on mine it's /etc/init.d/apache2 modules) to list the loaded modules and verify that the proxy module is not in the list.
To test to make sure you're not an open proxy, just telnet to port 80, and send:
GET http://www.google.com/ HTTP/1.0
(you need two line returns at the end, but they're being eaten). You should get back a 404 page. If you get back Google, you're open.
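The three checks from the answer above, scripted, as an added example (not code from the original thread). It goes a little beyond the answer: it looks for the whole proxy module family (proxy_module, proxy_http_module, proxy_connect_module, ...) rather than just mod_proxy, and it classifies the probe response rather than eyeballing it. Assumptions are the config tree path (CONF_DIR, Debian layout by default), the banner your own server sends in its Server: header (OWN_SERVER_BANNER), and that nc is installed for the live probe; the responses at the bottom are constructed samples, not captures.

```shell
#!/bin/sh
# Added example, not from the original thread: the config grep, the module
# listing and the open-proxy probe from the answer, as reusable functions.
# Assumptions: Apache 2.x; CONF_DIR and OWN_SERVER_BANNER set for your system.

CONF_DIR="${CONF_DIR:-/etc/apache2}"            # assumption: Debian layout; /etc/httpd on RHEL
OWN_SERVER_BANNER="${OWN_SERVER_BANNER:-Apache}" # assumption: start of your own Server: header

# Check 1: any LoadModule line for the proxy family that is NOT commented out,
# anywhere under the given directory. Prints file:line:text per hit; exit
# status 1 means the tree is clean.
active_proxy_loadmodules() {
    grep -rnE '^[[:space:]]*LoadModule[[:space:]]+proxy[a-z_]*_module[[:space:]]' "$1" 2>/dev/null
}

# Check 2: reduce `apache2ctl -M` (or `httpd -M`) output, read from stdin, to
# the proxy modules actually loaded (static or shared). Empty output is good.
loaded_proxy_modules() {
    grep -oE 'proxy[a-z_]*_module' | sort -u || true
}

# Check 3: classify the raw HTTP response (stdin) to the probe request
#   GET http://www.google.com/ HTTP/1.0
# 403 is what the logwatch report shows: Apache refused to forward. A 200 whose
# Server: header is not your own, or that carries a Via: header added by a proxy
# hop, means the request reached Google through you: open proxy. A 200 from
# your own Apache is just your front page served for "/", the usual result when
# mod_proxy is absent.
classify_proxy_response() {
    local resp status server via
    resp=$(cat)
    status=$(printf '%s\n' "$resp" | head -n1 | awk '{print $2}')
    server=$(printf '%s\n' "$resp" | grep -i '^Server:' | head -n1 || true)
    via=$(printf '%s\n' "$resp" | grep -ic '^Via:' || true)
    case "$status" in
        403)     echo REFUSED ;;
        400|404) echo NOT_PROXIED ;;
        200)
            if [ "$via" -gt 0 ] || ! printf '%s' "$server" | grep -qi "$OWN_SERVER_BANNER"; then
                echo OPEN_PROXY
            else
                echo LOCAL_PAGE
            fi ;;
        *)       echo "UNEXPECTED_${status:-no_response}" ;;
    esac
}

# Live probe (needs nc and a reachable server): the telnet test from the answer,
# with the two CRLFs the forum software ate. Not run by default.
probe_open_proxy() {
    printf 'GET http://www.google.com/ HTTP/1.0\r\n\r\n' \
        | nc -w 5 "${1:-localhost}" "${2:-80}" | classify_proxy_response
}

# Offline demonstration on constructed responses (not real captures):
printf 'HTTP/1.1 403 Forbidden\r\nServer: Apache/2.2.9 (Debian)\r\n\r\n' \
    | classify_proxy_response                       # REFUSED
printf 'HTTP/1.0 200 OK\r\nServer: gws\r\nVia: 1.1 myhost\r\n\r\n<html>Google</html>' \
    | classify_proxy_response                       # OPEN_PROXY
```

Run the config check as `active_proxy_loadmodules "$CONF_DIR"`, pipe `apache2ctl -M 2>&1` into `loaded_proxy_modules`, and when you want the live test use `probe_open_proxy yourhost 80`. The Server: banner heuristic is the weak spot: if you have ServerTokens set to hide Apache entirely, set OWN_SERVER_BANNER to whatever your server actually sends, otherwise a plain local page will be reported as OPEN_PROXY.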