On Wed, Apr 9, 2014 at 7:38 PM, ProgAndy firstname.lastname@example.org wrote:
On 09.04.2014 at 19:32, Jameson wrote:
On Tue, Apr 1, 2014 at 9:30 AM, Nowaker email@example.com wrote:
184.108.40.206 - - [29/Mar/2014:22:04:54 -0400]
"GET http://ro2.biz/pixel.png HTTP/1.0" 200 151
But the most interesting part is that your apache is replying with
"200", that is OK!
Nice catch! It's certainly a proxy.
Thanks for everyone's help with this. I did in fact have ProxyRequests set to On thinking it was needed for reverse proxies as well, and have turned it off. Now, when I open up port 80, it looks like they're still trying, but I'm replying with 404. Is that what it should be doing? I probably also need to make sure I have some throttling set up in case this is too much for my Internet connection.
If you know the IP addresses (or address-ranges) you use to connect to your server, I suggest you block everything else for the time being with an iptables rule.
fail2ban can do that automatically for you, with some work configuring it.
In general I think it's better not to send a 404 when someone is obviously trying to abuse your servers; that tells the bad guys that there is a web server listening there and may leak some information about your setup. It's better to block them at the firewall level, which costs you less server resources. I'd suggest that the firewall is configured to deny (that is, just drop their packets) instead of reject (which sends a rejection packet which, again, gives the bad guys more information than strictly necessary).
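An added example, not part of the thread: a log check for the symptom discussed above, where the access log shows requests whose target is a full URL for someone else's host, and the status code tells whether the server answered or refused them. The `OWN_HOSTS` value, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Common Log Format: host ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+')
OWN_HOSTS = {"www.example.org"}  # assumption: names this server really serves

# Constructed sample lines (documentation IP ranges, placeholder hosts).
SAMPLE = [
    '192.0.2.10 - - [29/Mar/2014:22:04:54 -0400] "GET http://proxy-target.example/pixel.png HTTP/1.0" 200 151',
    '192.0.2.10 - - [01/Apr/2014:10:00:01 -0400] "GET http://proxy-target.example/pixel.png HTTP/1.0" 404 209',
    '198.51.100.7 - - [01/Apr/2014:10:00:02 -0400] "CONNECT mail.example.net:25 HTTP/1.0" 405 230',
    '203.0.113.5 - - [01/Apr/2014:10:00:03 -0400] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Apr/2014:10:00:04 -0400] "GET http://www.example.org/ HTTP/1.1" 200 5120',
]

def classify(line, own_hosts=OWN_HOSTS):
    """Return (client, foreign_host, verdict) for a forward-proxy attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, request, status = m.group(1), m.group(2), int(m.group(3))
    parts = request.split()
    if len(parts) < 2:
        return None
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]          # authority-form: host:port
    else:
        url = re.match(r"(?i)^https?://([^/:?#]+)", target)
        if not url:
            return None                          # origin-form, e.g. "GET /index.html"
        host = url.group(1)
    host = host.lower()
    if host in own_hosts:
        return None                              # absolute-form for our own site is valid
    # A 2xx/3xx answer to a foreign URL is what the quoted log line shows; it is
    # a prompt to check ProxyRequests, since local content can also produce it.
    return client, host, "answered" if status < 400 else "refused"

def summarize(lines):
    """Count proxy attempts per (client, verdict)."""
    hits = (classify(line) for line in lines)
    return Counter((h[0], h[2]) for h in hits if h)

if __name__ == "__main__":
    for (client, verdict), n in sorted(summarize(SAMPLE).items()):
        print(f"{client:15} {verdict:9} {n}")
```

Clients that only ever show up as `refused` are the ones the replies suggest handing to fail2ban or dropping at the firewall.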