[arch-general] My Apache Server Compromised?

geralt at gmail.com
Wed Apr 9 13:52:28 EDT 2014


On Wed, Apr 9, 2014 at 7:38 PM, ProgAndy <admin at progandy.de> wrote:

> Am 09.04.2014 19:32, schrieb Jameson:
>
>  On Tue, Apr 1, 2014 at 9:30 AM, Nowaker <enwukaer at gmail.com> wrote:
>>
>>> 199.83.93.35 - - [29/Mar/2014:22:04:54 -0400]
>>>>> "GET http://ro2.biz/pixel.png HTTP/1.0" 200 151
>>>>>
>>>>
>>>  But the most interesting part is that your apache is replying with
>>>> "200",
>>>> that is OK!
>>>>
>>>
>>> Nice catch! It's certainly a proxy.
>>>
>> Thanks for everyone's help with this. I did in fact have ProxyRequests
>> set to On thinking it was needed for reverse proxies as well, and have
>> turned it off. Now, when I open up port 80, it looks like they're
>> still trying, but I'm replying with 404. Is that what it should be
>> doing? I probably also need to make sure I have some throttling setup
>> in case this is too much for my Internet connection.
>>
> If you know the IP addresses (or address-ranges) you use to connect to
> your server, I suggest you block everything else for the time being with an
> iptables rule.
>

fail2ban can do that automatically for you, with some work configuring it.

In general I think it's better not to send a 404 when someone is obviously
trying to abuse your servers; that tells the bad guys that there is a web
server listening there and may leak some information about your setup. It's
better to block them at the firewall level, which costs you less server
resources. I'd suggest that the firewall is configured to deny (that is,
just drop their packets) instead of reject (which sends a rejection packet
which, again, gives the bad guys more information than strictly necessary).
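The thread spotted the open proxy from one access-log line: a request-target that is an absolute URI (`GET http://ro2.biz/pixel.png`) answered with 200, which a plain origin server never does. The Python below is an added example, not code from anyone in the thread: it scans Apache common-format log lines, flags forward-proxy requests (absolute-URI targets and CONNECT), and separates the ones that were actually served (proxy still open) from those refused after `ProxyRequests Off`. It also carries a fail2ban-style failregex for the same pattern; the `<HOST>` token is fail2ban's placeholder and is substituted here only so the regex can be tried offline. The jail/filter file name and all log lines except the first (which is the one quoted in the thread) are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Constructed sample log. Line 1 is the request quoted in the thread; the
# rest use documentation address ranges and are made up for this example.
SAMPLE_LOG = [
    '199.83.93.35 - - [29/Mar/2014:22:04:54 -0400] "GET http://ro2.biz/pixel.png HTTP/1.0" 200 151',
    '203.0.113.7 - - [29/Mar/2014:22:05:01 -0400] "GET http://example.net/ HTTP/1.1" 404 209',
    '198.51.100.4 - - [29/Mar/2014:22:05:10 -0400] "GET /index.html HTTP/1.1" 200 1043',
    '192.0.2.9 - - [29/Mar/2014:22:05:12 -0400] "CONNECT mail.example.org:25 HTTP/1.1" 200 0',
    'garbage line that does not parse',
]

# Apache "common" format: %h %l %u %t "%r" %>s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# fail2ban-style failregex for the same abuse. <HOST> is fail2ban's own
# placeholder; the ".*" after the ident/user fields covers the timestamp so
# this does not depend on how a given fail2ban version strips dates
# (assumption: verify against your version's apache-* filters).
FAILREGEX = (r'^<HOST> \S+ \S+ .*"[A-Z]+ '
             r'(?:https?://\S+|[A-Za-z0-9.-]+:\d+) HTTP/\d\.\d" \d{3}')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    return d


def is_proxy_request(method, target):
    """True when only a forward proxy would serve this request-target."""
    if method == "CONNECT":            # authority-form target, e.g. host:25
        return True
    parts = urlsplit(target)           # absolute-form target, e.g. http://x/y
    return parts.scheme in ("http", "https") and parts.netloc != ""


def classify(line):
    """Label a line: unparsed, normal, proxied (served 2xx), or proxy-refused."""
    d = parse_line(line)
    if d is None:
        return ("unparsed", None)
    if not is_proxy_request(d["method"], d["target"]):
        return ("normal", d["host"])
    if 200 <= d["status"] < 300:
        return ("proxied", d["host"])  # proxy is open: this is the problem
    return ("proxy-refused", d["host"])  # attempt blocked; candidate for a firewall DROP


def scan(lines):
    """Group client IPs by what the log shows them doing."""
    summary = {"proxied": set(), "proxy-refused": set(), "normal": set(), "unparsed": 0}
    for line in lines:
        kind, host = classify(line)
        if kind == "unparsed":
            summary["unparsed"] += 1
        else:
            summary[kind].add(host)
    return summary


def failregex_matches(line):
    """Apply FAILREGEX the way fail2ban would, returning the <HOST> it captured."""
    pattern = FAILREGEX.replace("<HOST>", r"(?P<host>\S+)")
    m = re.match(pattern, line.strip())
    return m.group("host") if m else None


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for kind in ("proxied", "proxy-refused", "normal"):
        print(f"{kind:14s} {sorted(result[kind])}")
    print("unparsed       ", result["unparsed"])
    print("fail2ban hits  ", [h for h in map(failregex_matches, SAMPLE_LOG) if h])
```

Any host in the `proxied` set was served through your Apache, so `ProxyRequests Off` has not taken effect (or the proxy lives elsewhere); hosts in `proxy-refused` are still probing and are the ones to DROP at the firewall, either by hand or by putting `FAILREGEX` into a filter such as a hypothetical `/etc/fail2ban/filter.d/apache-openproxy.conf` with `action` set to an iptables DROP rule.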

