[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: apache allowing POSTs to offsite IP
- From: Kevin Weslowski <weslowsk accesscomm ca>
- To: seawolf-list redhat com
- Subject: Re: apache allowing POSTs to offsite IP
- Date: Fri, 16 May 2003 23:19:52 -0600
the only problem with setting the firewall to block ips, is this type of "attack" is coming from other ips as well (I never showed the log file snip from the other IPs)...most others are within this user's subnet, but some also from unrelated ips...so that's why we were looking at some apache configuration to do what we needed...
thanks for the tip to the apache list...I always try here first, and then try other lists if the answer I need is too specific...
Kevin
"Steven J. Yellin" wrote:
> It seems to me that if your log file shows posts from 66.164.26.66,
> that's what your firewall should think the source is, too. So I don't
> understand why setting your firewall to block everything from 66.164.26.66
> didn't keep that particular IP away from everything in your computer,
> including the web server.
> If for some reason you can't have your firewall protect your computer
> from being misused, and nobody on this list can say how to do what's
> needed with your apache configuration file, try the mailing list "for
> users of the Apache HTTP Server to discuss Apache and help each other":
> http://httpd.apache.org/userslist.html .
>
> On Fri, 16 May 2003, Kevin Weslowski wrote:
>
> > Hi all,
> >
> > in my apache access logs, a someone has been POSTing (and succeeding)
> > through my server, to another IP, but to their port 25...there has been
> > reports from the ISP of the IP being attacked that WE have been spamming
> > them, which isn't true since we don't even have sendmail running or port
> > 25 open;
> >
> > snip:
> >
> > 66.164.26.66 - - [16/May/2003:16:23:28 -0600] "POST
> > http://142.165.49.56:25/ HTTP/1.1" 200 375
> > 66.164.26.66 - - [16/May/2003:16:23:28 -0600] "QUIT" 403 -
> > 66.164.26.66 - - [16/May/2003:16:27:21 -0600] "POST
> > http://142.165.49.6:25/ HTTP/1.1" 200 1008
> > 66.164.26.66 - - [16/May/2003:16:27:39 -0600] "POST
> > http://142.165.49.6:25/ HTTP/1.1" 200 1024
> > 66.164.26.66 - - [16/May/2003:16:27:58 -0600] "POST
> > http://142.165.49.6:25/ HTTP/1.1" 200 1000
> > 66.164.17.103 - - [16/May/2003:16:29:34 -0600] "POST
> > http://142.165.49.6:25/ HTTP/1.1" 200 1016
> > 66.164.17.103 - - [16/May/2003:16:30:07 -0600] "POST
> > http://142.165.49.6:25/ HTTP/1.1" 200 1016
> >
> > first, has any one seen these types of "proxy" POSTs? what do they mean?
> >
> > we've tried denying access to 66.164.* but he's still able to send the
> > POSTs...probably because they're not directed at my server...so I how do
> > I stop this "proxy" use of my (apache 1.3.27) server?
> >
> > any help would be much appreciated...thanks.
> >
> > Kevin
> >
> >
> > _______________________________________________
> > Seawolf-list mailing list
> > Seawolf-list redhat com
> > https://www.redhat.com/mailman/listinfo/seawolf-list
> >
>
> --
> Steven Yellin
>
> _______________________________________________
> Seawolf-list mailing list
> Seawolf-list redhat com
> https://www.redhat.com/mailman/listinfo/seawolf-list
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]