29 April 2007

Oops I had an open http proxy

I accidentally configured my apache web server to be an open proxy. I only discovered this when my own web browsing became very slow. The first thing I did was reboot my server; that didn't help, so next I rebooted my netgear router, which didn't help either. I waited a day in case it was a problem at the ISP (even though their website was not showing any incidents). So the next day I ran:

netstat -a --inet --notrim

and found that a huge number of hosts were connecting to my http port. I followed this up by looking at my apache access logs and true enough, hundreds of hosts were connecting and asking for URLs that were external sites.

The first thing I did was access the admin site of my router and disable http/https. I then fixed my apache configuration and restarted apache, before re-enabling http/https on my router. After this I watched my apache access logs; as expected many hosts were still hitting my webserver, although at least now it was returning 404 rather than proxying the http request. So I installed ntop and got some statistics on which IP addresses were the biggest culprits. Armed with a list of IP addresses I blacklisted any IP traffic from them using iptables, i.e.:

iptables -v -A INPUT -s 213.240.225.101 -j DROP
iptables -v -A INPUT -s 200.155.23.28 -j DROP
iptables -v -A INPUT -s 219.110.175.160 -j DROP
iptables -v -A INPUT -s 125.92.99.94 -j DROP
iptables -v -A INPUT -s 201.236.88.90 -j DROP
iptables -v -A INPUT -s 201.211.89.201 -j DROP
iptables -v -A INPUT -s 125.65.112.35 -j DROP
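The tell-tale sign in the access logs is a request line carrying a full external URL (or a CONNECT tunnel request, which I have included as a generalisation) instead of a path on your own site. This added Python script, not code from the original post, parses Apache common-format log lines, counts such proxy-style requests per client IP and emits the corresponding iptables DROP rules; the log lines, the IP addresses and the hostname myserver.example.org are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "common" log format (not from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [29/Apr/2007:10:01:02 +0100] "GET http://www.example.com/ HTTP/1.1" 200 5120
198.51.100.7 - - [29/Apr/2007:10:01:03 +0100] "GET /index.html HTTP/1.1" 200 1234
203.0.113.5 - - [29/Apr/2007:10:01:04 +0100] "CONNECT mail.example.net:25 HTTP/1.1" 200 0
192.0.2.9 - - [29/Apr/2007:10:01:05 +0100] "GET http://myserver.example.org/page HTTP/1.1" 200 800
203.0.113.5 - - [29/Apr/2007:10:01:06 +0100] "GET http://ads.example.com/x HTTP/1.0" 404 300
"""

# client IP, ident, user, [timestamp], "METHOD TARGET PROTOCOL", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_proxy_request(method, target, own_hosts):
    """True when the request line is one only a proxy would be asked to serve."""
    if method.upper() == "CONNECT":
        return True  # tunnel request; an origin server never needs to honour these
    if target.startswith("/"):
        return False  # origin-form request for our own content
    # absolute-URI request: a proxy request unless it names one of our own hosts
    host = urlsplit(target).hostname
    return host is not None and host not in own_hosts


def proxy_abusers(log_text, own_hosts):
    """Count proxy-style requests per client IP, regardless of the status we returned.

    After the configuration fix the server answers 404, but the clients keep coming,
    so the status code is deliberately not used as a filter here.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_proxy_request(m["method"], m["target"], own_hosts):
            counts[m["ip"]] += 1
    return counts


def drop_rules(counts, threshold):
    """Render an iptables DROP rule for every IP at or above the threshold, worst first."""
    return [f"iptables -v -A INPUT -s {ip} -j DROP"
            for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for rule in drop_rules(proxy_abusers(SAMPLE_LOG, {"myserver.example.org"}), 2):
        print(rule)
```

Run it against a real log with `proxy_abusers(open("/var/log/apache2/access.log").read(), {"your.host.name"})`; the threshold keeps a single stray request from blacklisting a legitimate visitor.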