Error message(s)

Explanation

You are running an Apache web server with PHP support, but the system does not suppress or deny the CONNECT method.
So, the following is possible with your host:
telnet <Enter your host's IP here> 80
CONNECT irc.freenet.de:6667 HTTP/1.1
Host: irc.freenet.de
<Enter a blank line here>
After doing this, you can communicate with the IRC server via a proxy connection through your host. This way, anyone can use your machine as a proxy without your knowledge. Anything the potential attacker does looks to others as if you were doing it.
This works not only with harmless IRC, but also with any other internet service that can be used through a proxy connection. A potential attacker could abuse this to trade pornographic material without your knowledge. Any police investigation would come to you sooner or later.

This is why most of the German IRCNET servers deny connections from hosts that permit this kind of connection.

Solution

Add the following section to your httpd.conf:
<Location />
    <Limit CONNECT>
        Order deny,allow
        Deny from all
    </Limit>
</Location>
This disables the CONNECT method. A potential attacker can no longer abuse your host, and you can use German IRCNET servers again.
But remember that you need to restart your web server for the change to take effect, and that the IRCNET servers cache the reject information about your host. Usually this takes about 30 minutes to reload.
You can see how long an IRCNET server caches the information via the /STATS a <servername> command.
/STATS a freenet.de
--- * rfc931 
--- * socks log,reject,careful,cache=10
--- * webproxy ports=8080;3128;80,log,reject,cache=15
--- a :End of STATS report
The value after the cache= tag in the line beginning with webproxy shows the number of minutes until your check result is removed from the cache.
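
To check from your own access log whether CONNECT requests were answered with a 2xx status (not refused) or rejected after the change, the following added example (not part of the original page) audits log lines. It assumes Apache's default common/combined LogFormat; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: default common/combined LogFormat:
#   host ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) '
)

def audit_connect(lines):
    """Return (answered_2xx, refused) lists of (client, target, status)
    for every CONNECT request found in the given access-log lines."""
    answered, refused = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "CONNECT":
            continue  # not a CONNECT request, or not a parsable line
        entry = (m.group("client"), m.group("target"), int(m.group("status")))
        (answered if 200 <= entry[2] < 300 else refused).append(entry)
    return answered, refused

def summarize(entries):
    """Count requests per (client, target) so repeated use stands out."""
    return Counter((client, target) for client, target, _ in entries)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [20/May/2008:10:01:12 +0200] "GET /index.php HTTP/1.1" 200 5123
198.51.100.7 - - [20/May/2008:10:02:40 +0200] "CONNECT irc.freenet.de:6667 HTTP/1.1" 200 -
198.51.100.7 - - [20/May/2008:10:02:58 +0200] "CONNECT irc.freenet.de:6667 HTTP/1.1" 200 -
203.0.113.5 - - [20/May/2008:10:45:03 +0200] "CONNECT irc.freenet.de:6667 HTTP/1.1" 403 202
203.0.113.5 - - [20/May/2008:10:45:09 +0200] "connect garbage" 400 226
""".splitlines()

if __name__ == "__main__":
    answered, refused = audit_connect(SAMPLE_LOG)
    for (client, target), n in summarize(answered).items():
        print(f"NOT REFUSED (2xx): {client} -> {target} x{n}")
    for (client, target), n in summarize(refused).items():
        print(f"refused: {client} -> {target} x{n}")
```

Any CONNECT line that still shows a 2xx status after the restart means the Limit block is not being applied to that request.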

Additional external links


URL: http://www.ircd.de/
As of: 2008-05-20 11:06