Error message(s)
- Denied access
- Open proxy on port 80 - access denied
Explanation
You are running an Apache web server with PHP support, but the system
does not suppress or deny the CONNECT method.
So, the following is possible with your host:
telnet <Enter your host's IP here> 80
CONNECT irc.freenet.de:6667 HTTP/1.1
Host: irc.freenet.de
<Enter a blank line here>
After doing this, you are able to communicate with the IRC server via a
proxy connection through your host. This way, your machine can be used
by anyone as a proxy without your knowledge. Anything the potential
attacker does looks to others as if you were doing it.
This does not only work with harmless IRC, but also with any other
Internet service that can be used through a proxy connection.
So, a potential attacker could abuse this possibility to trade
pornographic material without your knowledge. Any police investigation
would come to you sooner or later.
This is why most of the German IRCNET servers deny connections from
hosts which permit that kind of connection.
Solution
Add the following part to your httpd.conf:
<Location />
<Limit CONNECT>
Order deny,allow
Deny from all
</Limit>
</Location>
This disables the CONNECT method. No potential attacker can abuse your
host anymore, and you are able to use German IRCNET servers again.
But remember that you need to restart your web server for the change to
take effect, and that the IRCNET servers cache the reject information
about your host. Usually this takes about 30 minutes to reload.
You can see how long an IRCNET server caches the information via the
/STATS a <servername> command.
/STATS a freenet.de
--- * rfc931
--- * socks log,reject,careful,cache=10
--- * webproxy ports=8080;3128;80,log,reject,cache=15
--- a :End of STATS report
The value after the cache= tag in the line beginning with webproxy
shows the number of minutes until your check result is removed from the
cache.
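To see whether your host has already been used this way, and to confirm that CONNECT is refused after the change, you can scan the Apache access log for CONNECT requests and their status codes. The script below is an added example, not part of the original page; it assumes the common/combined log format, treats a 2xx status as "accepted", and runs on constructed sample lines.

```python
import re
from collections import Counter

# Apache common/combined log format (assumed):
# host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) '
)

def connect_requests(lines):
    """Yield (client, target, status) for every CONNECT request in the log."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "CONNECT":
            yield m.group("client"), m.group("target"), int(m.group("status"))

def summarize(lines):
    """Split CONNECT requests into accepted (2xx) and refused (anything else)."""
    accepted, refused = Counter(), Counter()
    for client, target, status in connect_requests(lines):
        bucket = accepted if 200 <= status < 300 else refused
        bucket[(client, target)] += 1
    return accepted, refused

# Constructed sample lines (documentation addresses), not from a real log.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "CONNECT irc.freenet.de:6667 HTTP/1.1" 200 -
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "CONNECT irc.freenet.de:6667 HTTP/1.1" 200 -
203.0.113.4 - - [01/Jan/2024:10:45:12 +0000] "CONNECT irc.freenet.de:6667 HTTP/1.1" 403 199
""".splitlines()

if __name__ == "__main__":
    accepted, refused = summarize(SAMPLE_LOG)
    # Accepted entries are the ones to investigate: the host acted as a proxy.
    for (client, target), n in accepted.most_common():
        print(f"ACCEPTED {n}x  {client} -> {target}")
    for (client, target), n in refused.most_common():
        print(f"refused  {n}x  {client} -> {target}")
```

After the configuration change and restart, new CONNECT entries should appear only in the refused group.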