httpd-users mailing list archives

From Brian Dessent <br...@dessent.net>
Subject Re: [users@httpd] Request !
Date Thu, 04 Sep 2003 00:04:35 GMT

KAN NAN wrote:
> 
> Dear friends,
> 
> I accept the points given by Mr. Garriss and Mr. Geoffrey.
> See, these are the log entries from Apache. It is really very
> difficult to identify what they were trying to do. The reason why I
> was quite sure that they were using telnet is, previously our system
> suffered, at that time I could see that these people were using
> CONNECT maila.microsoft.com:25....., so in my apache config file, I
> blocked all kinds of CONNECT requests. So, it solved me. But this time,
> just have a look at the log entries:
> 
> 211.147.1.82 - - [02/Sep/2003:08:59:31 +0100] "GET / HTTP/1.1" 400 380
> 211.147.1.82 - - [02/Sep/2003:08:59:43 +0100] "POST / HTTP/1.1" 500 604

First of all, please understand that a connection is a connection --
they all look the same to Apache.  The program servicing requests on
that port (Apache) has no -inherent- way to determine whether an
incoming connection is from someone using Telnet, wget, curl, a perl
module such as LWP::Simple, a browser such as Internet Explorer, or any
other of a large number of programs out there.  The only thing that
Apache has to go by is what the other end transmits; there's no way to
close off a port from one program and not another.  Yes, you can look at
the User-Agent field but that's hardly authoritative, and by that point
the request has already been sent, i.e. it's not a form of blocking.

Second, if you put a server on the public internet you should expect to
get some bad queries, it's just how the world works.  Most of the time,
they are from other infected machines (such as Code Red and Nimda) but
they can also be from random people telnetting into port 80 and typing
whatever they want.  However, Apache (and any other web server) has been
specifically designed with this in mind, and bad queries should not
affect operation in the least.

The above log entries are invalid queries most likely because they did
not include the "Host:" header that HTTP 1.1 requires.  They would not
have affected operation of your server in the least, as the server
simply sends an error message and continues along with its duties.

There are only three circumstances where I could imagine that bad or
malformed requests would be a serious issue:

1. If you are running a particularly old version of Apache that has a
vulnerability and someone is using it.  If this is the case you should
upgrade to a recent version.

2. The person on the other end is swamping you with millions of
requests.  In this case you should block that IP address or subnet in
the firewall or gateway router.

3. There's some new vulnerability not yet known to the Apache developers
and security research community.  This is highly unlikely, and if it
turned out to be the case there would most likely be a great deal of
noise being made about it by someone... i.e. it's not the kind of thing
you just stumble upon.

Now you said that these bad queries are affecting your operation
somehow.  The real question is, "How is that exactly?"  If you mean that
you're losing sleep over a few bad connections in a log file, then you
just need to relax (assuming your system is up to date of course.)  If
there's any sort of measurable performance impact from the occasional
bad request, then either something is configured wrong, or these queries
are more than infrequent and the source should be blocked.

Brian

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
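
Added example (not part of the original message, and not Apache project code): a small Python triage over access-log lines in Common Log Format that separates the occasional bad request from a source that is swamping the server, the distinction drawn in the reply above. The threshold, the verdict names and every sample line other than the two quoted in the thread are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

# Constructed sample: the first two lines mirror the entries quoted in the
# thread; the rest (documentation-range IPs, hostnames) are made up.
SAMPLE = """\
211.147.1.82 - - [02/Sep/2003:08:59:31 +0100] "GET / HTTP/1.1" 400 380
211.147.1.82 - - [02/Sep/2003:08:59:43 +0100] "POST / HTTP/1.1" 500 604
192.0.2.10 - - [02/Sep/2003:09:00:01 +0100] "GET /index.html HTTP/1.1" 200 1024
198.51.100.7 - - [02/Sep/2003:09:00:02 +0100] "CONNECT mail.example.test:25 HTTP/1.0" 405 300
""" + "".join(
    f'203.0.113.5 - - [02/Sep/2003:09:01:{s:02d} +0100] "GET /x HTTP/1.1" 400 380\n'
    for s in range(30)
)

def triage(log_text, max_errors_per_minute=20):
    """Return {ip: verdict}: 'ok', 'noise', 'proxy-probe' or 'block-candidate'.

    max_errors_per_minute is an assumed threshold; tune it to your traffic.
    """
    errors = defaultdict(lambda: defaultdict(int))  # ip -> minute -> error count
    verdict = {}
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not CLF rather than guessing
        ip, ts, request, status, _size = m.groups()
        verdict.setdefault(ip, "ok")
        if request.split(" ", 1)[0].upper() == "CONNECT":
            verdict[ip] = "proxy-probe"  # open-proxy relay attempt
        if int(status) >= 400:
            minute = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").replace(second=0)
            errors[ip][minute] += 1
    for ip, per_minute in errors.items():
        if max(per_minute.values()) > max_errors_per_minute:
            verdict[ip] = "block-candidate"  # sustained flood: firewall/router
        elif verdict[ip] == "ok":
            verdict[ip] = "noise"  # occasional bad request: no action needed
    return verdict

if __name__ == "__main__":
    for ip, v in sorted(triage(SAMPLE).items()):
        print(f"{ip:15s} {v}")
```

Only sources marked `block-candidate` call for a firewall or router rule; `noise` entries such as the two from the thread need no action on a patched server.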

