我收到索尼互动娱乐有限责任公司("SIE")的消息,说我的服务器滥用他们的服务。
我检查并确保:
- 除了我之外,没有人可以远程访问我的服务器。SSH和所有其他服务只接受我的IP,所有其他服务都被防火墙阻止
- Apache(httpd)没有被黑客入侵,没有PHP,任何活动脚本都在我的服务器上运行。
- 所有日志(系统,安全,消息等)都是空的或没有任何奇怪的
除了我发现的 apache 访问日志:
77.38.177.177 - - [30/Jun/2017:19:21:48 +0000] "CONNECT auth.api.sonyentertainmentnetwork.com:443 HTTP/1.1" 400 226 "-" "-"
138.201.29.228 - - [30/Jun/2017:19:21:48 +0000] "CONNECT www.stoiximan.gr:443 HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1409.70 Safari/537.36"
94.122.39.35 - - [30/Jun/2017:19:21:49 +0000] "A" 400 226 "-" "-"
77.108.80.2 - - [30/Jun/2017:19:20:48 +0000] "CONNECT artiwell.com:443 HTTP/1.1" 200 - "-" "-"
138.201.19.161 - - [30/Jun/2017:19:21:48 +0000] "CONNECT www.bet-at-home.com:443 HTTP/1.1" 200 - "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/17.0.1232.63 Safari/537.36"
77.108.80.2 - - [30/Jun/2017:19:21:48 +0000] "GET http://sea-tools.com.ua/oborudovanie/betonomeshalki/filter/287-k-werk HTTP/1.1" 200 25537 "-" "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.87 Safari/537.36"
94.158.152.58 - - [30/Jun/2017:19:21:49 +0000] "A" 400 226 "-" "-"
138.201.19.161 - - [30/Jun/2017:19:21:48 +0000] "GET http://sports.titanbet.com/en/e/5260805/Ansan-Police-v-Ansan-Greeners?mkt_grp_code=TMWIN HTTP/1.1" 200 25023 "-" "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.604.118 Safari/537.36"
117.1.114.50 - - [30/Jun/2017:19:21:49 +0000] "GET http://static.doubleclick.net/instream/ad_status.js HTTP/1.1" 200 29 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36"
94.158.152.58 - - [30/Jun/2017:19:21:49 +0000] "CONNECT static.doubleclick.net:443 HTTP/1.0" 200 - "-" "-"
185.71.186.147 - - [30/Jun/2017:19:21:49 +0000] "CONNECT static.sportsinteraction.net:443 HTTP/1.1" 200 - "-" "-"
我必须设置防火墙以拒绝对外部服务器的每个HTTP请求以终止该攻击。
通过我仍然有一些无法回答的问题是:
- 为什么有人可以使用我的apache连接到外部服务器?
- 他们怎么能做到这一点?如何在不使用防火墙阻止所有事情的情况下阻止此问题?
以下是我的 apache 虚拟主机配置:
NameVirtualHost *:80
<Directory "/data/websource">
DirectoryIndex index.html index.php
AllowOverride All
# Allow open access:
Require all granted
</Directory>
<VirtualHost *:80>
ServerName subdomain1.my.domain
DocumentRoot "web_root/subdomain1/source/www"
ServerAdmin postmaster@dummy-host2.localhost
ErrorLog "logs/subdomain1-error.log"
CustomLog "logs/subdomain1-access.log" combined
#turn on proxy
ProxyPreserveHost On
ProxyRequests On
ProxyPass /classroom1 http://xyz.my.other.ip/classroom1
ProxyPassReverse /classroom1 http://xyz.my.other.ip/classroom1
ProxyPass /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
ProxyPassReverse /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
ProxyPass /client/ http://xyz.my.other.ip/client/
ProxyPassReverse /client/ http://xyz.my.other.ip/client/
ProxyPass /bbb http://xyz.my.other.ip/
ProxyPassReverse /bbb http://xyz.my.other.ip/
ProxyPass /demo/ http://xyz.my.other.ip/demo/
ProxyPassReverse /demo/ http://xyz.my.other.ip/demo/
ProxyPass /streams.xml http://xyz.my.other.ip/streams.xml
ProxyPassReverse /streams.html http://xyz.my.other.ip/streams.html
ProxyPass /testjava.html http://xyz.my.other.ip/testjava.html
ProxyPassReverse /testjava.html http://xyz.my.other.ip/testjava.html
ProxyPass /myngleapi/ http://xyz.my.other.ip/myngleapi/
ProxyPassReverse /myngleapi/ http://xyz.my.other.ip/myngleapi/
ProxyPass /myngleapi http://xyz.my.other.ip/myngleapi
ProxyPassReverse /myngleapi http://xyz.my.other.ip/myngleapi
ProxyPass /help.html http://xyz.my.other.ip/help.html
ProxyPassReverse /help.html http://xyz.my.other.ip/help.html
ProxyPass /call.php http://www.source/mynglevline/call.php
ProxyPassReverse /call.php http://www.source/mynglevline/call.php
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain2.my.domain
DocumentRoot "web_root/subdomain1/source/admin"
ServerAdmin postmaster@dummy-host2.localhost
ErrorLog "logs/subdomain1-admin-error.log"
CustomLog "logs/subdomain1-admin-access.log" combined
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain3.my.domain
DocumentRoot "web_root/subdomain3/source/www"
ServerAdmin postmaster@dummy-host2.localhost
ErrorLog "logs/subdomain3-error.log"
CustomLog "logs/subdomain3-access.log" combined
#turn on proxy
ProxyPreserveHost On
ProxyRequests On
ProxyPass /classroom1 http://xyz.my.other.ip/classroom1
ProxyPassReverse /classroom1 http://xyz.my.other.ip/classroom1
ProxyPass /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
ProxyPassReverse /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
ProxyPass /client/ http://xyz.my.other.ip/client/
ProxyPassReverse /client/ http://xyz.my.other.ip/client/
ProxyPass /bbb http://xyz.my.other.ip/
ProxyPassReverse /bbb http://xyz.my.other.ip/
ProxyPass /demo/ http://xyz.my.other.ip/demo/
ProxyPassReverse /demo/ http://xyz.my.other.ip/demo/
ProxyPass /streams.xml http://xyz.my.other.ip/streams.xml
ProxyPassReverse /streams.html http://xyz.my.other.ip/streams.html
ProxyPass /testjava.html http://xyz.my.other.ip/testjava.html
ProxyPassReverse /testjava.html http://xyz.my.other.ip/testjava.html
ProxyPass /myngleapi/ http://xyz.my.other.ip/myngleapi/
ProxyPassReverse /myngleapi/ http://xyz.my.other.ip/myngleapi/
ProxyPass /myngleapi http://xyz.my.other.ip/myngleapi
ProxyPassReverse /myngleapi http://xyz.my.other.ip/myngleapi
ProxyPass /help.html http://xyz.my.other.ip/help.html
ProxyPassReverse /help.html http://xyz.my.other.ip/help.html
ProxyPass /call.php http://www.source/mynglevline/call.php
ProxyPassReverse /call.php http://www.source/mynglevline/call.php
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain4.my.domain
DocumentRoot "web_root/subdomain3/source/admin"
ServerAdmin postmaster@dummy-host2.localhost
ErrorLog "logs/subdomain3-admin-error.log"
CustomLog "logs/subdomain3-admin-access.log" combined
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain5.my.domain
DocumentRoot "web_root/subdomain5/source/www"
ServerAdmin postmaster@dummy-host2.localhost
ErrorLog "logs/release-error.log"
CustomLog "logs/release-access.log" combined
#turn on proxy
ProxyPreserveHost On
ProxyRequests On
ProxyPass /classroom1 http://xyz.my.other.ip/classroom1
ProxyPassReverse /classroom1 http://xyz.my.other.ip/classroom1
ProxyPass /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
ProxyPassReverse /bigbluebutton/ http://xyz.my.other.ip/bigbluebutton/
ProxyPass /client/ http://xyz.my.other.ip/client/
ProxyPassReverse /client/ http://xyz.my.other.ip/client/
ProxyPass /bbb http://xyz.my.other.ip/
ProxyPassReverse /bbb http://xyz.my.other.ip/
ProxyPass /demo/ http://xyz.my.other.ip/demo/
ProxyPassReverse /demo/ http://xyz.my.other.ip/demo/
ProxyPass /streams.xml http://xyz.my.other.ip/streams.xml
ProxyPassReverse /streams.html http://xyz.my.other.ip/streams.html
ProxyPass /testjava.html http://xyz.my.other.ip/testjava.html
ProxyPassReverse /testjava.html http://xyz.my.other.ip/testjava.html
ProxyPass /myngleapi/ http://xyz.my.other.ip/myngleapi/
ProxyPassReverse /myngleapi/ http://xyz.my.other.ip/myngleapi/
ProxyPass /myngleapi http://xyz.my.other.ip/myngleapi
ProxyPassReverse /myngleapi http://xyz.my.other.ip/myngleapi
ProxyPass /help.html http://xyz.my.other.ip/help.html
ProxyPassReverse /help.html http://xyz.my.other.ip/help.html
ProxyPass /call.php http://www.source/mynglevline/call.php
ProxyPassReverse /call.php http://www.source/mynglevline/call.php
</VirtualHost>
<VirtualHost *:80>
ServerName subdomain6.my.domain
DocumentRoot "web_root/subdomain5/source/admin"
ServerAdmin postmaster@dummy-host2.localhost
ErrorLog "logs/subdomain5-admin-error.log"
CustomLog "logs/subdomain5-admin-access.log" combined
</VirtualHost>
ProxyRequests On
这是你的问题,引用Apache的mod_proxy文档:
警告
在保护服务器之前,不要使用代理请求启用代理。开放的代理服务器对您的网络和整个互联网都是危险的。