
tunneling? whatever it is, is there any way of stopping it?



26-05-2002, 05:52 PM
I keep finding in my server logs that various people seem to use my server to access other websites; see below. What's going on, what is this doing to my rather limited bandwidth, and how can I stop this?

64.161.29.216 - - [26/May/2002:14:18:25 +1200] 'GET http://www.ropile.com HTTP/1.1' 200 1201
64.161.29.216 - - [26/May/2002:14:18:25 +1200] 'GET http://www.ropile.com HTTP/1.1' 200 1201 '-' 'ProxyHunter'

26-05-2002, 06:08 PM
I forgot to mention, I am running Apache for Windows on a Win98SE machine; it may also be relevant that I have a fixed IP address.

26-05-2002, 09:51 PM
I don't know exactly how to solve your problem, Chris, but in answer to the question about 'What is tunnelling?'

Thinking back to that data security lecture I mentioned in an earlier post.

Tunnelling is a form of secure communication on the internet. If I remember correctly, it is usually used for B2B communications over a secure line. Basically I think some package information is included with the data being transmitted so it is known to be from the correct source. I'm not sure of exactly how it all fits together, but somehow it's supposed to be difficult for any other information to infiltrate along with the correct information being transmitted (that is, nobody else can insert bogus information along with the genuine stuff) and I guess that means nobody can take it out either.

As I am an internet security cynic (I think the terms are an oxymoron) I'm not sure how safe this really is, but I suspect that perhaps if there is tunnelling going on it might be that it's just being routed through your server. Obviously I doubt any legitimate business organisation would use a server they don't know and trust, so the reason may well be nefarious >:-)

I'd suggest you certainly look for a way to stop it. Indeed, I'm only blabbing from a vague memory here and I'm sure someone else would be able to either confirm or tell me where I'm wrong, and provide you with more information on how to solve the problem :)

Callum

27-05-2002, 05:23 PM
You might have a major security problem. Are you intentionally using it as a proxy server?

It's not so much tunnelling you have there; your server is a 'proxy server'. That means that it is taking requests from clients, and sending the requests out, and passing the responses to the appropriate client. If the security is not set properly, it can comply with requests from people on the outside. That is a Very Bad Idea.

A Linux Apache would have to be recompiled with the proxy module included for this to happen at all. Then the 'httpd.conf' file would need the appropriate lines uncommented, and security set.

In Windows you might have to search for a file 'containing' 'ProxyRequests'. You could then change the 'On' in that line to 'Off', or if you have a network using the proxy to isolate the client machines from the Internet, you need the following lines to read:

'Order deny,allow'
'Deny from all'
'Allow from .your.domain.nz'

with the last line fixed with your domain name. Watch the number of '.'s ... the first one is the equivalent of wildcarding the hostnames in your domain.
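An added example (not from this thread or from the Apache project) that audits an httpd.conf fragment for the settings discussed above: whether ProxyRequests is On, and if so whether a <Proxy *> block denies outsiders by default. The three config fragments are constructed; '.example.net.nz' stands in for the poster's own domain. The Order/Deny/Allow syntax is the Apache 1.3/2.0 form used in the thread; Apache 2.4 expresses the same restriction with Require directives instead.

```python
# Constructed httpd.conf fragments in the Apache 1.3/2.0 syntax used in the thread.
# ".example.net.nz" is a placeholder for the poster's own domain.
WEAK_CONF = """
LoadModule proxy_module modules/mod_proxy.so
# Forward proxying switched on with nothing limiting who may use it.
ProxyRequests On
"""

RESTRICTED_CONF = """
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests On
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from .example.net.nz
</Proxy>
ProxyVia Full
"""

DISABLED_CONF = """
ProxyRequests Off
"""


def _directives(conf_text):
    """Yield (name, value) for every directive line, skipping blanks and comments."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def audit_proxy(conf_text):
    """Return (verdict, allowed_clients) for the forward-proxy exposure of a config.

    verdict is 'disabled' (ProxyRequests Off or absent), 'restricted' (On, but a
    <Proxy *> block contains 'Deny from all') or 'open' (On with no such deny, so
    the server fetches any "GET http://..." request it receives from anyone).
    """
    proxy_requests = "Off"      # Apache's default when the directive is absent
    in_proxy_block = False
    denies_all = False
    allowed = []
    for name, value in _directives(conf_text):
        lname = name.lower()
        if lname == "proxyrequests":
            proxy_requests = value
        elif lname == "<proxy" and value.rstrip(">").strip() == "*":
            in_proxy_block = True
        elif lname == "</proxy>":
            in_proxy_block = False
        elif in_proxy_block and lname == "deny" and value.lower() == "from all":
            denies_all = True
        elif in_proxy_block and lname == "allow" and value.lower().startswith("from "):
            allowed.append(value.split(None, 1)[1])
    if proxy_requests.lower() != "on":
        return "disabled", []
    return ("restricted" if denies_all else "open"), allowed


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("restricted", RESTRICTED_CONF), ("disabled", DISABLED_CONF)):
        print(label, audit_proxy(conf))
```

The allow list is returned so the leading dot can be checked by eye: as the post above says, '.example.net.nz' matches every hostname under that domain, while 'example.net.nz' without the dot would match only that exact name.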

27-05-2002, 11:54 PM
Thanks for that; quite frankly, I don't really have a clue what I am doing, but between reading the server logs and good old fashioned trial and error, I hope I will win over this.
As soon as I get paid (long story) I should move the whole thing over to a Linux box I am yet to complete, and then really get going...

Right now the proxy directive reads:

<Proxy *>
Order deny,allow
Deny from all
Allow from .something.net.nz
</Proxy>

I am of course something.net.nz

I also added this:

ProxyVia Full

which seems like a good idea; I assume that it adds a wee header saying where the original request came from, in case people can still use me as a proxy.

28-05-2002, 04:33 PM
Those settings look as if you *should* be OK. But I was worried by that 'ProxyHunter' in your first posting. That certainly looks as if someone tried to use your server. The trouble is that if that was successful, the next step would be to use you as the intermediary for distributing viruses, spam attacks, and things which could get *you* into trouble.

It would pay to set any logging options you have to make sure that you know what is coming in to your site and what is going out. Then have a look at them ... if you are getting pages for someone outside your domain and passing them back, kill your network connection immediately. People out there would love to find an 'open' server. They are looking 24/7 for such things.

I'll say 'RTFM' here: if you are running a web server connected to the Internet (especially with a fixed IP address), you will have to get up to speed with the security problems and fixes. There is an Apache site which will have links to all sorts of things. But there will be security problems built in --- especially with a Windows version.
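An added example, not from the thread, of the log review suggested above: it parses access-log lines in the combined format, flags every request whose target is an absolute URI for a host that is not our own (or a CONNECT tunnel request), and reports the client address, target, status and User-Agent. The sample lines are constructed, modelled on the excerpts posted in this thread; the set of own hostnames is a hypothetical value.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines modelled on the excerpts in this thread. They use the
# standard combined format with double quotes (the forum archive shows single quotes).
SAMPLE_LOG = """\
64.161.29.216 - - [26/May/2002:14:18:25 +1200] "GET http://www.ropile.com HTTP/1.1" 200 1201 "-" "ProxyHunter"
66.237.60.37 - - [28/May/2002:15:12:12 +1200] "GET / HTTP/1.0" 200 1201 "-" "Openfind data gatherer, Openbot/3.0"
61.145.233.228 - - [28/May/2002:15:35:49 +1200] "GET http://www.adm.com/ HTTP/1.1" 200 1201 "-" "-"
192.0.2.10 - - [28/May/2002:16:01:07 +1200] "GET http://www.something.net.nz/index.html HTTP/1.1" 200 1201 "-" "Mozilla/4.0"
203.0.113.5 - - [28/May/2002:16:05:00 +1200] "CONNECT mail.example.org:25 HTTP/1.0" 403 214 "-" "-"
"""

# Hypothetical: the hostnames this server legitimately answers for.
OWN_HOSTS = {"www.something.net.nz", "something.net.nz"}

# Combined log format: client, identd, user, [time], "request", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ua"] = entry["ua"] or "-"
    return entry


def is_proxy_request(entry, own_hosts=OWN_HOSTS):
    """True when the request asks this server to fetch some other origin:
    an absolute http(s) URI whose host is not ours, or a CONNECT tunnel request."""
    if entry["method"].upper() == "CONNECT":
        return True
    parts = urlsplit(entry["target"])
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower() not in own_hosts
    return False  # ordinary relative target such as "/" or "/index.html"


def proxy_attempts(log_text, own_hosts=OWN_HOSTS):
    """List (client_ip, target, status, user_agent) for each proxy-style request.

    A 200 here only says the server answered the request; whether it really
    fetched the remote page is a separate question.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_proxy_request(entry, own_hosts):
            hits.append((entry["ip"], entry["target"], entry["status"], entry["ua"]))
    return hits


if __name__ == "__main__":
    for ip, target, status, ua in proxy_attempts(SAMPLE_LOG):
        print(f"{ip:16} {status} {target}  ua={ua}")
```

Run against a real access log, the output answers the question the post above raises: which outside addresses are asking this server to fetch pages for them. One hint worth checking on each hit is the byte count: in the thread's excerpts the proxied requests return the same 1201 bytes as a plain "GET /", which is consistent with the server answering with its own front page rather than the remote site, i.e. the attempt being logged but not succeeding.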

28-05-2002, 04:42 PM
Still seeing it.. damn!
see below.
will keep playing with settings.....



66.237.60.37 - - [28/May/2002:15:12:12 +1200] 'GET / HTTP/1.0' 200 1201
66.237.60.37 - - [28/May/2002:15:12:12 +1200] 'GET / HTTP/1.0' 200 1201 '-' 'Openfind data gatherer, Openbot/3.0+(robot-response@openfind.com.tw;+http://www.openfind.com.tw/robot.html)'
61.145.233.228 - - [28/May/2002:15:35:49 +1200] 'GET http://www.adm.com/ HTTP/1.1' 200 1201
61.145.233.228 - - [28/May/2002:15:35:49 +1200] 'GET http://www.adm.com/ HTTP/1.1' 200 1201 '-'

28-05-2002, 05:36 PM
It *might* just be that they are trying ... without success. Can you turn proxying off completely? Isn't there a log for security type events? I haven't looked since my servers are purely local.
