
Today I noticed this entry in my log file:

Connection attempts using mod_proxy:
175.180.113.83 -> 66.135.210.61:80: 1 Time(s)

This is something I do not normally see in my logs. I have a few questions about this:

  1. What does this actually mean? Does this mean that someone tried to access my server through a proxied connection?
  2. What is the first IP address? Is this the originating IP?
  3. What is the second IP address? Is this the server they used as a proxy?
  4. If what I said for 2 and 3 is correct, how is it that Logwatch (or whatever in Linux is resolving this) can detect the originating IP? I thought that a proxy is supposed to help with anonymity and make it so that the originating IP address is completely masked?
  5. What does this mean? Are these requests usually from bots that are looking for additional security holes? What's the whole point of going through a proxy to access my server?

EDIT: It looks like 66.135.210.61 belongs to eBay and the other IP belongs to someone in Taiwan. Does this mean someone accessed my server through eBay? Shouldn't eBay's security be good enough to prevent things like that?

Thanks

Aaron

1 Answer


It actually means the opposite to what you suggested: the person in Taiwan accessed (or attempted to access) eBay via your server. It means that someone was using your machine as an open proxy. Most likely they were probing to see if you had an open proxy configured. The fact that the message says "attempted" would suggest that they didn't succeed, but a bit of Googling suggests that it may mean they actually got through. What you want to do is make sure you're not running mod_proxy and you disable the CONNECT verb if you don't need them.

An article I found that might be of use is http://www.davekb.com/browse_computer_tips:logwatch_connection_attempts_using_mod_proxy:txt

womble
  • Thanks very much! I don't even have the mod_proxy module installed so I am all set on that front. I'll have a look at disabling CONNECT. I was looking through my Apache access.log file and found this:
    175.180.113.83 - - [03/Jul/2011:22:25:14 -0400] "CONNECT 66.135.210.61:80 HTTP/1.1" 200 13888 "-" "-"
    175.180.113.83 - - [03/Jul/2011:22:25:15 -0400] "GET / HTTP/1.1" 200 0 "-" "-"
    Do you know if that means the person was able to connect to eBay via my site or not? – Aaron Jul 05 '11 at 05:06
  • My understanding is that a CONNECT request will succeed (return a 200 response) even if the proxying wasn't successful; the solution to that is to deny CONNECT if you don't need it. I strongly suspect that CONNECT log entry is what logwatch triggered on. – womble Jul 05 '11 at 14:09
  • How about if I want to have mod_proxy enabled but that it is limited who can access it? e.g. Using an Apache web server as frontend and connecting with mod_proxy to a backend (Tomcat/Jetty/...) – ssasa Oct 02 '13 at 06:47
  • What about it? Your question appears unrelated to my answer. You might do better to ask a new question, with all relevant context, than try to get a question answered in a comment on a two year old answer. – womble Oct 02 '13 at 23:13
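As an added example (not from the question, the answer, or Logwatch itself): a small Python scanner that reads Apache access-log lines like the two Aaron quoted above, picks out the requests that only make sense if the server is acting as a forward proxy (CONNECT, or a GET/POST with an absolute URI), and summarises them the way the "Connection attempts using mod_proxy" section does. The sample log is constructed with documentation addresses rather than the real ones from the question; as womble notes, a 200 on a CONNECT line is not proof the tunnel worked, so the status is reported but never used to filter.

```python
import re
from collections import Counter

# Apache "combined" log format, one request per line, e.g.
# 1.2.3.4 - - [03/Jul/2011:22:25:14 -0400] "CONNECT host:80 HTTP/1.1" 200 13888 "-" "-"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample, modelled on the entries quoted in the comments above
# (RFC 5737 documentation addresses stand in for the real ones).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jul/2011:22:25:14 -0400] "CONNECT 198.51.100.20:80 HTTP/1.1" 200 13888 "-" "-"
203.0.113.7 - - [03/Jul/2011:22:25:15 -0400] "GET / HTTP/1.1" 200 0 "-" "-"
203.0.113.9 - - [03/Jul/2011:23:01:02 -0400] "GET http://example.net/ HTTP/1.1" 404 201 "-" "-"
192.0.2.5 - - [04/Jul/2011:01:00:00 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.21"
"""


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_attempt(rec):
    """True for requests that only a forward proxy would honour.

    The client is the 'src' field (it is talking to our server directly, which
    is why the log shows its real address); 'target' is the host it asked us
    to reach on its behalf.  A 200 status on CONNECT is deliberately ignored.
    """
    if rec["method"].upper() == "CONNECT":
        return True
    # Normal origin requests carry a path ("/", "/index.html"); an absolute
    # URI in the request line is the other classic open-proxy probe.
    return rec["target"].lower().startswith(("http://", "https://"))


def summarize(log_text):
    """Return {(client_ip, requested_target): count} for proxy attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_proxy_attempt(rec):
            counts[(rec["src"], rec["target"])] += 1
    return dict(counts)


def report(log_text):
    """Render the summary in the same shape as the logwatch section."""
    lines = ["Connection attempts using mod_proxy:"]
    for (src, target), n in sorted(summarize(log_text).items()):
        lines.append(f"{src} -> {target}: {n} Time(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Pointed at a real access.log it reproduces the "client -> target" pairs from the question; the plain "GET /" on the next line is an ordinary request and is not counted.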