
One of our Mac Pro machines running Apache was inadvertently acting as a forward proxy with a public IP, after some organisation proxy rules changed.

Consequently, it was discovered by spammers, and since then it has been hammered on all sorts of ports from all sorts of IP addresses.

I've locked down the Apache proxy settings, and set up highly restrictive ipfw rules to deny all access from outside our private network (using NoobProof).

Is there anything else I should do to secure the server, or to reduce the number of requests coming through?

My team uses the machine for a number of applications, so it would be good to minimise downtime, and still allow them to access the same URL if I need to change the IP address.

brass-kazoo
    Changing the IP address should cut down on some of the "noise" traffic - possibly a significant amount. – user48838 Aug 22 '11 at 06:50
  • I can only agree with what user48838 and Sean Kimball said, but changing the outside IP should actually eliminate all current unauthorised use. Max downtime would be 24 hours: the IP change would be fairly instant, but most DNS providers give a 24-hour maximum time for them to change (although it often is within an hour). – HTDutchy Aug 22 '11 at 14:49
  • Found a good basic guide: http://blog.gnu-designs.com/techniques-for-slowing-downstopping-external-attacks-on-your-apache-server/ – brass-kazoo Aug 30 '11 at 01:45
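The question's lockdown has two halves: `ProxyRequests Off` in httpd.conf (so Apache no longer forwards requests for arbitrary hosts) and a firewall in front of it. The checker below is an added example, not code from the original post or from NoobProof; it scans a httpd.conf fragment for the exact condition that made the Mac Pro an open forward proxy, namely `ProxyRequests On` with no `<Proxy *>` block that denies clients by default. The three config fragments are constructed for illustration (Apache 2.2 `Order`/`Deny`/`Allow` syntax, with the 2.4 `Require` form also recognised); the network ranges and paths in them are assumptions.

```python
"""Audit an Apache config fragment for the open-forward-proxy misconfiguration.

Added example, not part of the original Server Fault post. Apache's default for
ProxyRequests is Off, so an unset directive is treated as Off.
"""
import re

# Constructed sample 1: the accidental open proxy (before the lockdown).
OPEN_PROXY_CONF = """
LoadModule proxy_module libexec/apache2/mod_proxy.so
LoadModule proxy_http_module libexec/apache2/mod_proxy_http.so
ProxyRequests On
ProxyVia On
"""

# Constructed sample 2: forward proxying disabled, reverse proxy for the team's
# app kept. 10.0.0.0/8 and /app are assumed values.
LOCKED_DOWN_CONF = """
LoadModule proxy_module libexec/apache2/mod_proxy.so
LoadModule proxy_http_module libexec/apache2/mod_proxy_http.so
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</Proxy>
ProxyPass /app http://127.0.0.1:8080/app
"""

# Constructed sample 3: a deliberate forward proxy that only serves the LAN.
# Still not "open", because <Proxy *> denies everyone else.
INTRANET_PROXY_CONF = """
ProxyRequests On
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/16
</Proxy>
"""

_COMMENT = re.compile(r"^[ \t]*#.*$", re.MULTILINE)
_PROXY_REQUESTS = re.compile(r"^[ \t]*ProxyRequests[ \t]+(On|Off)\b",
                             re.IGNORECASE | re.MULTILINE)
_PROXY_BLOCK = re.compile(r"<Proxy[ \t]+\*>(.*?)</Proxy>", re.IGNORECASE | re.DOTALL)


def _clients_restricted(block: str) -> bool:
    """True if a <Proxy *> body denies clients by default.

    Accepts the 2.2 form ('Deny from all') and the 2.4 form ('Require ip/local/host'
    or 'Require all denied'); 'Require all granted' is an explicit open policy.
    """
    body = block.lower()
    if re.search(r"^[ \t]*require[ \t]+all[ \t]+granted", body, re.MULTILINE):
        return False
    if re.search(r"^[ \t]*deny[ \t]+from[ \t]+all", body, re.MULTILINE):
        return True
    if re.search(r"^[ \t]*require[ \t]+all[ \t]+denied", body, re.MULTILINE):
        return True
    return bool(re.search(r"^[ \t]*require[ \t]+(ip|local|host)\b", body, re.MULTILINE))


def audit_proxy_config(conf: str) -> dict:
    """Return what the fragment says about forward proxying and whether it is open."""
    text = _COMMENT.sub("", conf)
    settings = _PROXY_REQUESTS.findall(text)
    proxy_requests = settings[-1].lower() if settings else "off"  # last directive wins
    blocks = _PROXY_BLOCK.findall(text)
    restricted = any(_clients_restricted(b) for b in blocks)
    return {
        "proxy_requests": proxy_requests,
        "has_proxy_block": bool(blocks),
        "clients_restricted": restricted,
        # The condition from the question: forwarding on, nobody denied.
        "open_forward_proxy": proxy_requests == "on" and not restricted,
    }


if __name__ == "__main__":
    for name, conf in (("open", OPEN_PROXY_CONF),
                       ("locked down", LOCKED_DOWN_CONF),
                       ("intranet-only", INTRANET_PROXY_CONF)):
        print(f"{name:14s} {audit_proxy_config(conf)}")
```

Run it against the real httpd.conf (and anything it `Include`s) rather than a fragment; the check is only as good as the text it sees. It deliberately does not treat a firewall rule as a substitute: `ProxyRequests Off` is the setting that removes the capability, the ipfw rules only limit who can reach it.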

1 Answer


A combination of blockhosts and mod_evasive has always worked very well for me, though once you have closed up all the holes, the spurious connections should drop off pretty rapidly. Changing IP may help, but may not be worth the effort if it's a public address, since many of your attacks are possibly pointed at the name rather than the IP address.

Sean Kimball
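The answer's two tools both work by reading the access log and deciding which clients to cut off: mod_evasive counts requests per client in a short window, blockhosts turns repeat offenders into firewall rules. The script below is an added example of that logic, not code from either project or from the answer; it runs the same kind of check over a handful of constructed combined-format log lines, and additionally flags the signature of the abuse in the question, requests whose target is an absolute URL or a `CONNECT host:port` (what a client sends to a forward proxy, and what a spammer probing for an open relay to port 25 looks like). The IPs, timestamps, threshold and ipfw rule numbers are assumptions.

```python
"""Pick out proxy-abusing clients from Apache access-log lines.

Added example, not mod_evasive or blockhosts code. Two detections:
  - rate: more than MAX_HITS requests from one IP inside WINDOW_SECONDS
    (the idea behind mod_evasive's per-client thresholds);
  - proxy_probe: a request line addressed to a forward proxy.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def _line(ip, sec, req, status=200):
    """Build one constructed combined-format log line (second within 06:50)."""
    return f'{ip} - - [22/Aug/2011:06:50:{sec:02d} +0000] "{req}" {status} 512 "-" "curl/7.19"'


# Constructed sample log: one scanner hammering the proxy, one normal LAN
# client, and one host probing for SMTP relay via CONNECT.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "GET http://example.com/ HTTP/1.1", 403) for s in range(12)]
    + [_line("10.0.0.5", s, "GET /app/index.html HTTP/1.1") for s in (3, 20, 45)]
    + [_line("198.51.100.9", s, "CONNECT mail.example.net:25 HTTP/1.0", 405) for s in (7, 8)]
)


def parse_line(line):
    """Return (ip, timestamp, request_line) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def is_proxy_probe(request_line):
    """A forward-proxy request carries an absolute URI, or uses CONNECT."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    method, target = parts[0].upper(), parts[1].lower()
    return method == "CONNECT" or target.startswith(("http://", "https://"))


def find_offenders(lines, max_hits=10, window_seconds=10):
    """Return {'rate': set_of_ips, 'proxy_probe': set_of_ips}."""
    stamps = defaultdict(list)
    probes = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of crashing on them
        ip, ts, req = parsed
        stamps[ip].append(ts)
        if is_proxy_probe(req):
            probes.add(ip)

    rate = set()
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_hits:
                rate.add(ip)
                break
    return {"rate": rate, "proxy_probe": probes}


def ipfw_deny_rules(ips, first_rule=1000):
    """Render ipfw deny rules for the offenders (strings only; nothing is executed)."""
    return [f"ipfw add {first_rule + i} deny ip from {ip} to any"
            for i, ip in enumerate(sorted(ips))]


if __name__ == "__main__":
    result = find_offenders(SAMPLE_LOG)
    print("rate offenders :", sorted(result["rate"]))
    print("proxy probes   :", sorted(result["proxy_probe"]))
    for rule in ipfw_deny_rules(result["rate"] | result["proxy_probe"]):
        print(rule)
```

The rule strings are meant to be reviewed, not piped straight into a root shell: anything that feeds log-derived values into firewall commands needs the IP validated first, and a whitelist for the private network so a misbehaving internal client cannot lock the team out.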