How my Apache server became a malicious free internet proxy

53 points by MariuszGalus, over 9 years ago

7 comments

SignMeTheHELLUp, over 9 years ago
"How my Apache server became a malicious free internet proxy"

tl;dr: Negligence, and failing to RTFM.

What really horrifies me is the author doesn't seem to understand the magnitude of their error. The final quip at the end illustrates this. "Ha! someone searched manslaughter over my proxy! I had a lot of fun reading my open proxy logs..."

I wonder how many stolen credit card transactions were done over his proxy, causing headaches for many innocent people? Or worse?
bognition, over 9 years ago
This is a perfect example of why most people should not run their own hardware. Don't get me wrong, it's really fun to build and configure your own server and I openly encourage people to learn, but I also remind them that it's extremely difficult (for a novice) to do securely.

Additionally, connecting a misconfigured server to the internet doesn't just hurt the server owner but the entire network is affected, as you are providing another piece of hardware that malicious actors can use to execute their attacks.
wiradikusuma, over 9 years ago
Honest question from a developer perspective: Why isn't there any "best practice/hardened by default" wizard-style configuration, something people can do right after they install their OS? E.g.:

Welcome to Best Practice Linux. Click Next to continue. Which http server you want (httpd/lighttpd/...). Click Next to continue. (you get the idea).

Something like apt-get but with best-practice defaults.
userbinator, over 9 years ago
As someone who's used open proxies to get around geo-IP-tracking/restrictions/censoring, I get the point about excessive bandwidth usage (you can apply per-IP ratelimiting for that), but it does make me a bit sad that open proxies are now considered "malicious"...
nostalgiac, over 9 years ago
So you got to the end solution of... uninstalling fail2ban to fix it? You didn't bother to check WHY it was maxing out the CPU?

Glad you got the issue resolved though and didn't fork over the $10 because you would've just run into the same issue in the future if you didn't get to the root cause of it (misconfigured Apache).
jawshie, over 9 years ago
Any idea what the actual vulnerability was?
mkhpalm, over 9 years ago
As a long-time Apache user I've never understood using its proxy modules for stuff like this. I've always felt like it's much cleaner to just use a small daemon process built solely for the task of reverse proxy or balancing, e.g. haproxy, pound, etc.