
On my debian 11 based mailserver I noticed some entries in my daily logs:

--------------------- httpd Begin ------------------------
Connection attempts using mod_proxy:

161.35.188.242 -> leakix.net:443: 1 Time(s)
92.118.39.30 -> example.com:443: 2 Time(s)

This happens almost every day for 1-3 entries with different IPs.

Researching just gives me results with httpd being a part of apache2, which I didn't install. I found some references for httpd being related to nginx, which is part of my server setup.

cat /var/log/nginx/access.log | grep 161.35.188.242

indeed gives me various connection attempts to my server via the given IPs. Different threads recommend disabling mod_proxy in /etc/httpd/conf/httpd.conf and commenting out everything in /etc/httpd/conf.d/proxy_ajp.conf. I don't have those files or even the httpd folder. There is an apache2 folder in /etc/, but it only contains php config stuff. I guess it's part of iRedMail to create a WebGUI for the mail access.

There also seems to be a bug with apache 2.2 and apache 2.4 that will return a 200 (success) status code and the contents of the index.php site. To prevent this it's recommended to create a disable_connect.conf file in /etc/httpd/conf.d/ with some input (1), but I still don't have a /etc/httpd/ folder.

How do I get rid of mod_proxy, as it poses a potential security risk?

(1) https://www.davekb.com/browse_computer_tips:logwatch_connection_attempts_using_mod_proxy:txt?computer_tips:logwatch_connection_attempts_using_mod_proxy:txt

EDIT: Grégory Boddin suggested using

curl -kx http(s)://<your-server-ip>:<your-server-port> http://ifconfig.me

http:80 results in:

curl: (56) Received HTTP code 400 from proxy after CONNECT

https:443 results in:

curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.xxx.xxx' More details here: curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

tillewolle
  • I would start by understanding what software you have installed and how it's configured. You don't seem to grasp what you're asking. – vidarlo Sep 23 '22 at 12:58
  • That's what I'm at right now. Tool for tool. But this question specially asks about httpd because it usually seems to be an apache2 problem, which is not configured in my setup. That's why I'm asking. – tillewolle Sep 26 '22 at 06:30

1 Answer


I suggest checking if your server is vulnerable to proxying this way:

$ curl -kx http(s)://<your-server-ip>:<your-server-port> http://ifconfig.me

And

$ curl -kx http(s)://<your-server-ip>:<your-server-port> https://ifconfig.me

The first check will ensure you're not proxying requests through the GET method, the second through the CONNECT method.

If any of those commands prints your server's IP, it is vulnerable; otherwise you're safe!

Hope it helps.

Grégory Boddin
  • The two commands look like they're the same. I get the following output (censored my ip): curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.xxx.xxx' More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above. – tillewolle Sep 19 '22 at 11:55
  • Tried it again, once with http and once with https. http: curl: (56) Received HTTP code 400 from proxy after CONNECT https: is the same output as the comment before. I'll give more info in the OG post. – tillewolle Sep 22 '22 at 09:09
  • Then it should be fine. The fact that you got an SSL error means the certificate was not for ifconfig.me (a service that shows your IP), but your server instead, and the request was not proxied. A 400 means the method was not recognized and the request was not proxied, which is good too! As the log says, they were attempts! I don't know how iRedMail uses mod_proxy internally, but it seems well configured; disabling it might cause issues with your webmail. Hope it helped! – Grégory Boddin Sep 23 '22 at 12:04
  • Thanks! Then I'm relieved! But can you tell me the difference between your two commands? You wrote about GET and CONNECT method. But it looks like you used the same command twice. – tillewolle Sep 26 '22 at 06:32
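The two checks from the answer, written out as the raw HTTP that curl sends so the GET versus CONNECT difference asked about in the last comment is visible. This is an added example in Python, not the answerer's code; it assumes the server being tested is your own, and the placeholder address and the sample responses in the comments are constructed.

```python
import re
import socket
import ssl

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def build_get_request(target="ifconfig.me"):
    # curl -x ... http://ifconfig.me sends an absolute-URI GET; a forwarding
    # proxy fetches it and relays the body, i.e. your server's public IP.
    return f"GET http://{target}/ HTTP/1.1\r\nHost: {target}\r\nAccept: */*\r\n\r\n"

def build_connect_request(target="ifconfig.me", port=443):
    # curl -x ... https://ifconfig.me sends CONNECT; a tunnelling proxy
    # answers 200 and then passes the TLS bytes straight through.
    return f"CONNECT {target}:{port} HTTP/1.1\r\nHost: {target}:{port}\r\n\r\n"

def classify(response: bytes, method: str) -> str:
    """Decide from the raw response whether the server acted as a proxy."""
    head, _, body = response.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0].decode("latin-1", "replace").split(" ", 2)
    code = int(status[1]) if len(status) > 1 and status[1].isdigit() else 0
    if method == "CONNECT":            # anything but 200 (e.g. 400): no tunnel
        return "open-proxy" if code == 200 else "not-proxied"
    body_text = body.decode("latin-1", "replace").strip()
    # A 200 carrying the local index page (the Apache quirk in the question)
    # is not proxying; only a bare IP in the body means ifconfig.me answered.
    if code == 200 and IPV4.fullmatch(body_text):
        return "open-proxy"
    return "not-proxied"

def probe(server: str, port: int, use_tls: bool, method: str) -> str:
    """Run one of the two checks against your own server (needs network)."""
    req = build_connect_request() if method == "CONNECT" else build_get_request()
    sock = socket.create_connection((server, port), timeout=10)
    if use_tls:                        # like curl -k: skip certificate checks
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=server)
    chunks = []
    with sock:
        sock.sendall(req.encode())
        try:
            while len(b"".join(chunks)) < 65536:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:         # keep-alive server: judge what we got
            pass
    return classify(b"".join(chunks), method)
```

To repeat the answer's two commands, call probe("<your-server-ip>", 80, False, "GET") and probe("<your-server-ip>", 443, True, "CONNECT"); "not-proxied" on both matches the 400 and certificate errors seen in the question.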