[cross-project-issues-dev] vserver owners: new, restricted firewall sett

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[cross-project-issues-dev] vserver owners: new, restricted firewall settings

From: "Eclipse Webmaster (Denis Roy)" <webmaster@xxxxxxxxxxx>
Date: Thu, 31 May 2007 20:25:25 -0400
Delivered-to: cross-project-issues-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev>
List-help: <mailto:cross-project-issues-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev>, <mailto:cross-project-issues-dev-request@eclipse.org?subject=unsubscribe>
User-agent: Thunderbird 2.0.0.0 (X11/20070326)

Greetings,

If your project owns a vserver at eclipse.org, the following informationmay be useful for you.

This afternoon I discovered that one of the project vservers was actingas an Open Proxy - meaning anyone could use it to browse the web and toestablish all kinds of connections on behalf of it.

The open server was used as a relay for SPAM bots, sending bulk e-mailsand posting SPAM messages on web forms everywhere (I'm sure you've seenthese types of SPAM comments on blog sites and web forums before).Additionally, the server was being used to probe for other vulnerableand open systems. At one point today, this server was consuming 7% ofeclipse.org's bandwidth to do harm.

This is serious stuff, as some sites targeted by the attacks are veryhigh-profile sites.

In light of this, tomorrow we will be applying new rules to our firewallto restrict all outgoing Internet-bound connections from all the projectvservers. Your users will still be able to connect to the servicesoffered by the server itself, but the server won't be able to establishany outbound communication. No exceptions will be made.

It's unfortunate to have to revert to these restrictions; however,security and good Internet citizenship are among the values we strive tomaintain at eclipse.org. Please remember that Matt, Karl and I (yourEclipse webmasters) are here to help you configure your vservers formaximum security, and we'll *always* treat your "I want to do X but wantto do it securely" requests with the highest priority.

Thanks for reading. Please forward this message to the vservermaintainer of your project, if they are not on this list.


Denis



NITTY GRITTY TECH STUFF

When using Apache's mod_proxy to create a reverse proxy, theProxyRequests directive does not need to be On. Enabling ProxyRequestswithout setting access limits instantly turns your Apache into an OpenProxy, and not only for http -- anyone can use your mod_proxy to connectto any host on any port. Many e-mail spammers often use Open Proxies toanonymously relay e-mail through an Open SMTP Relay on anotherill-configured machine.

The mod_proxy documentation has a prominent warning about this at thetop of the page: http://httpd.apache.org/docs/2.0/mod/mod_proxy.html


--

Eclipse WebMaster - webmaster@xxxxxxxxxxx

Questions? Consult the WebMaster FAQ athttp://wiki.eclipse.org/index.php/Webmaster_FAQ

View my status at http://wiki.eclipse.org/index.php/WebMaster

Are you registered for EclipseCON 2007 yet?
http://www.eclipsecon.org/

Prev by Date: Re: [cross-project-issues-dev] Feedback on the europa update site
Next by Date: [cross-project-issues-dev] DSDP-DD updated
Previous by thread: [cross-project-issues-dev] MDT OCL and EMF QTV RC2
Next by thread: [cross-project-issues-dev] features-birt.xml has been updated for Europa RC2
Index(es):
- Date
- Thread

Breadcrumbs