[cross-project-issues-dev] vserver owners: new, restricted firewall settings
Greetings,
If your project owns a vserver at eclipse.org, the following information
may be useful for you.
This afternoon I discovered that one of the project vservers was acting
as an Open Proxy - meaning anyone could use it to browse the web and to
establish all kinds of connections on behalf of it.
The open server was used as a relay for SPAM bots, sending bulk e-mails
and posting SPAM messages on web forms everywhere (I'm sure you've seen
these types of SPAM comments on blog sites and web forums before).
Additionally, the server was being used to probe for other vulnerable
and open systems. At one point today, this server was consuming 7% of
eclipse.org's bandwidth to do harm.
This is serious stuff, as some sites targeted by the attacks are very
high-profile sites.
In light of this, tomorrow we will be applying new rules to our firewall
to restrict all outgoing Internet-bound connections from all the project
vservers. Your users will still be able to connect to the services
offered by the server itself, but the server won't be able to establish
any outbound communication. No exceptions will be made.
It's unfortunate to have to revert to these restrictions; however,
security and good Internet citizenship are among the values we strive to
maintain at eclipse.org. Please remember that Matt, Karl and I (your
Eclipse webmasters) are here to help you configure your vservers for
maximum security, and we'll *always* treat your "I want to do X but want
to do it securely" requests with the highest priority.
Thanks for reading. Please forward this message to the vserver
maintainer of your project, if they are not on this list.
Denis
NITTY GRITTY TECH STUFF
When using Apache's mod_proxy to create a reverse proxy, the
ProxyRequests directive does not need to be On. Enabling ProxyRequests
without setting access limits instantly turns your Apache into an Open
Proxy, and not only for http -- anyone can use your mod_proxy to connect
to any host on any port. Many e-mail spammers often use Open Proxies to
anonymously relay e-mail through an Open SMTP Relay on another
ill-configured machine.
The mod_proxy documentation has a prominent warning about this at the
top of the page: http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
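To make the point above concrete, here is an added example (it is not part of Denis's message and not the configuration of any eclipse.org vserver) that places the open-proxy misconfiguration beside a correct reverse-proxy setup and, for completeness, beside a forward proxy locked down to one network. The backend address 127.0.0.1:8080, the /app/ path and the 192.168.0.0/16 range are made-up values for illustration; the access-control syntax is that of Apache 2.0/2.2, which the linked documentation describes.

```apache
# Added example, not from the original message. Hostnames, paths and the
# network range are assumptions for illustration only.

# ---------------------------------------------------------------------------
# BAD: this is the Open Proxy described in the message.
# ProxyRequests On makes Apache a forward proxy. With no <Proxy *> section
# limiting who may use it, anyone on the Internet can fetch any http:// URL
# through this server, and can use the CONNECT method to tunnel raw TCP to
# the ports AllowCONNECT permits (443 and 563 unless changed), which is all
# a spam bot needs to reach an SMTP relay elsewhere.
# ---------------------------------------------------------------------------
ProxyRequests On
ProxyVia On

# ---------------------------------------------------------------------------
# GOOD: a reverse proxy, which is what a project vserver normally wants.
# Only ProxyPass / ProxyPassReverse are needed. ProxyRequests Off is already
# the default, but stating it prevents a later copy-and-paste from turning
# forward proxying on by accident. The <Proxy *> block here only says who may
# reach the proxied path; it does not enable forward proxying.
# ---------------------------------------------------------------------------
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
# Map one public path to one backend (hypothetical: an app on localhost).
ProxyPass        /app/ http://127.0.0.1:8080/app/
ProxyPassReverse /app/ http://127.0.0.1:8080/app/

# ---------------------------------------------------------------------------
# ONLY IF a forward proxy is genuinely required: deny everyone by default,
# allow a single trusted network, and limit CONNECT to the port actually
# needed. Without the Deny/Allow pair this is the BAD case again.
# ---------------------------------------------------------------------------
ProxyRequests On
ProxyVia On
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.0.0/16
</Proxy>
AllowCONNECT 443
```

Note that the three stanzas are alternatives, not one file: pick the reverse-proxy stanza unless there is a documented reason for the third. On Apache 2.4 the access-control lines inside <Proxy> become `Require all granted`, `Require all denied` and `Require ip 192.168.0.0/16` respectively. To verify a vserver from outside, run `curl -x http://your.vserver.example:80 http://www.example.com/` (hostnames assumed): a response that is the foreign site's page means the server is still an open proxy; a 403 or the server's own error page means forward proxying is off.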
--
Eclipse WebMaster - webmaster@xxxxxxxxxxx
Questions? Consult the WebMaster FAQ at
http://wiki.eclipse.org/index.php/Webmaster_FAQ
View my status at http://wiki.eclipse.org/index.php/WebMaster
Are you registered for EclipseCON 2007 yet?
http://www.eclipsecon.org/