Monday, November 1, 2010

Fire on Proxy?

No, luckily there's no fire on the proxy server. However, you might have noticed these entries being logged in your web server log file: - - [01/Nov/2010:11:47:49 +0300] GET HTTP/1.1 "404" 3653 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"

If you have done your job, as in searching Google for some clues, most likely you will see comments in forums, saying since your server returns 404 file not found (or sometimes 400 as bad request) there's nothing to worry about, but fail to explain what that request is.

Now, that is actually a scanning carried out by some sort of software / (ro)bots that are trying hard to check if your web server is acting as a proxy server. And you might have guessed, PF is just one of the software that anyone could use to scan for "free"/"public" proxy servers.

A pseudo scanning case looks something like:
1) Enters a range of IP address to be scanned, e.g. -
2) Selects a proxy judge.
3) Loops through the IP addresses, checks each of the IP whether it is active, and tests if it is a web server if it's active.
4) Issues a GET command to the web server, requesting for the Url to the selected proxy judge.
5) Interpret the response from the server - if the response is valid, the server will be classified accordingly based to the result from the proxy judge.

You're asking what is a proxy judge? It is some sort of scripts coded to show the level of anonymity of a proxy server, e.g. transparent, highly anonymous, etc. And, is just one of them. There's no harm visiting this Url from your browser, it would just show what your browser sends to the proxy judge. However, from the scanner point of view, it would actually see what your web server sends over, and uses that information to categorize the anonymity level. Of course, these scanners would discard invalid responses such as 400, 404, 500 and so on. So yes they are right to say you may safely ignore these log entries.

But. If you are using a front-back web server model - one front-facing web server that is acting as a cache/proxy to the back-end web server, then please make sure the front-end server is configured to serve only the domain that it is responsible for and not any others. This also means you need to do something if you are seeing entries with response code 200, such as: - - [02/Nov/2010:14:45:32 +0000] GET HTTP/1.1 "200" 421345780 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" "-"

So, this is what Fire on Proxy is all about. Take care of your servers, and don't let them run wildly in the data center.

PS: Some of you might have noticed that the bytes returned for the particular request is huge - 421345780 (read. 401MB). It is actually a junk file that we put on our servers to let the kiddie scanners download whenever they request for "fastenv". Yes, it's a junk file created with dd if=/dev/urandom. Oh, and the file is actually much larger than 401MB. :)

No comments:

Post a Comment