BonnyCI / projman

A project management repository -- meta

Apache misconfigured on elk host #206

Closed jesusaurus closed 7 years ago

jesusaurus commented 7 years ago

While checking the apache access log to verify that kibana is working, I noticed many arbitrary websites being accessed, such as:

elk:80 104.247.197.136 - - [05/Apr/2017:17:15:48 +0000] "GET http://cmd.internalcmd.com:5223/kss_admin/index.php HTTP/1.1" 200 1849 "-" "BaiduSpider"
elk:80 114.215.69.178 - - [05/Apr/2017:17:15:48 +0000] "CONNECT booking.jetstar.com:443 HTTP/1.1" 500 809 "-" "Apache-HttpClient/4.5.2 (Java/1.7.0_80)"
elk:80 27.156.121.7 - - [05/Apr/2017:17:15:48 +0000] "GET http://dict.youdao.com/ HTTP/1.1" 200 0 "http://dict.youdao.com" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
elk:80 198.20.175.132 - - [05/Apr/2017:17:15:49 +0000] "GET http://server.cpmstar.com/view.aspx?poolid=74275&script=1&rnd=191110 HTTP/1.1" 200 1205 "http://playtowerdefensegames.com/" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; de) Opera 11.51"
elk:80 58.221.58.187 - - [05/Apr/2017:17:15:48 +0000] "GET http://dealer.api.00bang.net/v3/Coupon/GetAuthKey?callback=jsonpcallback.GetAuthKeyCallback&authkey=&_=1491412549452 HTTP/1.1" 200 434 "http://www.sgmw.com.cn/activities/20161101/index.html" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2)"
elk:80 101.201.45.72 - - [05/Apr/2017:17:15:47 +0000] "GET http://cjob.gov.cn/search.html?AAB004=&TYPE=4&orderType=score&zcType=&pageNo=68&AREA=440300 HTTP/1.1" 404 255 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
elk:80 35.187.4.176 - - [05/Apr/2017:17:15:49 +0000] "GET https://ffs-gaming.com HTTP/1.1" 500 803 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/4.0; InfoPath.2; SV1; .NET CLR 2.0.50727; WOW64)"
elk:80 142.234.27.66 - - [05/Apr/2017:17:15:49 +0000] "GET http://pianziweb.com HTTP/1.1" 400 334 "http://pianziweb.com" "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)"
elk:80 123.249.24.231 - - [05/Apr/2017:17:15:49 +0000] "GET http://vip.hg927.com/Commpart/GetMessageCount?jsonPost=1&t=1491264213 HTTP/1.1" 400 0 "-" "-"

Note that some are returning 200s.
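
The request lines above are the two signatures of a server that is acting as a forward proxy: absolute-URI requests (`GET http://other-host/...`) and `CONNECT host:443` tunnel requests, which an origin server never needs to serve. The following detector is an added example, not code from this issue or from the hoist project. It assumes the `vhost_combined`-style log format shown above (`%v:%p` prefix before the usual combined fields), and the sample lines and the `LOCAL_NAMES` set are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Apache "vhost_combined"-style line, as in the issue:
#   %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>[^\s:]+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Names this server legitimately answers to (assumed for the example).
LOCAL_NAMES = {"elk", "elk.bonnyci.org"}


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def proxy_reason(entry, local_names=LOCAL_NAMES):
    """Explain why a request looks like a forward-proxy request, or return None."""
    method, target = entry["method"], entry["target"]
    if method.upper() == "CONNECT":
        # A tunnel request only makes sense to a forward proxy.
        return "CONNECT tunnel request for %s" % target
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        # Absolute-URI request lines are the proxy form of HTTP/1.1; for a host that is
        # not ours they mean the client expected this server to fetch it on its behalf.
        host = (parts.hostname or "").lower()
        if host not in local_names:
            return "absolute-URI request for third-party host %s" % host
    return None


def find_proxy_abuse(lines, local_names=LOCAL_NAMES):
    """Return one record per log line that looks like a proxy request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reason = proxy_reason(entry, local_names)
        if reason is not None:
            hits.append({"client": entry["client"], "method": entry["method"],
                         "target": entry["target"], "status": entry["status"],
                         "reason": reason})
    return hits


def served_count(hits):
    """Proxy requests answered with 2xx: the cases where the proxy actually worked."""
    return sum(1 for h in hits if 200 <= h["status"] < 300)


# Constructed sample lines (RFC 5737 test addresses, example.* hosts) in the format above.
SAMPLE_LOG = [
    'elk:80 203.0.113.10 - - [05/Apr/2017:17:15:48 +0000] "GET http://www.example.com/index.php HTTP/1.1" 200 1849 "-" "ExampleBot/1.0"',
    'elk:80 203.0.113.11 - - [05/Apr/2017:17:15:48 +0000] "CONNECT www.example.net:443 HTTP/1.1" 500 809 "-" "Apache-HttpClient/4.5.2 (Java/1.7.0_80)"',
    'elk:80 198.51.100.5 - - [05/Apr/2017:17:15:49 +0000] "GET /app/kibana HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    'elk:80 198.51.100.6 - - [05/Apr/2017:17:15:49 +0000] "GET http://elk.bonnyci.org/app/kibana HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_proxy_abuse(SAMPLE_LOG)
    for h in hits:
        print("%s %s %s -> %d (%s)" % (h["client"], h["method"], h["target"], h["status"], h["reason"]))
    print("proxy requests: %d, served with 2xx: %d" % (len(hits), served_count(hits)))
```

The split between "flagged" and "served with 2xx" matters: a 4xx/5xx answer to a proxy request shows the server is being probed, while a 200 shows it is actually relaying, which is the point of the "some are returning 200s" remark above.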

jesusaurus commented 7 years ago

It looks like the vhost configuration has several unwanted server aliases:

<VirtualHost _default_:80>
  ServerName elk

  ServerAlias _
  ServerAlias _
  ServerAlias o
  ServerAlias m
  ServerAlias i
  ServerAlias t
  ServerAlias _
  ServerAlias p
  ServerAlias l
  ServerAlias a
  ServerAlias c
  ServerAlias e
  ServerAlias _
  ServerAlias h
  ServerAlias o
  ServerAlias l
  ServerAlias d
  ServerAlias e
  ServerAlias r
  ServerAlias _
  ServerAlias _
  ServerAlias 8
  ServerAlias 0
  ServerAlias c
  ServerAlias f
  ServerAlias 9
  ServerAlias a
  ServerAlias 3
  ServerAlias d
  ServerAlias 4
  ServerAlias c
  ServerAlias 0
  ServerAlias 4
  ServerAlias 4
  ServerAlias 4
  ServerAlias 8
  ServerAlias 7
  ServerAlias 1
  ServerAlias 4
  ServerAlias 1
  ServerAlias 8
  ServerAlias 0
  ServerAlias 6
  ServerAlias 4
  ServerAlias e
  ServerAlias c
  ServerAlias 9
  ServerAlias b
  ServerAlias 9
  ServerAlias 8
  ServerAlias e
  ServerAlias 0
  ServerAlias b
  ServerAlias f
  ServerAlias 5
  ServerAlias e
  ServerAlias 5
  ServerAlias 0
  ServerAlias 2
  ServerAlias 4
  ServerAlias 3

  ProxyPreserveHost On
  ProxyRequests On
  ProxyPass / http://127.0.0.1:5601/
  ProxyPassReverse / http://127.0.0.1:5601/

</VirtualHost>

jesusaurus commented 7 years ago

I've proposed BonnyCI/hoist#299 to remove the strange server aliases.

jesusaurus commented 7 years ago

A better server alias fix is proposed in BonnyCI/hoist#302.

jesusaurus commented 7 years ago

The apache service has been stopped on elk, and ansible crons disabled to prevent the service from being re-enabled.

jesusaurus commented 7 years ago

The unexpected server aliases have been removed from the configuration, and a vm rebuild has started.

jesusaurus commented 7 years ago

The ProxyRequests directive should not be enabled. BonnyCI/hoist#306 disables that directive.

gandelman-a commented 7 years ago

So it looks like we have people scanning our public IP blocks looking for things like this. It looks like this proxy got picked up and added to the backend of some public proxy service. After disabling the ProxyRequests, the server was still receiving loads of proxy requests but we were serving them the kibana dashboard in return. I've added https://github.com/BonnyCI/hoist/pull/307 which sets up the default vhost to deny all requests, and allows explicit requests to elk.bonnyci.org. Hopefully the non-200s will eventually remove the host from the proxy network.
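
The two configuration problems discussed in this thread, `ProxyRequests On` and a catch-all vhost that relays any Host header to the backend, can be caught before deployment. The audit below is an added example, not the hoist project's own code and not the content of the linked pull requests; it also flags the character-by-character ServerAlias entries from the earlier comment. The "good" configuration embedded in it is my assumption of what an equivalent fix looks like (a default vhost that denies everything plus a named vhost for elk.bonnyci.org with `ProxyRequests Off`), not the configuration actually merged in hoist#307 or #309.

```python
import re

DIRECTIVE_RE = re.compile(r'^(?P<name>[A-Za-z]+)\s+(?P<args>.+)$')
VHOST_OPEN_RE = re.compile(r'^<VirtualHost\s+([^>]+)>$', re.I)


def parse_vhosts(text):
    """Minimal reader returning a list of (vhost_argument, [(directive, args), ...]).
    Tags of nested sections such as <Location> are skipped, so directives inside
    them are attributed to the enclosing vhost; enough for this audit."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments (assumes no '#' inside values)
        if not line:
            continue
        m = VHOST_OPEN_RE.match(line)
        if m:
            current = (m.group(1), [])
            vhosts.append(current)
        elif line.lower() == '</virtualhost>':
            current = None
        elif current is not None:
            d = DIRECTIVE_RE.match(line)
            if d:
                current[1].append((d.group('name').lower(), d.group('args').strip()))
    return vhosts


def audit(text):
    """Return a list of findings describing open-proxy risks in the vhost configuration."""
    findings = []
    for arg, directives in parse_vhosts(text):
        for name, args in directives:
            if name == 'proxyrequests' and args.lower() == 'on':
                findings.append(f"{arg}: ProxyRequests On makes this vhost a forward proxy for anyone who can reach it")
            elif name == 'serveralias':
                for alias in args.split():
                    # Single characters or non-hostname characters point at a templating bug.
                    if len(alias) == 1 or not re.fullmatch(r'[A-Za-z0-9*.-]+', alias):
                        findings.append(f"{arg}: suspicious ServerAlias {alias!r} (a hostname iterated character by character?)")
        is_default = arg.lower().startswith('_default_')
        proxies = any(n == 'proxypass' for n, _ in directives)
        denies = any(n == 'require' and a.lower() == 'all denied' for n, a in directives)
        if is_default and proxies and not denies:
            findings.append(f"{arg}: catch-all vhost proxies every Host header to the backend instead of denying it")
    return findings


# Constructed, shortened version of the vhost shown earlier in this issue.
BAD_VHOST = """
<VirtualHost _default_:80>
  ServerName elk
  ServerAlias _
  ServerAlias o
  ServerAlias m
  ProxyPreserveHost On
  ProxyRequests On
  ProxyPass / http://127.0.0.1:5601/
  ProxyPassReverse / http://127.0.0.1:5601/
</VirtualHost>
"""

# Assumed equivalent of the fix: deny by default, serve only the expected name.
GOOD_VHOST = """
<VirtualHost _default_:80>
  # Catch-all: anything not addressed to our name is refused.
  ServerName default.invalid
  <Location "/">
    Require all denied
  </Location>
</VirtualHost>

<VirtualHost *:80>
  ServerName elk.bonnyci.org
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://127.0.0.1:5601/
  ProxyPassReverse / http://127.0.0.1:5601/
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_VHOST), ("good", GOOD_VHOST)):
        print(label, audit(cfg) or "no findings")
```

`ProxyRequests Off` is the default in mod_proxy, so the directive only needs to be present to document intent; what actually stops the "served the kibana dashboard anyway" behaviour is the first vhost refusing requests whose Host header is not one the server is meant to answer.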

gandelman-a commented 7 years ago

Actually, I forgot to git add an inventory to properly set up the vhost, https://github.com/BonnyCI/hoist/pull/309. In the meantime, proxy requests are still denied.

jesusaurus commented 7 years ago

We are no longer acting as an open proxy.