From: "Steven Levine"
Date: Tue, 05 Oct 2021 23:34:13 -0800
To: "eCS ISP Mailing List"
Subject: Re: [eCS-ISP] Apache 2.4.49 zero day exploit...
X-Mailer: MR/2 Internet Cruiser Edition for OS/2 v3.00.11.21 BETA/60

In , on 10/05/21 at 10:08 PM, "Roderick Klein" said:

Hi,

>It seems this Apache version has a zero day exploit.
>https://therecord.media/apache-fixes-actively-exploited-web-server-zero-day/

This is yet another example of how important it is to understand how to properly configure httpd or any other server, for that matter.

As the CVE explains, it takes two errors for the exploit to be effective. First is the code defect. Second is a misconfigured server setup. There's no reason to not use "require all denied" except for directories that are supposed to be accessible and even then the access should be carefully controlled.

Many years ago, when I first took over support of the SCOUG server, I discovered that the previous webmaster managed to Options +ExecCGI every directory on the system. This made for interesting log entries along with processes that seemed to run for no reason. Fortunately, this was long enough ago that there were far fewer script kiddies, so no one tried to damage the system.

Steven

--
----------------------------------------------------------------------
"Steven Levine" Warp/DIY/BlueLion etc.
www.scoug.com www.arcanoae.com www.warpcave.com
----------------------------------------------------------------------
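The two configuration mistakes the post describes, a filesystem root that is not "Require all denied" and ExecCGI switched on for every directory, are easy to check for mechanically. The script below is an added example, not code from the post or from the Apache project: it embeds two constructed httpd.conf fragments (a weak one and a hardened one, both hypothetical) and audits every <Directory> container for those two conditions. Path names such as /srv/www/htdocs and /srv/www/cgi-bin are assumptions for the sample only.

```python
"""Audit Apache httpd <Directory> blocks for the two misconfigurations
discussed in the post: a filesystem root that is not "Require all denied",
and ExecCGI enabled where it may not belong.

Example code added for illustration; not from the post or the Apache project.
The configuration fragments below are constructed samples."""
import re
from dataclasses import dataclass, field

# Constructed sample: the kind of setup the post warns about (hypothetical).
WEAK_CONF = """\
<Directory />
    Options +ExecCGI +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory "/srv/www/htdocs">
    Options Indexes
    Require all granted
</Directory>
"""

# Constructed sample: deny everything by default, grant only what is served,
# and confine ExecCGI to the one directory meant to run scripts (hypothetical paths).
HARDENED_CONF = """\
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

<Directory "/srv/www/htdocs">
    Options None
    AllowOverride None
    Require all granted
</Directory>

<Directory "/srv/www/cgi-bin">
    Options +ExecCGI
    AllowOverride None
    Require all granted
</Directory>
"""


@dataclass
class DirBlock:
    path: str
    options: list = field(default_factory=list)  # lower-cased Options tokens
    require: str = ""                             # last Require directive seen


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    path: str
    message: str


OPEN_RE = re.compile(r'^<Directory\s+"?([^">]+?)"?\s*>$', re.IGNORECASE)
CLOSE_RE = re.compile(r'^</Directory>$', re.IGNORECASE)


def parse_directories(conf: str) -> dict:
    """Return {path: DirBlock} for each <Directory> container in conf.
    Only the directives the audit needs (Options, Require) are recorded;
    comments and blank lines are ignored."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = OPEN_RE.match(line)
        if m:
            current = DirBlock(path=m.group(1))
            blocks[current.path] = current
            continue
        if CLOSE_RE.match(line):
            current = None
            continue
        if current is None:
            continue
        words = line.split()
        directive = words[0].lower()
        if directive == "options":
            current.options.extend(w.lower() for w in words[1:])
        elif directive == "require":
            current.require = " ".join(words[1:]).lower()
    return blocks


def audit(conf: str) -> list:
    """Apply the post's two checks and return the findings in config order."""
    blocks = parse_directories(conf)
    findings = []
    root = blocks.get("/")
    if root is None or root.require != "all denied":
        findings.append(Finding("high", "/",
            'filesystem root is not "Require all denied"; paths that are not '
            "explicitly granted should be unreachable"))
    for path, block in blocks.items():
        # "+ExecCGI" and "ExecCGI" both enable it; "-ExecCGI" removes it.
        if any(tok.lstrip("+") == "execcgi" for tok in block.options):
            if path == "/":
                findings.append(Finding("high", path,
                    "ExecCGI enabled on the filesystem root, i.e. every directory"))
            else:
                findings.append(Finding("review", path,
                    "ExecCGI enabled; confirm this directory is meant to run scripts"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for f in audit(conf):
            print(f"[{f.severity}] {f.path}: {f.message}")
```

Run against the weak sample the script reports two high findings on the root block; against the hardened sample it reports only the cgi-bin directory for review, which is the deliberate, controlled exception the post allows for. Running it against a real httpd.conf requires feeding in the fully included configuration (what `httpd -S` or the concatenated Include files resolve to), since a `<Directory />` block in a separate file would otherwise look missing.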