tl;dr: Negligence, and failing to RTFM.
What really horrifies me is the author doesn't seem to understand the magnitude of their error. The final quip at the end illustrates this. "Ha! someone searched manslaughter over my proxy! I had a lot of fun reading my open proxy logs..."
I wonder how many stolen credit card transactions were done over his proxy, causing headaches for many innocent people? Or worse?
Problem is that by default it was configured to listen on 0.0.0.0:80, making it an open HTTP proxy that everybody on the same LAN could connect to. The only real threat so far is that somebody could send in a large volume of traffic to crash the proxy, but wait and behold....
...some users were running it from hosts that are either a) directly connected to the public IP space without a firewall and b) behind NAT, but with lazy DMZ/port forwarding configuration that exposes their port 80 to the internet anyway. For about a year people have been obliviously hosting open HTTP proxies from home.
Eventually somebody found out and it took another couple of months of back and forth issue reporting and PR tugging battles to get it properly patched. Opsec is hard.
Additionally, connecting a misconfigured server to the internet doesn't just hurt the server owner; the entire network is affected, as you are providing another piece of hardware that malicious actors can use to execute their attacks.
The internet has evolved beyond a network cobbled together by a bunch of academics and engineers -- it's a critical piece of infrastructure.
Did you mean "should not run their own dedicated server"? The article doesn't mention anything related to hardware. It could have happened with a rented dedicated server, and even within a virtual machine.
Welcome to Best Practice Linux. Click Next to continue. Which http server you want (httpd/lightttpd/...). Click Next to continue. (you get the idea).
Something like apt-get but with best-practice defaults.
However, in my experience (as an Apache noob), the Apache community consists of experts who are so far ahead of the noobs that they can't see the issue from the perspective of noobs.
When I configured my first web box, I couldn't believe that in 2 days it was hacked open and taken over (by some hackers in China apparently -- those guys are scary good). My host (DO) couldn't provide any advice / support on what exactly had happened. I reset everything and set it up again, and again, 2 days later, the box was completely taken over (again by peeps in cn).
Finally, I did a couple of tiny tweaks in how I logged in (I disabled root login, and configured SSH keys to log-in, and changed the log-in port), and I was never hacked again. If these 3 little tweaks could be made defaults, there'd be a whole lot less hacking going on.
Glad you got the issue resolved though and didn't fork over the $10 because you would've just run into the same issue in the future if you didn't get to the root cause of it (misconfigured Apache).
Apache docs have an obvious warning about ProxyRequests and security: https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxyre... .
This config snippet looks like it was copied/modified without understanding:
<Proxy *>
    AddDefaultCharset off
    Order deny,allow
    Allow from .example.com
</Proxy>
Example.com? If you read the docs on Order (https://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#or...), you see that Deny,Allow defaults to allow, so that's why it's an open proxy. Above that, there is a comment "turning ProxyRequests on and allowing proxying from all may allow spammers to use your proxy to send email", so I guess it was somewhat safe originally, until ProxyRequests was changed to On without reading and understanding the comment.
(...)
"I changed ProxyRequests On to ProxyRequests Off and restarted Apache sudo service httpd restart. My blog & my websites loaded. I finally came to the solution after a few hours of looking at configs."
(...)
"I ran top and noticed fail2ban was consuming 98-99% of my allocated CPU. [Note: As mentioned by the original author in part1, fail2ban was set up to track Apache httpd access logs, and that's (presumably) why it was consuming so much CPU. -e12e] Holy shit. This culprit was running in the background and I did not even know that it was such an intensive resource hog on my machine. I turned fail2ban's service off sudo service fail2ban stop and I removed it from auto-starting on system boots with chkconfig fail2ban off."
Apache is a bit of a complicated beast, and it probably doesn't help that way back when, one didn't set up proxies to web application servers, one ran code in the server (mod_php, mod_perl and even mod_python). Java/tomcat got their own proxy module (mod_jk), and after a while, as more (hw) resources became available, it started to make more sense for everyone to follow the good practice of breaking up services by user (either actual (human) user, or at least service user, like "php" or "cgi-bin" etc). And it became more common to use mod_proxy to forward requests to backends (like php-fpm).
For those new to Apache, it's still easy to miss that Apache can also work as a full http proxy -- and it's easier than it probably should be to set up an open http proxy without intending to. But you generally do have to type in a setting of "ProxyRequests On" -- which kind of does give a hint of what's going on.
[p2] http://blog.atrament.net/how-my-apache-server-became-a-malic...
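As an added illustration of the "Order deny,allow defaults to allow" point made above (example code written for this thread, not from the blog post or from Apache itself): a small Python audit that parses the quoted `<Proxy *>` block, applies Apache 2.2 mod_authz_host semantics, and checks whether a host matching no rule (a constructed name, stranger.invalid) is still let through when ProxyRequests is On.

```python
"""Audit an Apache 2.2 forward-proxy config for the Order deny,allow trap."""

# Constructed samples modelled on the snippet quoted in the thread (not the blog's real file).
VULNERABLE = """
ProxyRequests On
<Proxy *>
    AddDefaultCharset off
    Order deny,allow
    Allow from .example.com
</Proxy>
"""
HARDENED = VULNERABLE.replace("Order deny,allow", "Order allow,deny")

def parse_proxy_acl(config):
    """Return (proxy_requests_on, order, allow, deny) taken from the <Proxy *> block."""
    proxy_on, order, allow, deny, in_block = False, "deny,allow", [], [], False
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not parts:
            continue
        key = parts[0].lower()
        if key == "proxyrequests":
            proxy_on = parts[1].lower() == "on"
        elif key == "<proxy" and parts[1:] == ["*>"]:
            in_block = True
        elif key == "</proxy>":
            in_block = False
        elif in_block and key == "order":
            order = parts[1].lower()            # Apache's default when absent is deny,allow
        elif in_block and key in ("allow", "deny") and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(t.lower() for t in parts[2:])
    return proxy_on, order, allow, deny

def host_matches(token, client):
    """Supports 'all', a domain suffix such as .example.com, or an exact host name."""
    return token == "all" or (token.startswith(".") and client.endswith(token)) or client == token

def client_allowed(order, allow, deny, client):
    """mod_authz_host semantics: deny,allow defaults to allow, allow,deny defaults to deny."""
    hit_allow = any(host_matches(t, client) for t in allow)
    hit_deny = any(host_matches(t, client) for t in deny)
    if order == "deny,allow":
        return hit_allow or not hit_deny    # Allow overrides Deny; an unmatched host passes
    return hit_allow and not hit_deny       # allow,deny: Deny overrides; unmatched is refused

def is_open_proxy(config, stranger="stranger.invalid"):
    """True when forward proxying is on and a host matching no rule can still use it."""
    proxy_on, order, allow, deny = parse_proxy_acl(config)
    return proxy_on and client_allowed(order, allow, deny, stranger)
```

Run against the two samples, the vulnerable block reports an open proxy and the allow,deny variant does not, even though the Allow line is identical in both.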