Apache access log shows these attack requests

Ian Smith smithi at nimnet.asn.au
Thu Jun 14 15:26:23 UTC 2007


On Thu, 14 Jun 2007, Norberto Meijome wrote:

 > On Wed, 13 Jun 2007 10:50:20 -0400
 > "Bob" <bob at a1poweruser.com> wrote:
 > 
 > Hi Bob, please learn how to quote in a reply to a message - it's pretty hard to
 > figure out who's written what otherwise.

So much so, it's easier to respond to Bob via yours :)

 > > I checked with ls -l command and I have no pages 7036 in size.
 > 
 > (hmm... do those bytes include the headers et al.? if they do, then you should
 > be looking for something other than 7036 in the filesystem... anyway...

Static pages do show the actual file size, checking here, but of course
any dynamic content (php or whatever) makes size indeterminate.  Bob,
check the size shown as served for your ordinary "/" page requests?

 > > My question
 > > is why is apache servicing a request for "\x04\x01", this is not a valid
 > > request in first place.
 > 
 > maybe if you show us your apache config it would be easier to figure out what
 > you allow or not. To make it simpler, the DEFAULT config in apache (with no
 > mod_proxy) is quite secure wrt access to / . 

If not too much modified, a 'diff apache.conf.installed apache.conf'
might be less unwieldy and easier to grok ..
 
You do and will regularly see all sorts of tricks tried, aimed at
various vulnerabilities, mostly on M$ systems, and life's too short to
get too bothered by the 'background radiation' .. trust the security
teams (both apache and freebsd) to post about and deal with new vulns. 

 > > You wrote "because I disallow 'no referrer'
 > > plus 'no browser' ("-" "-") connects from non-local addresses, blocking
 > > heaps of rogue robots"
 > > Could you give me a example of the httpd.config coding you used for this?
 > > These denied requests get logged in the access.log, I would think they
 > > should be logged in the error.log.
 > 
 > well, they are not an error from apache's POV, are they? they get served OK :)
 > therefore, access. (the fact that you don't like it doesn't make it less "correct"
 > for Apache ;)

Yeah.  Anything invoking a 40[0-9] response, among other things, makes
it to the error log, but even errors usually send some sort of response,
and if in doubt (e.g. on would-be proxy requests) apache will serve "/".

For Bob and the other fellow asking: it's all in the Fine Manual apache
installed for you of course, but for simple illustration something like:

BrowserMatchNoCase "Yet Another Illbehaved Robot" go_away
SetEnvIfNoCase Referer nastysukkas\.biz go_away
BrowserMatch "Windows 98\) XX" go_away
# (regex: anchor and escape the dots, else an unanchored 254.231.132.* would
#  also match an unrelated address such as 1.254.231.132)
SetEnvIf Remote_Addr ^254\.231\.132\. go_away
 [..]
# we only want to exclude those with neither (no_ref being usually ok)
# meanwhile, till finding out how .. just 'no browser' is disallowed
# SetEnvIf Referer "^$" no_ref=1
SetEnvIf User-Agent "^$" no_bro=1
# (I never did work out how to express 'no_bro AND no_ref' ?)
SetEnvIf no_bro 1 go_away
# except of course allow local "-" "-" requests - add more friendlies ..
SetEnvIf Remote_Addr my.ip.adr.ess !go_away
 [..]
<Directory "/usr/local/www/data">
Options Indexes FollowSymLinks
AllowOverride AuthConfig
  # 18Mar02 - always allow, even for otherwise denied bots
  <Files "robots.txt">
  order allow,deny
  allow from all
  </Files>
# Controls who can get stuff from this server.
order allow,deny
allow from all
deny from env=go_away
</Directory>

Cheers, Ian
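As an added illustration (not code from the post or from httpd), here is the same policy as Ian's httpd.conf fragment replayed over access-log lines, so the requests it would deny can be picked out after the fact from access.log, which, as Norberto notes, is where they land rather than error.log. The log lines are constructed; the local and denied networks are assumed stand-ins for the post's my.ip.adr.ess placeholder and the 254.231.132.* block. It also implements the 'no referrer AND no browser' conjunction the post describes, which the posted config only approximates with 'no browser', and it treats a request line such as the "\x04\x01" probe Bob saw as having no path at all.

```python
"""Replay the post's go_away policy over Apache combined-format log lines.

Added example, not code from the original post. Sample log lines and the
network ranges below are constructed for illustration.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# httpd logs non-printable bytes as \xHH, so quoted fields may contain
# backslash escapes; the (?:[^"\\]|\\.)* groups allow for that.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)


class Entry(NamedTuple):
    host: str
    request: str
    status: int
    size: Optional[int]
    referer: str
    agent: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one combined-format line; None if it does not fit the format."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    size = None if m['size'] == '-' else int(m['size'])
    return Entry(m['host'], m['request'], int(m['status']), size,
                 m['referer'], m['agent'])


def request_path(request: str) -> str:
    """Path from a well-formed 'METHOD path HTTP/x.y' request line, else ''."""
    parts = request.split(' ')
    if len(parts) == 3 and parts[0].isalpha() and parts[2].startswith('HTTP/'):
        return parts[1]
    return ''  # e.g. a raw "\x04\x01" probe: no method, no path


# The post's httpd.conf policy, re-expressed. Assumed networks stand in for
# "my.ip.adr.ess" (local, always allowed) and the 254.231.132.* block.
LOCAL_NETS = [ipaddress.ip_network('127.0.0.0/8'),
              ipaddress.ip_network('192.168.0.0/16')]
DENIED_NETS = [ipaddress.ip_network('254.231.132.0/24')]
BAD_AGENT_NOCASE = re.compile(r'Yet Another Illbehaved Robot', re.IGNORECASE)  # BrowserMatchNoCase
BAD_AGENT = re.compile(r'Windows 98\) XX')                                     # BrowserMatch
BAD_REFERER_NOCASE = re.compile(r'nastysukkas\.biz', re.IGNORECASE)            # SetEnvIfNoCase Referer


def in_any(host: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # a hostname (HostnameLookups On) or junk: treat as remote
        return False
    return any(addr in net for net in nets)


def deny_reason(e: Entry) -> Optional[str]:
    """Why the post's <Directory> rules would deny this request, or None."""
    if request_path(e.request) == '/robots.txt':   # <Files "robots.txt"> allow from all
        return None
    if in_any(e.host, LOCAL_NETS):                  # SetEnvIf Remote_Addr my.ip.adr.ess !go_away
        return None
    if in_any(e.host, DENIED_NETS):
        return 'denied netblock'
    if BAD_AGENT_NOCASE.search(e.agent) or BAD_AGENT.search(e.agent):
        return 'blacklisted user agent'
    if BAD_REFERER_NOCASE.search(e.referer):
        return 'blacklisted referer'
    # The '"-" "-"' rule proper: neither referrer nor browser, non-local address.
    # A missing referrer on its own is left alone, as the post's comment says.
    if e.referer == '-' and e.agent == '-':
        return 'no referrer and no user agent'
    return None


def audit(lines) -> List[Tuple[str, str, str]]:
    """(host, request, reason) for every parsed line the policy would deny."""
    flagged = []
    for line in lines:
        e = parse_line(line)
        if e is not None:
            reason = deny_reason(e)
            if reason:
                flagged.append((e.host, e.request, reason))
    return flagged


# Constructed sample log (not from the original post).
SAMPLE_LOG = [
    r'203.0.113.7 - - [13/Jun/2007:10:50:20 -0400] "\x04\x01" 200 7036 "-" "-"',
    r'192.168.1.10 - - [13/Jun/2007:10:51:02 -0400] "GET / HTTP/1.0" 200 7036 "-" "-"',
    r'198.51.100.9 - - [13/Jun/2007:10:52:14 -0400] "GET /robots.txt HTTP/1.1" 200 45 "-" "Yet Another Illbehaved Robot/1.0"',
    r'198.51.100.9 - - [13/Jun/2007:10:52:15 -0400] "GET /index.html HTTP/1.1" 200 7036 "-" "yet another illbehaved robot/1.0"',
    r'198.51.100.20 - - [13/Jun/2007:10:53:00 -0400] "GET / HTTP/1.1" 200 7036 "http://example.org/" "Mozilla/5.0"',
    r'198.51.100.40 - - [13/Jun/2007:10:54:00 -0400] "GET / HTTP/1.1" 200 7036 "-" "Mozilla/5.0"',
    r'198.51.100.50 - - [13/Jun/2007:10:55:00 -0400] "GET / HTTP/1.1" 200 7036 "-" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98) XX"',
    r'254.231.132.5 - - [13/Jun/2007:10:56:00 -0400] "GET / HTTP/1.1" 200 7036 "http://x/" "Mozilla/5.0"',
    r'198.51.100.30 - - [13/Jun/2007:10:57:00 -0400] "GET / HTTP/1.1" 200 7036 "http://www.NastySukkas.biz/spam" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == '__main__':
    for host, request, reason in audit(SAMPLE_LOG):
        print(f'{host:<16} {reason:<32} {request}')
```

Run it against a real access.log with `audit(open('/var/log/httpd-access.log'))`; the remote "-" "-" hits it lists are the ones the posted config would have answered with a 403 once the conjunction is in place, and anything it cannot parse (a non-combined LogFormat, for instance) is skipped rather than misread.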
