Unknown behavior in Apache HTTPD

Yesterday we faced a strange behavior when reading the access log of Apache httpd. An example is below:
207.46.13.135 - - [25/Sep/2022:15:28:28 +0700] "GET / HTTP/1.1" 302 287 (core.c/0/translate_name) - 140
This is a normal access entry: x.x.x.x - - [26/Sep/2022:14:16:57 +0700] "GET /corp/L003/consumer/theme/vn.ssc.css HTTP/1.1" 200 1043 (core.c/0/handler) - 830
We have directives to proxy and redirect the requests going to the system. But why does this not redirect (the return code 302 is understandable when in debug mode, but why don't we get it in the production log)? We suspected that these IPs used some kind of engine to flood the web server, only to get the response status but not the content.

Related

Apache Access Logs: Can we configure what NOT to log?

My Apache (Linux/CentOS) is behind a load balancer (AWS ELB). So in my Apache access_log, there are tons of useless logs, like:
- - - [13/Jan/2016:23:38:02 +0800] "GET / HTTP/1.1" 200 16 "-" "ELB-HealthChecker/1.0"
- - - [13/Jan/2016:23:42:39 +0800] "OPTIONS * HTTP/1.0" 200 - "-" "Apache (internal dummy connection)"
These two logs heavily flooded my access_log. Actually these two are totally useless for me (since they are just internal health checkers only), but affecting/confusing to my log analyzers, like awstats. So I kinda don't want to have this kind of log entry.
Is there a way to configure Apache to WHAT NOT TO log?

Customizing Apache Logs

I am running a website with a signup/login process, and I'd like to insert user ids when the user signs up or in to my website.
My apache access.log is as in the following:
115.137.10.87 - - [26/Aug/2013:07:38:52 +0900] "GET /api/game/ HTTP/1.1" 200 1402 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
115.137.10.87 - - [26/Aug/2013:07:38:59 +0900] "GET /api/premium/brand HTTP/1.1" 200 721 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
115.137.10.87 - - [26/Aug/2013:07:38:59 +0900] "GET /api/brand/ HTTP/1.1" 200 2510 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
115.137.10.87 - - [26/Aug/2013:07:39:00 +0900] "GET /api/game/ HTTP/1.1" 200 1402 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
I can clearly see what http request was sent from what ip address.
But if I put the user id (e.g. $userid) into this log, it would be a wonderful log, and I would be able to get good statistical information for making decisions.
If it is possible, is there any way to do this?
Any advice will be really appreciated.
The log will be like this:
115.137.10.87 - - [26/Aug/2013:07:38:52 +0900] "***[USERID]*** GET /api/game/ HTTP/1.1" 200 1402 "-" "android-async-http/1.4.3 (http://loopj.com/android-async-http)"
If you are using HTTP Basic or Digest authentication, then the user name is derived from an HTTP header and can be inserted into the log by using %u in a LogFormat directive in your apache config. If you have a login system that does not include the username in a header (likely), then the only other option I know of would be to somehow set an environment variable which Apache could then write out with %{FOOBAR}e. See http://httpd.apache.org/docs/2.2/logs.html
Otherwise, you're probably better off writing out your own log file from your application code (or use an application level logging library - Log4j, or whatever.)

Apache 500 Error due to User Agent?

I am currently getting 500 errors from Apache using an alarming probe shell script that has been provided to me.
Unfortunately I have not been able to get to the bottom of why the script generates a 500 error when attempting to access content locally on the server but using other methods like wget and telnet works fine.
The following are the Apache access log entries for each of the attempts:
Using Wget
127.0.0.1 - "" [19/Mar/2013:14:31:44 +1100] "GET /index.html HTTP/1.1" 200 1635 "-" "Wget/1.13.3" "-"
Using Telnet
127.0.0.1 - "" [20/Mar/2013:13:12:11 +1100] "GET /index.html HTTP/1.1" 200 1635 "-" "-" "-"
Using the Probe Scripts
127.0.0.1 - - [19/Mar/2013:14:33:56 +1100] "GET /index.html HTTP/1.1" 500 - "-" "" "-"
The only difference I can see is that the probe has a - instead of a "" in the user agent (3rd item) which either way tells me it wasn't passed in any of the instances (as this is expected since there is no authentication).
I've bumped up the logging for everything in Apache and can't figure out what is amiss. There is no processing involved, it's a static file, and I have attempted with other file types too, like images to no avail.
Does anyone have any ideas or has seen something similar?
Thanks,
Tony

Apache access log : multiple status code

In Apache access.log, I am used to this kind of access log line:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326
I was checking some apache access logs this morning and found something I'm not used to:
192.168.1.10- - [20/Feb/2013:00:00:45 +0000] "POST /form/... 404 200 252 "-" "-" 435835
There are multiple status codes. Does it mean the request was sent multiple times (something like a failed/retry mechanism)?

Suspicious requests in Apache web server log file

I found the following requests in my Apache web server. Are these hack attempts? Will they be harmful to the server?
My server is crashing frequently, and I don't have the reasons for it:
GET /muieblackcat HTTP/1.1" 302 214
GET //index.php HTTP/1.1" 302 214
GET //admin/index.php HTTP/1.1" 302 214
GET //admin/pma/index.php HTTP/1.1" 302 214
GET //admin/phpmyadmin/index.php HTTP/1.1" 302 214
/user/soapCaller.bs HTTP/1.1" 302 214
GET /robots.txt HTTP/1.0" 302 214.
We see a lot of requests for non-existent setup.php files:
GET /phpmyadmin/scripts/setup.php HTTP/1.1" 302 214
GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /MyAdmin/scripts/setup.php HTTP/1.1" 302 214
GET /myadmin/scripts/setup.php HTTP/1.1" 302 214
GET //typo3/phpmyadmin/index.php HTTP/1.1" 302 214
GET /pma/scripts/setup.php HTTP/1.1" 302 214
GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 302 214
The below request is also accessed on the server. What request is this?
95.211.124.232 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214
How should this server crash issue be understood?
Yes, these are probably attempts to hack your server. The hacker makes calls to URLs with known weaknesses. However, you are safe as long as these files don't exist on your server.
You should be concerned if you actually have a file with a known weakness.
One temporary solution would be to block the IP address that these calls are made from. You should also check if any calls from that particular IP address actually found an existing page.
The only permanent solution is to upgrade all of your software so that you are not vulnerable to known security weaknesses.
These HTTP calls can not explain why your server crashes.
PS: The /robots.txt is not a hacking attempt. This is a file that search engines like Google look for to get instructions about how to index your site. That is perfectly OK.
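The check this answer recommends (whether an address that sent probe requests ever received an existing page), as an added example that is not part of the original thread. The sample log lines, the documentation-range IP addresses, the `/old/index.php` path and the `min_probes` threshold are constructed for illustration; the probe markers come from the requests quoted in the question.

```python
import re
from collections import defaultdict

# Common Log Format prefix: host ident user [time] "METHOD target ..." status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# Probe markers taken from the requests quoted in the question above.
PROBE_RE = re.compile(r'muieblackcat|myadmin|/pma/|/scripts/setup\.php', re.I)

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = '''\
192.0.2.10 - - [16/Aug/2012:18:14:40 +0800] "GET /muieblackcat HTTP/1.1" 302 214
192.0.2.10 - - [16/Aug/2012:18:14:41 +0800] "GET //admin/pma/index.php HTTP/1.1" 302 214
192.0.2.10 - - [16/Aug/2012:18:14:42 +0800] "GET /phpMyAdmin/scripts/setup.php HTTP/1.1" 302 214
192.0.2.10 - - [16/Aug/2012:18:14:43 +0800] "GET /old/index.php HTTP/1.1" 200 4821
198.51.100.7 - - [16/Aug/2012:18:15:02 +0800] "GET /robots.txt HTTP/1.0" 200 68
198.51.100.7 - - [16/Aug/2012:18:15:03 +0800] "GET /index.html HTTP/1.1" 200 1635
203.0.113.5 - - [16/Aug/2012:18:14:52 +0800] "CONNECT yandex.ru:80 HTTP/1.1" 302 214
GET /muieblackcat HTTP/1.1" 302 214
'''

def parse(log_text):
    """Yield one dict per well-formed line; truncated lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def scanner_hits(log_text, min_probes=2):
    """Return {ip: [(target, status), ...]} for 2xx responses served to
    clients that sent at least `min_probes` probe-style requests."""
    entries = list(parse(log_text))
    probes = defaultdict(int)
    for e in entries:
        # A proxy-style CONNECT sent to a web server counts as a probe too.
        if e["method"] == "CONNECT" or PROBE_RE.search(e["target"]):
            probes[e["ip"]] += 1
    suspects = {ip for ip, n in probes.items() if n >= min_probes}
    hits = defaultdict(list)
    for e in entries:
        if e["ip"] in suspects and e["status"].startswith("2"):
            hits[e["ip"]].append((e["target"], int(e["status"])))
    return dict(hits)

if __name__ == "__main__":
    for ip, found in scanner_hits(SAMPLE_LOG).items():
        print(ip, found)
```

Any entry in the result is a page that a probing client actually reached and is worth reviewing first; an empty result means every request from those clients was redirected or rejected.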
I'd like to ask if you are using PHP at all. Most webspaces do support a lot of features. If you don't use PHP, CGI, SSI, etc., you could turn them off.
Also it might be an idea to watch your messages (Linux? - tail -f /var/log/messages). There you can see live actions.
Another idea would be to move the well-known ports of SSH and other daemons, except HTTP, to upper weird ports above 1024 - or if you have your own public IP address from where you access the Internet, you could set your firewall to only accept connections on those ports from your own IP address.
A good solution would be, if you are running Apache/WHM, to install Mod_security and CSFirewall. Mod_Sec will watch for malicious activity and kick IP addresses to the firewall if they trigger the same security rule too often.
Another solution, which is pretty extreme, would be to block all IP traffic in the firewall based on country code. For instance, if you notice that most of your attacks are coming from Ukraine and 99% of your user-base is out of the USA, then block the entire offending country. As I said... it's extreme.
Also note, that running mod_sec and csf can slow down the server since it has to check the firewall database for all incoming traffic.