Topic: Unknown apache2.4 access log

andihdr
Joined: 03 Feb 2016
Posts: 8
Location: indonesia

Posted: Wed 03 Feb '16 11:29    Post subject: Unknown apache2.4 access log

I have installed Apache server and I found my access log is not showing something normal. I have searched for this error on Google and in this forum, but there is no detailed solution on how to fix this problem.

Here are some unknown log entries:

Code:

"GET http://www.google.com/?nord=1#nord=1&q=blogesaurus HTTP/1.1" 200 146

"GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.0235660493602285 HTTP/1.1" 404 217

"CONNECT l.yimg.com:80 HTTP/1.1" 200 146

"GET http://www.carljzhou.com/azenv.php HTTP/1.1" 404 207



There are many entries like this in my access log.
How to avoid this? Should I be concerned about this or ignore it? What should I do?
Many thanks for the help.

DnvrSysEngr
Joined: 15 Apr 2012
Posts: 226
Location: Denver, CO USA

Posted: Wed 03 Feb '16 19:49

Those messages in your access logs are showing that someone somewhere is poking and prodding your Apache Server looking for clues as to what you have and how they might be able to exploit any vulnerabilities.

As to what to do, make sure that you have "hardened and secured" your Apache Server.

What you can do also, is report these hacking/exploit attempts to ABUSE for the domain and/or ISP they are originating from.

-S

andihdr
Joined: 03 Feb 2016
Posts: 8
Location: indonesia

Posted: Tue 16 Feb '16 13:41

I have followed this link
http://wiki.apache.org/httpd/FAQ#Why_can_I_access_my_website_from_the_server_or_from_my_local_network.2C_but_I_can.27t_access_it_from_elsewhere_on_the_Internet.3F

but still the logs keep coming up in my access log...
I have searched a lot of websites but I can't get the correct answer.

I have modified httpd.conf to secure Apache
http://www.petefreitag.com/item/505.cfm
but it still doesn't work at all.

Are there any suggestions please?
Does this kind of log appear in every Apache's access log?
How to avoid these logs?

Thanks for the reply.

DnvrSysEngr
Joined: 15 Apr 2012
Posts: 226
Location: Denver, CO USA

Posted: Tue 16 Feb '16 18:09

You want to see that information in your logs. It is informational, letting you know what is going on with your WEB server.

The 404 error is letting you know that the connection attempt was unsuccessful/was not granted.

If you want to stop it completely, you can trace the IP address where the so-called connection attempt originated and block it upstream (i.e. at your firewall).

I get log entries like that all the time in my access logs and use configurations in my httpd.conf to stop them.

Look at it this way, it's basically good guys (US) versus the bad guys (THEM). It is a battle that will never end. Just do your best and exercise caution to deter them the best you can.

andihdr
Joined: 03 Feb 2016
Posts: 8
Location: indonesia

Posted: Wed 17 Feb '16 2:18

Thank you DnvrSysEngr for the reply.

What kind of configuration in httpd.conf (directives) should I add to stop these logs?

Should I use htaccess for this purpose?

DnvrSysEngr
Joined: 15 Apr 2012
Posts: 226
Location: Denver, CO USA

Posted: Wed 17 Feb '16 3:09

I used Mod_ip2location (not sure if Gregg or Steffen has a 32 or 64 bit version readily available) to create a blocklist by country. I placed the entries in my httpd.conf file.

However, you may want to be careful as to how you use it if you are hosting more than one site on your Web server.

You can also use mod_maxmind, which is available at https://www.apachehaus.net/temp/

andihdr
Joined: 03 Feb 2016
Posts: 8
Location: indonesia

Posted: Wed 17 Feb '16 5:41

Unfortunately, Mod_ip2location is not free...
Thank you DnvrSysEngr.

glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Wed 17 Feb '16 9:48

I think mod_maxminddb is the way to go if you have a VC14 Apache 2.4.

I do have mod_ip2location v7.0.0 for VC11 Apache 2.4 and I just put those for now also in
https://www.apachehaus.net/temp/

Both Maxmind and IP2Location have free "Lite" databases and they work good enough for blocking by country.

http://dev.maxmind.com/geoip/geoip2/geolite2/
http://lite.ip2location.com/

andihdr
Joined: 03 Feb 2016
Posts: 8
Location: indonesia

Posted: Wed 17 Feb '16 16:20

Thank you glsmith, I will try mod_ip2location lite because I use VC11 Apache 2.4.

Is mod_security able to solve this issue?
Does anyone have a suggestion about this? I think it's quite frustrating to only avoid these access logs... or should I ignore them? From what I have read, a status code of 200, 404 and 400 with 200 of size is not a "threat to my server", right?

glsmith
Moderator
Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Wed 17 Feb '16 20:13

No, mod_security might turn those 200s in your first post into 400s or 403s however.

200 means it was served, I personally like to know what has been viewed and downloaded. For instance I can see that someone from Indonesia looked on my server, came from this forum thread and was using Google Chrome on 32bit Win7. The connection was over the HTTP/2 protocol.

404 is File Not Found, I like to know this as well because there may be something I think should be available but through some mistake of mine it is not.

400, 403 & 500 end up in error.log as well so I do not care if they are in the access.log, I do not block them however.

The only thing I block from my access.log is my own hits to my server. When building a site or script I hit it 100s of times to view/debug as I go, I do not need all my hits polluting up the access.log file.

<soapbox>
It's good to keep an eye on your logs. I rotate my access.log daily (mod_log_rotate) and I know what is the usual size of these files and I know that weekend traffic is typically 1/5 to 1/4 of weekdays. If all of a sudden I see a day that is more than 3 times the average size, I know something is going on and I can investigate.
</soapbox>

The question however is how to keep certain requests from being logged. It's pretty easy using SetEnvIf and CustomLog.

See the "Conditional Logs" section at
http://httpd.apache.org/docs/2.4/logs.html#accesslog

I'm pretty sure you can use any of the available environment variables (like HTTP_STATUS).
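
The request lines quoted in the first post have the shape a client sends to a forward proxy: an absolute URL for another site as the request target, or the CONNECT method. The following Python script is an added example (not code from this thread or from the Apache project) that pulls such entries out of an access log and counts them per client and status; the client addresses, timestamps, the last sample line, the `own_hosts` parameter and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the request lines, status codes and sizes are the ones
# quoted in the thread; client addresses (documentation ranges), timestamps
# and the last, ordinary line are made up for illustration.
SAMPLE_LOG = '''\
203.0.113.7 - - [03/Feb/2016:10:01:12 +0700] "GET http://www.google.com/?nord=1#nord=1&q=blogesaurus HTTP/1.1" 200 146
203.0.113.7 - - [03/Feb/2016:10:01:15 +0700] "GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.0235660493602285 HTTP/1.1" 404 217
198.51.100.23 - - [03/Feb/2016:10:02:40 +0700] "CONNECT l.yimg.com:80 HTTP/1.1" 200 146
198.51.100.23 - - [03/Feb/2016:10:03:02 +0700] "GET http://www.carljzhou.com/azenv.php HTTP/1.1" 404 207
192.0.2.10 - - [03/Feb/2016:10:05:44 +0700] "GET /index.html HTTP/1.1" 200 146
'''

# Common Log Format prefix: host ident user [time] "request" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) (\S+)')
ABSOLUTE_RE = re.compile(r'^[a-z][a-z0-9+.-]*://([^/?#:]+)', re.I)

def classify(request_line, own_hosts):
    """Return 'connect', 'foreign-absolute-url', or None for a normal request."""
    parts = request_line.split()
    if len(parts) < 2:
        return None  # malformed or empty request line; not judged here
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        return "connect"
    m = ABSOLUTE_RE.match(target)
    if m and m.group(1).lower() not in own_hosts:
        return "foreign-absolute-url"
    return None

def proxy_probes(log_text, own_hosts=frozenset()):
    """Yield (client, kind, status, request_line) for proxy-style requests."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, request, status = m.group(1), m.group(2), int(m.group(3))
        kind = classify(request, own_hosts)
        if kind:
            yield client, kind, status, request

def summarize(log_text, own_hosts=frozenset()):
    """Count proxy-style requests per (client, status)."""
    return Counter((c, s) for c, _, s, _ in proxy_probes(log_text, own_hosts))

if __name__ == "__main__":
    for (client, status), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client} status={status} count={n}")
```

Pass the site's own hostnames as `own_hosts` so that absolute-URL requests for the server itself are not counted.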

andihdr
Joined: 03 Feb 2016
Posts: 8
Location: indonesia

Posted: Sat 20 Feb '16 11:58

I will try with SetEnvIf and CustomLog. I hope this might solve my problems.

Thanks...

andihdr
Joined: 03 Feb 2016
Posts: 8
Location: indonesia

Posted: Sat 20 Feb '16 12:21

glsmith, I have read your previous post

Code:

RewriteEngine on

# [Multi-Useragent]
..
..
..
# [HTTP_USER_AGENT]
# ::ELNSB50 EmailHarvesting & GuestbookSpamming
..
..
# Send them home to mama or a dead connection
RewriteRule


I wrote them in my httpd.conf and it gives me the error "invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration"
Do you use .htaccess?

andihdr
Joined: 03 Feb 2016
Posts: 8
Location: indonesia

Posted: Sat 20 Feb '16 13:20

How to write a RewriteCond for this?

Code:

"GET http://www.google.com/?nord=1#nord=1&q=blogesaurus HTTP/1.1" 200 146

"GET http://zc.qq.com/cgi-bin/common/attr?id=260714&r=0.0235660493602285 HTTP/1.1" 404 217

"CONNECT l.yimg.com:80 HTTP/1.1" 200 146

"GET http://www.carljzhou.com/azenv.php HTTP/1.1" 404 207
