> > Does anyone else get entries like this in their apache2 access_log:
> >
> > 127.0.0.1 - - [26/Sep/2007:03:10:08 -0700] "GET /" 400 470
> >
> > I get a whole slew of them every day. They always show up in batches
> > and each entry in a batch is logged at almost the same second.
> That makes sense, since 400 means 'bad request' the culprit probably
> fails a preset number of times and then gives up. Perhaps 127.0.0.1 is
> the setting for something in the absence of a sane configuration - in
> other words, it might be tricky to track this one down. You'll have to
> let us know what gurific sleuthing techniques you employ to track down
> the bad guys.
|
What do you mean by "bad guys"?
|
I made a mistake in my initial post. The 127.0.0.1 entries always
show up in ssl_access_log, not access_log.
|
Also, I noticed that a huge block of them always appears at the very
beginning of each day's ssl_access_log at exactly 3:10AM.
|
> You should perhaps use combined logging so you get more information,
> like the user agent and such. Right now you're using 'common' logging
> which has the additional disadvantage that it doesn't give you
> particularly useful information if you decide to use a statistical
> analyzer like awstats on your archive of logs from the past umpteen
> years. The user agent might be useful for debugging purposes.
|
I switched ssl_access_log temporarily to the combined format, and it
was definitely working, but the 127.0.0.1 error looked exactly as it
did in common format with no extra information.
|
> You might also consider running tcpdump for a few hours or so, or
> something, and have it watch for that port and interface and run ps or
> something if you get output from it. Or use iptables logging for the
> job, if you'd rather do that.
|
Any specific commands or even just certain parameters I should look into?
|
- Grant
--
gentoo-user@g.o mailing list
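
The pattern described in this thread (batches of 127.0.0.1 requests answered with 400 within the same second, recurring at the same time each day) can be measured from the log itself. The following is an added example, not part of the original message: the function names are hypothetical and the sample lines, apart from the one quoted in the thread, are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format prefix; combined format only appends fields, so both match.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample: the first entry is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = """\
127.0.0.1 - - [26/Sep/2007:03:10:08 -0700] "GET /" 400 470
127.0.0.1 - - [26/Sep/2007:03:10:08 -0700] "GET /" 400 470
127.0.0.1 - - [26/Sep/2007:03:10:09 -0700] "GET /" 400 470
192.0.2.10 - - [26/Sep/2007:09:15:42 -0700] "GET /index.html HTTP/1.1" 200 1043
127.0.0.1 - - [27/Sep/2007:03:10:08 -0700] "GET /" 400 470
127.0.0.1 - - [27/Sep/2007:03:10:08 -0700] "GET /" 400 470
this line is not a log entry
"""

def loopback_400_bursts(lines, max_gap=2, min_size=2):
    """Return (start_time, count) for runs of 127.0.0.1/400 entries spaced <= max_gap seconds."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["host"] != "127.0.0.1" or m["status"] != "400":
            continue  # skip other clients, other statuses and unparseable lines
        hits.append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    hits.sort()
    bursts, current = [], []
    for ts in hits:
        if current and (ts - current[-1]).total_seconds() > max_gap:
            bursts.append(current)
            current = []
        current.append(ts)
    if current:
        bursts.append(current)
    return [(b[0], len(b)) for b in bursts if len(b) >= min_size]

def recurring_times(bursts):
    """Map the HH:MM at which a burst started to the number of distinct days it occurred."""
    days = defaultdict(set)
    for start, _ in bursts:
        days[start.strftime("%H:%M")].add(start.date())
    return {hhmm: len(d) for hhmm, d in days.items()}

if __name__ == "__main__":
    found = loopback_400_bursts(SAMPLE_LOG.splitlines())
    print([(s.isoformat(), n) for s, n in found], recurring_times(found))
```

A start time that repeats across days can then be compared against the host's scheduled jobs for that minute.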