Gentoo Archives: gentoo-user

From: Grant <emailgrant@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] {OT} Strange apache2 access_log entries
Date: Thu, 27 Sep 2007 02:39:43
Message-Id: 49bf44f10709261925k1eb61a00ye420df0f1c6f72d5@mail.gmail.com

> > Does anyone else get entries like this in their apache2 access_log:
> >
> > 127.0.0.1 - - [26/Sep/2007:03:10:08 -0700] "GET /" 400 470
> >
> > I get a whole slew of them every day. They always show up in batches
> > and each entry in a batch is logged at almost the same second.
> That makes sense, since 400 means 'bad request' the culprit probably
> fails a preset number of times and then gives up. Perhaps 127.0.0.1 is
> the setting for something in the absence of a sane configuration - in
> other words, it might be tricky to track this one down. You'll have to
> let us know what gurific sleuthing techniques you employ to track down
> the bad guys.

What do you mean by "bad guys"?

I made a mistake in my initial post. The 127.0.0.1 entries always
show up in ssl_access_log, not access_log.

Also, I noticed that a huge block of them always appears at the very
beginning of each day's ssl_access_log at exactly 3:10AM.

> You should perhaps use combined logging so you get more information,
> like the user agent and such. Right now you're using 'common' logging
> which has the additional disadvantage that it doesn't give you
> particularly useful information if you decide to use a statistical
> analyzer like awstats on your archive of logs from the past umpteen
> years. The user agent might be useful for debugging purposes.

I switched ssl_access_log temporarily to the combined format, and it
was definitely working, but the 127.0.0.1 error looked exactly as it
did in common format with no extra information.

> You might also consider running tcpdump for a few hours or so, or
> something, and have it watch for that port and interface and run ps or
> something if you get output from it. Or use iptables logging for the
> job, if you'd rather do that.

Any specific commands or even just certain parameters I should look into?

- Grant
--
gentoo-user@g.o mailing list