Apache error.log

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Apache error.log

Post by alex.barylski »

I was looking through my error log files today and saw mostly this:

Code:

[Thu Aug 26 04:04:30 2010] [error] [client 61.184.136.164] File does not exist: /var/www/aquarius-live/rpi/public/mp3
[Thu Aug 26 04:04:31 2010] [error] [client 61.184.136.164] File does not exist: /var/www/aquarius-live/rpi/public/internetshop
[Thu Aug 26 04:04:31 2010] [error] [client 61.184.136.164] File does not exist: /var/www/aquarius-live/rpi/public/babystore
[Thu Aug 26 04:04:32 2010] [error] [client 61.184.136.164] File does not exist: /var/www/aquarius-live/rpi/public/peter
[Thu Aug 26 04:04:33 2010] [error] [client 61.184.136.164] File does not exist: /var/www/aquarius-live/rpi/public/install.txt
[Thu Aug 26 04:04:34 2010] [error] [client 61.184.136.164] File does not exist: /var/www/aquarius-live/rpi/public/butik
[Thu Aug 26 06:50:00 2010] [error] [client 216.131.95.119] File does not exist: /var/www/aquarius-live/rpi/public/soapCaller.bs
[Thu Aug 26 06:50:00 2010] [error] [client 216.131.95.119] File does not exist: /var/www/aquarius-live/rpi/public/user
[Thu Aug 26 06:50:00 2010] [error] [client 216.131.95.119] File does not exist: /var/www/aquarius-live/rpi/public/soapCaller.bs
[Thu Aug 26 06:50:00 2010] [error] [client 216.131.95.119] File does not exist: /var/www/aquarius-live/rpi/public/trix
[Thu Aug 26 06:50:00 2010] [error] [client 216.131.95.119] File does not exist: /var/www/aquarius-live/rpi/public/trixbox
I'm not sure what to make of this. It looks like some bot, maybe scanning our web server for various packages in an attempt to exploit a hole and get into the system? Can I configure Apache to ignore these requests?

Code:

  <Directory />
    # Apache 2.2 syntax: with "Order allow,deny", anything not matched by an Allow line is denied
    Order allow,deny
    # developer and tester workstations on the LAN
    Allow from 192.168.1.240 192.168.1.241 192.168.1.243 192.168.1.198
    # loopback (127.0.0.0/8)
    Allow from 127
  </Directory>
I use something like this to limit LAN access to the development version of our software to developers and testers. I am wondering if I should do something similar for WAN addresses, of course taking a principle of least privilege approach: denying everyone and adding only those who need access to the system, as required?

Cheers,
Alex
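The triage the post is asking for, as an added example that is not part of the original thread: parse the "File does not exist" lines from an Apache 2.2 error.log, group them by client, and flag clients that request many different non-existent paths in a short window. The threshold values, the document root used to strip paths back to URIs, and the two extra lines for client 10.1.2.3 and the [notice] line are constructed for the example; the scanner lines are the ones quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.2 error.log format as quoted in the post:
# [timestamp] [error] [client IP] File does not exist: /filesystem/path
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9.]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"  # e.g. "Thu Aug 26 04:04:30 2010"

# Document root from the log in the post (assumption: that is the vhost's DocumentRoot)
DOCROOT = "/var/www/aquarius-live/rpi/public"

# Constructed sample: the lines from the post, plus a benign LAN client (10.1.2.3)
# missing a favicon twice and one [notice] line that the parser must skip.
SAMPLE_LOG = """\
[Thu Aug 26 03:59:59 2010] [notice] caught SIGTERM, shutting down
[Thu Aug 26 04:04:30 2010] [error] [client 61.184.136.164] File does not exist: /var/www/aquarius-live/rpi/public/mp3
[Thu Aug 26 04:04:31 2010] [error] [client 61.184.136.164] File does not exist: /var/www/aquarius-live/rpi/public/internetshop
[Thu Aug 26 04:04:31 2010] [error] [client 61.184.136.164] File does not exist: /var/www/aquarius-live/rpi/public/babystore
[Thu Aug 26 04:04:32 2010] [error] [client 61.184.136.164] File does not exist: /var/www/aquarius-live/rpi/public/peter
[Thu Aug 26 04:04:33 2010] [error] [client 61.184.136.164] File does not exist: /var/www/aquarius-live/rpi/public/install.txt
[Thu Aug 26 04:04:34 2010] [error] [client 61.184.136.164] File does not exist: /var/www/aquarius-live/rpi/public/butik
[Thu Aug 26 06:50:00 2010] [error] [client 216.131.95.119] File does not exist: /var/www/aquarius-live/rpi/public/soapCaller.bs
[Thu Aug 26 06:50:00 2010] [error] [client 216.131.95.119] File does not exist: /var/www/aquarius-live/rpi/public/user
[Thu Aug 26 06:50:00 2010] [error] [client 216.131.95.119] File does not exist: /var/www/aquarius-live/rpi/public/soapCaller.bs
[Thu Aug 26 06:50:00 2010] [error] [client 216.131.95.119] File does not exist: /var/www/aquarius-live/rpi/public/trix
[Thu Aug 26 06:50:00 2010] [error] [client 216.131.95.119] File does not exist: /var/www/aquarius-live/rpi/public/trixbox
[Thu Aug 26 09:12:07 2010] [error] [client 10.1.2.3] File does not exist: /var/www/aquarius-live/rpi/public/favicon.ico
[Thu Aug 26 09:14:41 2010] [error] [client 10.1.2.3] File does not exist: /var/www/aquarius-live/rpi/public/favicon.ico
"""


def parse_missing_files(log_text):
    """Yield (timestamp, client_ip, filesystem_path) for every 'File does not exist'
    line; any other error.log line ([notice], [warn], PHP errors, ...) is ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FORMAT), m["ip"], m["path"]


def triage(log_text, docroot=DOCROOT, min_distinct=4, window_seconds=60):
    """Per client: how many *different* missing paths it asked for within any
    window_seconds span. A real visitor tends to hit the same stale link or
    favicon repeatedly; a scanner enumerates many names quickly, so the peak
    number of distinct paths in a window is the signal, not the raw hit count."""
    by_ip = defaultdict(list)
    for ts, ip, path in parse_missing_files(log_text):
        # turn the filesystem path back into the request URI
        uri = path[len(docroot):] if path.startswith(docroot) else path
        by_ip[ip].append((ts, uri))

    report = {}
    for ip, events in by_ip.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, uri in events[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(uri)
            peak = max(peak, len(seen))
        report[ip] = {
            "requests": len(events),
            "distinct_paths": sorted({uri for _, uri in events}),
            "peak_distinct_in_window": peak,
            "verdict": "scanner" if peak >= min_distinct else "noise",
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:16} {info['verdict']:8} peak={info['peak_distinct_in_window']} "
              f"paths={' '.join(info['distinct_paths'])}")
```

Run it against a real error.log with `triage(open("/var/log/apache2/error.log").read())`. The output is a shortlist to look at, not a block list: a client with one or two misses per hour is a stale link or a missing favicon, whereas six distinct guesses in four seconds is enumeration.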
Bind
Forum Contributor
Posts: 102
Joined: Wed Feb 03, 2010 1:22 am

Re: Apache error.log

Post by Bind »

The first one (61.184.136.164) is CHINANET, China Telecom's internet service (ISP); a customer (probably) is crawling you. I routinely block third-world countries, China, the Middle East, and Russian IPs on all my sites, which prevents 99% of wasted resources from abusive crawls and visitors. My sites are primarily Western-civilization targeted, so there is no real loss in userbase from the blocks.

The second one (216.131.95.119) is a server crawl.

Apparently they, or someone who has a hosting account there, is crawling you.

Host info for 216.131.95.119:
OrgName: Reliablehosting.com
OrgId: BOAK
Address: P.O. Box 19719
City: South Lake Tahoe
StateProv: CA
PostalCode: 96151
Country: US
RegDate: 2000-03-28
Updated: 2010-06-19
Ref: http://whois.arin.net/rest/org/BOAK

About 20 or so websites are hosted on that IP:
1 ADULTWEBZONE.INFO.
2 CRAZYXLINX.INFO.
3 DIRDJ.INFO.
4 DIRHOT.INFO.
5 DIRSEXY.INFO.
6 FREEZLINKS.COM.
7 GREATWEBDIR.COM.
8 GROUPHOSTDIR.COM.
9 NETCAMDIR.INFO.
10 THEHOTSOUL.INFO.
11 THEXCRAZY.INFO.
12 TOPCLASSSITES.COM.
13 URLSADULT.INFO.
14 WEBCAMDIR.INFO.
15 XDATEDIR.INFO.
16 XINDEX.INFO.
17 XPIXELS.INFO.
18 XPOWERDIR.INFO.
19 XWEBSEARCH.INFO.
20 XWEBSEEK.INFO.

To prevent access you can create a block script with data from the regions and IPs you want to block, which can either update .htaccess or use request-level blocking with PHP.

Do some looking on Google for abusive IPs and ranges (there are a lot of sites) and update as needed. I use curl with cron to import them for blocking twice a day.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Apache error.log

Post by VladSun »

If you are going to block a series of IP lists, a much better solution is to use iptables + ipset, i.e. use firewall rules instead of Apache access rules; it's just a matter of performance.

Code:

#!/bin/bash

ipt="/usr/local/sbin/iptables"
ips="/usr/local/sbin/ipset"

# Black IP list: a hash of single addresses
# (ipset 4.x syntax as posted; on ipset 6+ the equivalent is: $ips create BL hash:ip)
$ips -N BL iphash
$ips -A BL 80.80.0.2
$ips -A BL 90.90.0.1
....

# Black nets list: a hash of CIDR networks
# (ipset 6+: $ips create BLN hash:net)
$ips -N BLN nethash
$ips -A BLN 90.91.0.0/24
$ips -A BLN 90.98.0.0/24
....

# Block them: match the source address against each set and DROP in kernel space.
# -A appends at the end of INPUT, so these must come before any earlier ACCEPT
# rule (or use -I to insert at the top), otherwise they are never reached.
# (ipset 6+ / iptables 1.4.9+: -m set --match-set BL src)
$ipt -A INPUT -m set --set BL src -j DROP
$ipt -A INPUT -m set --set BLN src -j DROP
In case you want to be evil, use TARPIT target instead of DROP.

PS: You can dynamically add/remove IPs/networks from these lists without stopping the firewall.
There are 10 types of people in this world, those who understand binary and those who don't
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Apache error.log

Post by VladSun »

By "You can dynamically add/remove IPs/networks from these lists without stopping the firewall." I meant that you could catch all (or a predefined set of) missing URLs requested and add the IPs to be blacklisted in a simple PHP file.

And by "just a matter of performance." I meant "a lot of performance" - you can drop TCP/IP packets at kernel space level instead of user level.
There are 10 types of people in this world, those who understand binary and those who don't
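The feedback loop described in the last two posts (catch missing URLs, blacklist the requesting IP, let the kernel drop the packets), as an added example that is not part of the original thread and not VladSun's code. Python rather than PHP so it can be run as-is; the structure carries over to a PHP 404 handler one to one. Assumptions, all constructed for the example: the developer LAN 192.168.1.0/24 from the first post is never blocked, the tripwire paths are taken from the probes quoted in the first post, and the ipset set "BL" was created on ipset 6+ with `ipset create BL hash:ip timeout 3600`, so entries can carry a per-entry timeout and expire on their own.

```python
import ipaddress
from collections import defaultdict, deque

# Assumption: never auto-block the developer/tester LAN from the first post,
# loopback, or RFC1918 space. A single typo in a threshold must not lock out the team.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "127.0.0.0/8", "10.0.0.0/8")]

# Assumption: paths no legitimate visitor of *this* site ever requests, taken from
# the probes in the quoted log. One request for any of them is enough to act.
TRIPWIRES = {"/install.txt", "/soapCaller.bs", "/trixbox"}


class AutoBlocker:
    """Feed every missing-URL (404) event in; get back the ipset argv to run, if any.

    The web server user must NOT run ipset itself (that needs CAP_NET_ADMIN); the
    returned argv is meant to be queued for a root-owned cron job or a sudo rule
    restricted to exactly this command."""

    def __init__(self, setname="BL", threshold=5, window=60, ban_seconds=3600,
                 protected=NEVER_BLOCK, tripwires=TRIPWIRES):
        self.setname = setname
        self.threshold = threshold      # distinct misses in `window` seconds -> block
        self.window = window
        self.ban_seconds = ban_seconds  # ipset per-entry timeout; set needs `timeout` support
        self.protected = protected
        self.tripwires = tripwires
        self.misses = defaultdict(deque)  # ip -> timestamps of recent misses
        self.banned = set()

    def is_protected(self, ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return True  # unparsable "client" value: refuse to act on it at all
        return any(addr in net for net in self.protected)

    def _ban(self, ip):
        self.banned.add(ip)
        self.misses.pop(ip, None)
        # ipset 6+ syntax; the set must have been created with `timeout` support
        return ["ipset", "add", self.setname, ip, "timeout", str(self.ban_seconds)]

    def record_miss(self, ip, uri, now):
        """Call once per 404. `now` is a float timestamp (time.time()).
        Returns the ipset argv when `ip` should be blocked, otherwise None."""
        if ip in self.banned or self.is_protected(ip):
            return None
        if uri in self.tripwires:
            return self._ban(ip)
        q = self.misses[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # forget misses older than the window
            q.popleft()
        if len(q) >= self.threshold:
            return self._ban(ip)
        return None


if __name__ == "__main__":
    import time
    blocker = AutoBlocker(threshold=3, window=60)
    for uri in ("/user", "/trix", "/peter"):
        cmd = blocker.record_miss("216.131.95.119", uri, time.time())
        print(uri, "->", " ".join(cmd) if cmd else "no action")
    print(blocker.record_miss("61.184.136.164", "/install.txt", time.time()))
```

Two properties matter more than the threshold itself: the allow list is checked before anything else, so a scan from a developer workstation can never take the LAN off the air, and the ipset timeout means a blocked address falls out of the set by itself instead of accumulating forever in a list nobody reviews. Apache's own 404 for a static file never reaches PHP, so the counting has to happen either in an ErrorDocument handler or in a cron job that tails error.log, and in either case the resulting argv should go through a privileged helper rather than the www-data user.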