[linux] apache access log messages
C. Olmsted
cliffo at u.washington.edu
Mon Apr 26 10:53:13 PDT 2004
I'm not sure I would go with that rule. There are lots of legitimate
machines that don't have IPs that resolve. We also see a ton of those
types of probes in our access logs. Apache handles them with aplomb.
Since it's impossible to predict where the attempts will come from and
sometimes these probes come from resolvable IP addresses we just live with
it. It also helps to make sure apache is up to date of course.
If you see where the probes are coming from (i.e. stanford.edu perhaps),
you can try to notify their NOC if you feel it's worth it.
Cliff
On Mon, 26 Apr 2004, K. David Prince wrote:
> Well, there's a problem: This particular address doesn't resolve to
> anything. And, there are new ones coming in every day. What I'm thinking
> is to put a rule on the firewall that basically says: "If this address
> doesn't resolve into something 'real', then block it." Anyone doing this
> kind of thing?
>
> On Mon, 26 Apr 2004, Greg Stark wrote:
>
> > I'd prolly just add
> >
> > ALL: 69.37.133.236
> >
> > to my /etc/hosts.deny file :-) that'll take care of him!
> >
> > Greg
> >
> > K. David Prince wrote:
> >
> > >I'm seeing these messages in one of our logs:
> > >
> > >69.37.133.236 - - [20/Mar/2004:09:49:01 -0800] "SEARCH
> > >/\x90\x02\xb1\x02\xb1<snip>
> > >
> > >Each of these messages can be quite large. What's a good technique for
> > >blocking these sorts of probes?
> > >
> > >Dave
> > >
> > >
> >
> >
>
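As an added example (not code from anyone in the thread), a small Python detector that parses Common Log Format lines like the one Dave quoted, flags SEARCH requests whose URI is a run of Apache's `\xNN` byte escapes, tallies them per source address, and renders repeat offenders in the `ALL: a.b.c.d` form Greg used. The log lines and the `min_escapes` / `threshold` values are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample access-log lines modelled on the one quoted in the thread
# (the real payload was snipped; the \x90 run here is made up for illustration).
SAMPLE_LOG = r"""69.37.133.236 - - [20/Mar/2004:09:49:01 -0800] "SEARCH /\x90\x02\xb1\x02\xb1\x90\x90\x90\x90\x90\x90 HTTP/1.1" 414 0
192.0.2.10 - - [20/Mar/2004:09:50:12 -0800] "GET /index.html HTTP/1.1" 200 2326
69.37.133.236 - - [20/Mar/2004:09:51:44 -0800] "SEARCH /\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 HTTP/1.1" 414 0
198.51.100.7 - - [20/Mar/2004:09:52:03 -0800] "PROPFIND /webdav/ HTTP/1.1" 207 512
"""

# Common Log Format: client, ident, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Apache writes non-printable request bytes as \xNN escapes; a long run of them
# in the request line is the fingerprint of the probe described in the thread.
ESCAPED_BYTE_RE = re.compile(r'\\x[0-9a-fA-F]{2}')

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_binary_probe(request, min_escapes=8):
    """True when the request line is a SEARCH carrying a run of escaped raw bytes."""
    method = request.split(" ", 1)[0]
    return method == "SEARCH" and len(ESCAPED_BYTE_RE.findall(request)) >= min_escapes

def probe_sources(log_text, min_escapes=8):
    """Count probe-like requests per client IP across the whole log."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_binary_probe(rec["request"], min_escapes):
            hits[rec["ip"]] += 1
    return hits

def hosts_deny_lines(hits, threshold=2):
    """Render candidate /etc/hosts.deny entries (Greg's form) for repeat offenders."""
    return [f"ALL: {ip}" for ip, n in sorted(hits.items()) if n >= threshold]

if __name__ == "__main__":
    counts = probe_sources(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} probe(s)")
    print("\n".join(hosts_deny_lines(counts)))
```

hosts.deny entries are honoured only by services that consult tcp_wrappers, so for Apache itself the same address list would typically feed a firewall rule or an Apache `Deny from` directive instead.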