[NBLUG/talk] How to read logwatch & httpd access_log

Dave Sisley dsisley at sonic.net
Sun Jan 23 21:22:50 PST 2005


[See also my response to Augie's post]

On Sun, Jan 23, 2005 at 07:52:00PM -0800, Ron Wickersham wrote:
> On Sun, 23 Jan 2005, Augie Schwer wrote:
> >
> > > My real question (finally!) has to do with my access_logs, which
> > > logwatch parses to make its report.  I saw in google that successful
> > > CONNECTs (200) might indicate trouble.  I see plenty of connects from
> > > 82.96.96.3 , which I think is okay, but I see a couple like this that
> > > make me nervous:
> > > access_log:81.219.11.226 - - [09/Jan/2005:19:04:28 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12551 "-" "-"
> > > access_log.1:216.102.227.194 - - [06/Jan/2005:20:50:47 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12550 "-" "-"
> > > access_log.3:216.240.146.76 - - [20/Dec/2004:17:09:02 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12596 "-" "-"
> >
> > It looks like your box is being tested to see if it is an open proxy. A little
> 
> ---snip---
> 
> however reading the log entry your box is being asked for a CONNECT and
> it says 200 (which is the same as saying ok here it is, and then in the
> first instance sends back 12551 bytes to the requestor's browser and
> 12550 bytes in the second instance and 12596 bytes in the third.
> 
> so apparently you're actually delivering the requested material.  otherwise
> you'd see the same request coming in but send back an error message and
> not a 200 header type.

This is what worries me.  What's the 'requested material'?

I have taken Augie's advice and commented out the mod_proxy 'load
module' lines in my httpd.conf file.  I've also not seen any further
'1337' activity in my access_log files since my original post.

FWIW, I'm running Apache 2.0.51, so I don't think I'm susceptible to
the hack Augie cited.

My problem is that I don't understand the data logwatch is sending
me.  Their website is not very helpful (documentation consists of a
reprint of the logwatch manpage).

If I can get some time (I just started a new job), I will look for
info on how to read my access_log files.

In the meantime, I (and perhaps others on the list) would appreciate
tips on how to keep a better eye on my server.

Thanks,

-dave.

-- 
Dave Sisley
dsisley at sonic.net
roth-sisley.net
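As an added example (not part of the original thread, and not logwatch's own code), here is a small Python parser for the Combined Log Format that picks out exactly the entries Ron describes: CONNECT requests answered with a 2xx status and a non-zero byte count, which means the server relayed something for the requester instead of refusing. The sample input is constructed from the three lines quoted in the post plus two made-up lines (a normal GET and a refused CONNECT) for contrast; the "filename:" prefix on each line is the one grep or logwatch adds.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
# Combined Log Format, with the optional "filename:" prefix grep -H / logwatch adds.
LOG_RE = re.compile(
    r'^(?:(?P<file>[\w./-]+):)?'
    r'(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<nbytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

@dataclass
class Entry:
    file: Optional[str]
    client: str
    method: str
    target: str
    status: int
    nbytes: int   # response body size; "-" in the log means 0

def parse_line(line: str) -> Optional[Entry]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None                      # not a recognisable access_log line
    raw = m.group('nbytes')
    return Entry(m.group('file'), m.group('client'), m.group('method'),
                 m.group('target'), int(m.group('status')),
                 0 if raw == '-' else int(raw))

def served_connects(lines) -> List[Entry]:
    """CONNECT requests answered with 2xx and a non-zero body: the server
    relayed something for the requester instead of refusing (a 403/405 with a
    small error page is what a non-proxy would normally send back)."""
    return [e for e in map(parse_line, lines)
            if e and e.method == 'CONNECT' and 200 <= e.status < 300 and e.nbytes > 0]

# Constructed sample: the three lines quoted in the post, plus a GET and a refused CONNECT.
SAMPLE = """\
access_log:81.219.11.226 - - [09/Jan/2005:19:04:28 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12551 "-" "-"
access_log.1:216.102.227.194 - - [06/Jan/2005:20:50:47 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12550 "-" "-"
access_log.3:216.240.146.76 - - [20/Dec/2004:17:09:02 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12596 "-" "-"
access_log:82.96.96.3 - - [10/Jan/2005:08:00:01 -0800] "GET /index.html HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
access_log:10.0.0.5 - - [10/Jan/2005:08:00:02 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 403 296 "-" "-"
""".splitlines()

if __name__ == '__main__':
    for e in served_connects(SAMPLE):
        print(f"{e.file}: {e.client} relayed {e.nbytes} bytes to {e.target}")
```

To run it over a real file, replace SAMPLE with the lines of your access_log (or the output of grep CONNECT across the rotated logs); a refused CONNECT shows up as a 4xx with a small error page, so it is left out of the report.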



