From: Grant
To: gentoo-user@lists.gentoo.org
Date: Wed, 26 Sep 2007 19:25:23 -0700
Subject: Re: [gentoo-user] {OT} Strange apache2 access_log entries
Message-ID: <49bf44f10709261925k1eb61a00ye420df0f1c6f72d5@mail.gmail.com>
In-Reply-To: <20070926182419.2c8a13cb@pascal.spore.ath.cx>

> > Does anyone else get entries like this in their apache2 access_log:
> >
> > 127.0.0.1 - - [26/Sep/2007:03:10:08 -0700] "GET /" 400 470
> >
> > I get a whole slew of them every day. They always show up in batches
> > and each entry in a batch is logged at almost the same second.
>
> That makes sense, since 400 means 'bad request' the culprit probably
> fails a preset number of times and then gives up. Perhaps 127.0.0.1 is
> the setting for something in the absence of a sane configuration - in
> other words, it might be tricky to track this one down. You'll have to
> let us know what gurific sleuthing techniques you employ to track down
> the bad guys.

What do you mean by "bad guys"?

I made a mistake in my initial post. The 127.0.0.1 entries always
show up in ssl_access_log, not access_log. Also, I noticed that a
huge block of them always appears at the very beginning of each day's
ssl_access_log at exactly 3:10AM.

> You should perhaps use combined logging so you get more information,
> like the user agent and such. Right now you're using 'common' logging
> which has the additional disadvantage that it doesn't give you
> particularly useful information if you decide to use a statistical
> analyzer like awstats on your archive of logs from the past umpteen
> years. The user agent might be useful for debugging purposes.

I switched ssl_access_log temporarily to the combined format, and it
was definitely working, but the 127.0.0.1 error looked exactly as it
did in common format with no extra information.

> You might also consider running tcpdump for a few hours or so, or
> something, and have it watch for that port and interface and run ps or
> something if you get output from it. Or use iptables logging for the
> job, if you'd rather do that.

Any specific commands or even just certain parameters I should look into?

- Grant
-- 
gentoo-user@gentoo.org mailing list
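
Added example, not part of the original message or of any tool named in the thread: a small parser that pulls the 127.0.0.1 / 400 entries out of an Apache common or combined log and groups them into batches of near-simultaneous hits, so each batch's start time and size can be compared with whatever else runs on the host at that moment. The function names, the 2-second gap and the sample lines are assumptions; the sample is constructed from the single entry quoted above.

```python
import re
from datetime import datetime, timedelta

# Prefix shared by the common and combined formats. The request field is
# captured whole because the entries in question ("GET /") have no HTTP version.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

def parse(line):
    """Return (host, timestamp, request, status) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("host"), ts, m.group("req"), int(m.group("status"))

def loopback_400_batches(lines, max_gap=timedelta(seconds=2)):
    """Group 400 responses logged for 127.0.0.1 into (start_time, count) batches."""
    hits = sorted(
        p[1] for p in map(parse, lines)
        if p and p[0] == "127.0.0.1" and p[3] == 400
    )
    batches = []
    for ts in hits:
        if batches and ts - batches[-1][-1] <= max_gap:
            batches[-1].append(ts)   # close enough to the previous hit: same batch
        else:
            batches.append([ts])     # gap too large: start a new batch
    return [(b[0], len(b)) for b in batches]

# Constructed sample lines modelled on the entry quoted in the thread.
SAMPLE = """\
127.0.0.1 - - [26/Sep/2007:03:10:08 -0700] "GET /" 400 470
127.0.0.1 - - [26/Sep/2007:03:10:08 -0700] "GET /" 400 470
127.0.0.1 - - [26/Sep/2007:03:10:09 -0700] "GET /" 400 470
192.0.2.10 - - [26/Sep/2007:09:15:42 -0700] "GET /index.html HTTP/1.1" 200 1024
127.0.0.1 - - [26/Sep/2007:14:22:31 -0700] "GET /" 400 470
127.0.0.1 - - [26/Sep/2007:14:22:31 -0700] "GET /" 400 470
""".splitlines()

if __name__ == "__main__":
    for start, count in loopback_400_batches(SAMPLE):
        print(f"{start.isoformat()}  {count} entries")
```

To run it against a real log, pass `open("ssl_access_log")` (path is an assumption) in place of `SAMPLE`.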