Re: reviewing httpd access log
On Sun, Aug 01, 2004 at 11:30:35AM -0700, the unit calling itself Chuck Yerkes wrote:
> Quoting J Moore (jaymo@cullmail.com):
> > Reviewing my /var/www/logs/access_log file it seems there are a lot of
> > "bogus" entries; i.e. people trying various hacks, looking for
> > weaknesses, testing for win32, etc, etc.
> >
> > Is there a good technique for automatically identifying these
> > trouble-makers? I'd like to be able to build a "deny" table for pf to
> > halt repeat offenders, but I can't afford the time to review the logs
> > "manually".
>
> On the other hand, the biggest defense is to not run IIS or
> software with holes.
What in the world gave you the idea I was running IIS?
> OpenBSD was the first OS that I was comfortable with putting
> on the net without filters in front of and on the machine.
>
> The SunOS 4 boxes demanded a couple screens of ACLs on them
> and then a very tightly locked down machine re: the ports
> that were actually listening (generally mail, dns and web)
> along with restricting krsh and ktelnet.
>
> Your openbsd apache may be being hit with lots of attempts to
> run cmd.exe and the like, but don't believe those attacks will
> work.
>
> (I'm liking that PF can fingerprint, to a point. Blocking windows
> machines' access to my SMTP server is desirable)
>
How is this post relevant to the question?