Re: reviewing httpd access log
J Moore wrote:
> Reviewing my /var/www/logs/access_log file it seems there are a lot of
> "bogus" entries; i.e. people trying various hacks, looking for
> weaknesses, testing for win32, etc, etc.
and virus/rooted/trojaned machines...
This is probably the vast majority of that traffic you are seeing.
Innocent, not at all. Deliberately malicious? eh..not really. Just
ignorant, stupid, careless, inconsiderate...
> Is there a good technique for automatically identifying these
> trouble-makers? I'd like to be able to build a "deny" table for pf to
> halt repeat offenders, but I can't afford the time to review the logs
> "manually".
Do you really want to do this?
Imagine this situation:
One machine at a client/customer of yours (using a NAT) gets a virus.
It goes probing recently visited websites, yours is one of them. It
trips off your probe detection system, and now their entire office which
sends you money is now locked out of your website. All for..what?
Certainly no security gain -- you are looking for things that have
already been found, added to your watch lists, and if your system is
well maintained, probably already fixed (if it was ever vulnerable).
Small traffic savings possibly. Small reduction in log size. Feeling
that you are Doing Something. And locking out people you want to be
doing business with, and the time involved in "undoing" that...
My recommendation: just ignore it. Not worth what you might end up doing
to yourself...
Nick.
--
http://www.holland-consulting.net
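For readers who still want to see what the automated tally would look like, the script below is an added example for this thread, not code from either poster. It parses httpd Common Log Format lines, counts probe-like 404 requests per source address, and then produces a review list rather than a pf deny table, setting aside any address that falls inside a network you know to be a customer's NAT gateway (the lockout scenario Nick describes). The log lines, the probe patterns, the `KNOWN_CLIENT_NETS` list and the threshold are all constructed for illustration and would need tuning for a real site.

```python
"""Tally probe-like requests per source address from an httpd access_log.

Added example for this thread, not code from the original posts.  It
reports candidates for review instead of feeding a pf table directly, and
it suppresses addresses inside networks you know to be customer NATs, the
failure mode described in the reply above.  All patterns, networks and
log lines below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# Apache/httpd Common Log Format: host ident user [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Request paths typical of worm/scanner traffic aimed at Windows hosts
# (assumed patterns; tune them for your own site).
PROBE_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (r'cmd\.exe', r'root\.exe', r'/winnt/', r'default\.ida', r'%25[0-9a-f]{2}')
]


def parse_clf(line):
    """Return a dict of the CLF fields, or None for lines that do not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def is_probe(rec):
    """A probe here is a request for a path we never serve (404) matching a known pattern."""
    return rec['status'] == 404 and any(p.search(rec['path']) for p in PROBE_PATTERNS)


def tally_probes(log_text):
    """Count probe-like requests per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec and is_probe(rec):
            counts[rec['host']] += 1
    return counts


def review(log_text, known_client_nets=(), threshold=2):
    """Split sources at or above threshold into (candidates, suppressed).

    Addresses inside known_client_nets (e.g. a customer's NAT gateway) are
    reported separately rather than blocked: one infected desktop behind
    that gateway would otherwise lock out the whole office.
    """
    nets = [ipaddress.ip_network(n) for n in known_client_nets]
    candidates, suppressed = {}, {}
    for host, n in tally_probes(log_text).items():
        if n < threshold:
            continue
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            candidates[host] = n  # hostname-logged entry: still worth a look
            continue
        if any(addr in net for net in nets):
            suppressed[host] = n
        else:
            candidates[host] = n
    return candidates, suppressed


# Constructed sample access_log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2003:13:55:36 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
203.0.113.5 - - [10/Oct/2003:13:55:37 -0700] "GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
203.0.113.5 - - [10/Oct/2003:13:55:38 -0700] "GET /default.ida?XXXX HTTP/1.0" 404 290
198.51.100.20 - - [10/Oct/2003:14:01:02 -0700] "GET /index.html HTTP/1.1" 200 1043
198.51.100.20 - - [10/Oct/2003:14:01:03 -0700] "GET /images/logo.png HTTP/1.1" 200 5120
192.0.2.77 - - [10/Oct/2003:14:05:10 -0700] "GET /cmd.exe HTTP/1.0" 404 290
192.0.2.77 - - [10/Oct/2003:14:05:11 -0700] "GET /root.exe HTTP/1.0" 404 290
192.0.2.77 - - [10/Oct/2003:14:05:12 -0700] "GET /index.html HTTP/1.1" 200 1043
"""

# Assumed: 192.0.2.0/24 is a customer office behind a single NAT address.
KNOWN_CLIENT_NETS = ["192.0.2.0/24"]

if __name__ == "__main__":
    cands, supp = review(SAMPLE_LOG, KNOWN_CLIENT_NETS)
    for host, n in sorted(cands.items()):
        print(f"review:    {host}  {n} probe-like requests")
    for host, n in sorted(supp.items()):
        print(f"customer:  {host}  {n} probe-like requests (not blocked, notify them)")
```

Run against the sample, it lists 203.0.113.5 for review and reports 192.0.2.77 as a customer network that is probably infected but should be told rather than cut off. Whether the review list is ever turned into a pf table is left to the operator; the point of the split is that the decision stays with a person.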