Re: reviewing httpd access log
Nick Holland wrote:
...babble, babble, babble...
> My recommendation: just ignore it. Not worth what you might end up doing
> to yourself...
uh, forgot one of my favorite "almost obvious" tricks: I run all the
websites as VirtualHost, even if there is only one site hosted on the
box. As most of the viri out there are probing by IP address rather
than by hostname, they (usually) end up in the "site" access logs, not
in your named host logs.
Actually, that just about does it for isolating "problem" hosts, if you
still wished to do what you indicated. Anything that ends up in the
site error log gets filtered; after all, no one should be accessing your
website by IP address, just by name. Find the IP address in the log
(pretty easy), feed it into a PF table for blocking. My first thought
was that the probes come so fast that by the time you got 'em filtered,
you would never hear from 'em again, though looking at my logs, I see
that they are often being repeated for hours, probably multiple machines in
one site being infected. Pretty simple, I think, though still NOT
something I'd recommend doing.
Hehehe...just thought of another reason one might not wish to do this: I
can imagine someone in your own site getting a virus, probing your own
server, and bang! locked out of your own machine! :)
Nick.
--
http://www.holland-consulting.net
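The catch-all VirtualHost plus PF table idea from the message, as an added shell example that is not part of Nick's post. The vhost layout, log path, table name and the "never block your own site" prefixes are assumptions, and the log lines are constructed.

```shell
#!/bin/sh
# Added example, not Nick's own script: pull client addresses out of the access
# log of a catch-all VirtualHost (requests that arrived by IP address, not by
# name) and feed them to a PF table, skipping your own networks so you cannot
# lock yourself out.
# Assumed Apache setup: the FIRST <VirtualHost *:80> is the default, catches
# IP-based requests, and logs to its own CustomLog (path below, combined format).
# Assumed pf.conf:  table <probes> persist
#                   block in quick on egress from <probes>
LOGFILE=${LOGFILE:-/var/www/logs/catchall_access_log}
TABLE=${TABLE:-probes}
MIN_HITS=${MIN_HITS:-3}                          # ignore one-off hits
SAFE_NETS=${SAFE_NETS:-"192.168. 10. 127."}      # prefixes never blocked (your site)

# Read combined-format log lines on stdin; print each client IP seen at least
# MIN_HITS times and not starting with a SAFE_NETS prefix, sorted one per line.
probe_ips() {
    awk -v min="$MIN_HITS" -v safe="$SAFE_NETS" '
        BEGIN { n = split(safe, nets, " ") }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { hits[$1]++ }   # field 1 = client
        END {
            for (ip in hits) {
                skip = 0
                for (i = 1; i <= n; i++) if (index(ip, nets[i]) == 1) skip = 1
                if (!skip && hits[ip] >= min) print ip
            }
        }' | sort
}

# Load the result into the PF table (needs root; does nothing where pfctl is absent).
block_probes() {
    ips=$(probe_ips < "$LOGFILE") || return 1
    [ -n "$ips" ] || return 0
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found, nothing done" >&2; return 0; }
    pfctl -t "$TABLE" -T add $ips
}

# Constructed sample of the catch-all log (RFC 5737 documentation addresses).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Aug/2003:12:00:01 -0400] "GET / HTTP/1.0" 404 209 "-" "-"
203.0.113.7 - - [10/Aug/2003:12:00:02 -0400] "GET /scripts/ HTTP/1.0" 404 209 "-" "-"
203.0.113.7 - - [10/Aug/2003:12:00:03 -0400] "GET /cgi-bin/ HTTP/1.0" 404 209 "-" "-"
198.51.100.9 - - [10/Aug/2003:12:05:00 -0400] "GET / HTTP/1.0" 200 1043 "-" "-"
192.168.1.20 - - [10/Aug/2003:12:06:00 -0400] "GET / HTTP/1.0" 404 209 "-" "-"
192.168.1.20 - - [10/Aug/2003:12:06:01 -0400] "GET / HTTP/1.0" 404 209 "-" "-"
192.168.1.20 - - [10/Aug/2003:12:06:02 -0400] "GET / HTTP/1.0" 404 209 "-" "-"
EOF
}

echo "Would add to <$TABLE>:"; sample_log | probe_ips
```

Run `block_probes` from cron against the real log once the output looks right; the local 192.168.1.20 host is dropped even though it made the most requests.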