[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: reviewing httpd access log



Quoting J Moore (jaymo_(_at_)_cullmail_(_dot_)_com):
> Reviewing my /var/www/logs/access_log file it seems there are a lot of 
> "bogus" entries; i.e. people trying various hacks, looking for 
> weaknesses, testing for win32, etc, etc.
> 
> Is there a good technique for automatically identifying these 
> trouble-makers? I'd like to be able to build a "deny" table for pf to 
> halt repeat offendors, but I can't afford the time to review the logs 
> "manually".

On the other hand, the biggest defense is to not run IIS or
software with holes.

OpenBSD was the first OS that I was comfortable with putting
on the net without filters in front of and on the machine.

The SunOS 4 boxes demanded a couple screens of ACLs on them
and then a very tightly locked down machine re: the ports
that were actually listening (generally mail,dns and web)
along with restricting krsh and ktelnet.

Your openbsd apache may be being hit with lots of attempts to
run cmd.exe and the like, but don't believe those attacks will
work.

(I'm liking that PF can fingerprint, to a point.  Blocking windows
machines' access to my SMTP server is desirable)