[NBLUG/talk] How to read logwatch & httpd access_log
augie.schwer at gmail.com
Sun Jan 23 14:34:16 PST 2005
On Thu, 13 Jan 2005 08:27:57 -0800, Dave Sisley <dsisley at sonic.net> wrote:
> Connection attempts using mod_proxy:
> 126.96.36.199 -> 188.8.131.52:802 : 8 Time(s)
> I've been ignoring this since my httpd server isn't running
> mod_proxy. Hmmm. Or at least I don't think so. I see this in my
> httpd.conf file:
> LoadModule proxy_module modules/mod_proxy.so
> LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
> LoadModule proxy_http_module modules/mod_proxy_http.so
> LoadModule proxy_connect_module modules/mod_proxy_connect.so
> So my first assumption is that mod_proxy is NOT running on my server.
Well, you are loading the code into Apache even if it is not configured
to use it. If you really don't want it, then you might as well just comment
the above lines out.
> My real question (finally!) has to do with my access_logs, which
> logwatch parses to make its report. I saw in google that successful
> CONNECTs (200) might indicate trouble. I see plenty of connects from
> 184.108.40.206, which I think is okay, but I see a couple like this that
> make me nervous:
> access_log:220.127.116.11 - - [09/Jan/2005:19:04:28 -0800] "CONNECT 18.104.22.168:1337 HTTP/1.0" 200 12551 "-" "-"
> access_log.1:22.214.171.124 - - [06/Jan/2005:20:50:47 -0800] "CONNECT 126.96.36.199:1337 HTTP/1.0" 200 12550 "-" "-"
> access_log.3:188.8.131.52 - - [20/Dec/2004:17:09:02 -0800] "CONNECT 184.108.40.206:1337 HTTP/1.0" 200 12596 "-" "-"
It looks like your box is being tested to see if it is an open proxy. A little
googling seems to confirm this:
Registered Linux user #229905
GPG Public Key: http://www.schwer.us/schwer.asc
Key fingerprint = 9815 AE19 AFD1 1FE7 5DEE 2AC3 CB99 2784 27B0 C072
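One way to pull the CONNECT lines out of access_log and count them the way logwatch does ("client -> target : N Time(s)"), as an added example that is not part of the original thread; the sample lines and their addresses are constructed, and a 200 on a CONNECT is treated as the server having opened the tunnel:

```python
import re
from collections import Counter

# Apache combined log format, optionally prefixed with "filename:" the way
# grep prints it (the lines quoted in the thread are grep output).
LOG_RE = re.compile(
    r'^(?:[^\s:]+:)?(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines; the addresses come from documentation ranges,
# they are not the poster's.
SAMPLE_LOG = """\
access_log:192.0.2.10 - - [09/Jan/2005:19:04:28 -0800] "CONNECT 198.51.100.5:1337 HTTP/1.0" 200 12551 "-" "-"
access_log:192.0.2.10 - - [09/Jan/2005:19:05:02 -0800] "CONNECT 198.51.100.5:1337 HTTP/1.0" 200 12551 "-" "-"
access_log.1:192.0.2.22 - - [06/Jan/2005:20:50:47 -0800] "CONNECT 198.51.100.9:25 HTTP/1.0" 403 291 "-" "-"
access_log.1:203.0.113.7 - - [20/Dec/2004:17:09:02 -0800] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Split one access_log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def proxy_connects(log_text):
    """Count CONNECT requests per 'client -> target', split by outcome.

    A 200 on a CONNECT means Apache opened the tunnel, i.e. the server
    acted as a proxy for that client; any other status means it refused.
    """
    tunnelled, refused = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['method'] != 'CONNECT':
            continue
        key = f"{rec['client']} -> {rec['target']}"
        (tunnelled if rec['status'] == '200' else refused)[key] += 1
    return tunnelled, refused

def summarize(log_text):
    """Logwatch-style summary lines, opened tunnels first, busiest on top."""
    tunnelled, refused = proxy_connects(log_text)
    lines = [f"OPEN PROXY: {k} : {n} Time(s)" for k, n in tunnelled.most_common()]
    lines += [f"refused: {k} : {n} Time(s)" for k, n in refused.most_common()]
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Run it against `grep CONNECT /var/log/httpd/access_log*` output: any "OPEN PROXY" line means a tunnel was actually established, which is the case to act on, whereas refused CONNECTs are just the probing the reply describes.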