[NBLUG/talk] How to read logwatch & httpd access_log

Dave Sisley dsisley at sonic.net
Sun Jan 23 20:48:14 PST 2005


On Sun, Jan 23, 2005 at 02:34:16PM -0800, Augie Schwer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Thu, 13 Jan 2005 08:27:57 -0800, Dave Sisley <dsisley at sonic.net> wrote:
> > Connection attempts using mod_proxy:
> >    82.96.96.3 -> 82.96.96.3:802 : 8 Time(s)
> > I've been ignoring this since my httpd server isn't running
> > mod_proxy. Hmmm. Or at least I don't think so.  I see this in my
> > httpd.conf file:
> > LoadModule proxy_module modules/mod_proxy.so
> > LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
> > LoadModule proxy_http_module modules/mod_proxy_http.so
> > LoadModule proxy_connect_module modules/mod_proxy_connect.so
> > So my first assumption is that mod_proxy is NOT running on my server.
> 
> Well you are loading the code into Apache even if it is not configured 
> to use it. If you really don't want it, then you might as well just comment 
> the above lines out.

Right. That's good advice. Done.

> 
> > My real question (finally!) has to do with my access_logs, which
> > logwatch parses to make its report.  I saw in google that successful
> > CONNECTs (200) might indicate trouble.  I see plenty of connects from
> > 82.96.96.3, which I think is okay, but I see a couple like this that
> > make me nervous:
> > access_log:81.219.11.226 - - [09/Jan/2005:19:04:28 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12551 "-" "-"
> > access_log.1:216.102.227.194 - - [06/Jan/2005:20:50:47 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12550 "-" "-"
> > access_log.3:216.240.146.76 - - [20/Dec/2004:17:09:02 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12596 "-" "-"
> 
> It looks like your box is being tested to see if it is an open proxy. A little 
> googling seems to confirm this:
> 
> http://www.linuxquestions.org/questions/showthread.php?s=&threadid=265156&goto=nextnewest
>  

You know, I saw that one.  That's what I was referring to above
when I mentioned google and the 200 responses.

I'm also formulating a response to Ron's post.  As he points out, it's
the CONNECT I'm worried about (see my further response there...).

-dave.

-- 
Dave Sisley
dsisley at sonic.net
roth-sisley.net
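As an added example (not part of the thread, and not code from logwatch or Apache), here is a small Python parser for access_log lines in the form quoted above. It flags the pattern Augie identifies: a CONNECT that the server answered with a 2xx status, meaning Apache actually relayed the tunnel. It goes one step beyond the thread by also flagging absolute-URI requests (GET http://other-host/...) answered with 2xx, which is the other way an open forward proxy shows up in access_log; to tell those apart from normal absolute-URI requests for the server's own site, the caller passes its own hostnames. The three CONNECT lines are the ones from the post; the other sample lines, the 198.51.100.7 source, and the local hostname roth-sisley.net are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Combined log format, with an optional "access_log.N:" prefix as left by grep
# across rotated logs (that prefix appears in the lines quoted in the thread).
LOG_RE = re.compile(
    r'^(?:(?P<file>[\w.]+):)?'                       # optional grep filename prefix
    r'(?P<ip>\S+) \S+ \S+ '                          # client ip, ident, authuser
    r'\[(?P<ts>[^\]]+)\] '                           # [09/Jan/2005:19:04:28 -0800]
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'             # status and response size
)


def parse_line(line):
    """Return a dict of fields for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['size'] = 0 if rec['size'] == '-' else int(rec['size'])
    return rec


def is_proxy_relay(rec, local_hosts=frozenset()):
    """True when the server relayed a request on behalf of the client.

    A CONNECT with a 2xx status means Apache opened the tunnel (an open proxy).
    An absolute-URI request (GET http://host/...) with 2xx for a host that is
    not one of ours means Apache fetched it as a forward proxy.
    """
    if rec is None or not (200 <= rec['status'] < 300):
        return False
    if rec['method'] == 'CONNECT':
        return True
    if rec['target'].lower().startswith(('http://', 'https://')):
        host = urlsplit(rec['target']).hostname or ''
        return host not in local_hosts
    return False


def find_proxy_relays(lines, local_hosts=frozenset()):
    """List of (client ip, target, status) for every relayed request in the log."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if is_proxy_relay(rec, local_hosts):
            hits.append((rec['ip'], rec['target'], rec['status']))
    return hits


def summarize(lines, local_hosts=frozenset()):
    """Count (client ip, target) pairs, in the spirit of logwatch's 'N Time(s)' lines."""
    return Counter((ip, target) for ip, target, _ in find_proxy_relays(lines, local_hosts))


# Sample input: the three CONNECT lines quoted in the post, plus constructed lines.
SAMPLE = [
    'access_log:81.219.11.226 - - [09/Jan/2005:19:04:28 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12551 "-" "-"',
    'access_log.1:216.102.227.194 - - [06/Jan/2005:20:50:47 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12550 "-" "-"',
    'access_log.3:216.240.146.76 - - [20/Dec/2004:17:09:02 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 200 12596 "-" "-"',
    # constructed: an ordinary page request, not a relay
    '10.0.0.5 - - [10/Jan/2005:08:00:00 -0800] "GET /index.html HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    # constructed: a CONNECT probe that the server refused, so nothing was relayed
    '198.51.100.7 - - [10/Jan/2005:08:01:12 -0800] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 298 "-" "-"',
    # constructed: absolute-URI fetch of a foreign host that succeeded (forward proxy)
    '198.51.100.7 - - [10/Jan/2005:08:01:13 -0800] "GET http://example.com/ HTTP/1.0" 200 1024 "-" "-"',
    # constructed: absolute-URI request for our own site, which is normal HTTP/1.0 behaviour
    '198.51.100.7 - - [10/Jan/2005:08:01:14 -0800] "GET http://roth-sisley.net/ HTTP/1.0" 200 4312 "-" "-"',
]

if __name__ == '__main__':
    for ip, target, status in find_proxy_relays(SAMPLE, local_hosts={'roth-sisley.net'}):
        print(f'relayed: {ip} -> {target} ({status})')
    for (ip, target), n in summarize(SAMPLE, local_hosts={'roth-sisley.net'}).items():
        print(f'{ip} -> {target} : {n} Time(s)')
```

Run it against a real log with `find_proxy_relays(open('/var/log/httpd/access_log'), local_hosts={...})`. Any hit means the server is relaying, and the fix is the one already given in the thread: stop loading the proxy modules, or make sure `ProxyRequests Off` is in effect. A CONNECT that is answered with a 4xx/5xx is just a probe that went nowhere and is the result you want to see.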

