[NBLUG/talk] How to read logwatch & httpd access_log
dsisley at sonic.net
Thu Jan 13 08:27:57 PST 2005
[warning: this turned out to be a longer post than I thought. Extra
points for reading the whole thing!]
Bit by bit, I'm trying to learn to sift through the info that logwatch
sends to me each morning. I got a lot of useful info from the list
here with figuring out the sshd messages I was getting in logwatch
(thanks!), and now I'm curious about the messages from httpd.
I'm referrring here to a Fedora Core 2 box. I'm just running logwatch
as it came 'out of the box'; I haven't configured it in any way.
On a fairly regular basis (but not every day), I get an entry in
logwatch that looks like this (in the httpd section):
Connection attempts using mod_proxy:
18.104.22.168 -> 22.214.171.124:802 : 8 Time(s)
I've been ignoring this since my httpd server isn't running
mod_proxy. Hmmm. Or at least I don't think so. I see this in my
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
Then further down, I see that the Proxy Server directives are all
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
# Order deny,allow
# Deny from all
# Allow from .your-domain.com
# Enable/disable the handling of HTTP/1.1 "Via:" headers.
# ("Full" adds the server version; "Block" removes all outgoing Via: headers)
# Set to one of: Off | On | Full | Block
# To enable the cache as well, edit and uncomment the following lines:
# (no cacheing without CacheRoot)
#NoCache a-domain.com another-domain.edu joes.garage-sale.com
# End of proxy directives.
So my first assumption is that mod_proxy is NOT running on my server.
I've also googled and run host on that IP address logwatch entry
(126.96.36.199) which resolves to proxyscan.freenode.net. I went to
freenode.net and poked around, and they state that they will probe
machines that use their servers. This is afterall the server that
hosts (if that's the right word) the NBLUG chat room.
My second assumption is that I don't really need to worry about that
IP address, since it's part of using #nblug.
My real question (finally!) has to do with my access_logs, which
logwatch parses to make its report. I saw in google that successful
CONNECTs (200) might indicate trouble. I see plenty of connects from
188.8.131.52, which I think is okay, but I see a couple like this that
make me nervous:
access_log:184.108.40.206 - - [09/Jan/2005:19:04:28 -0800] "CONNECT 220.127.116.11:1337 HTTP/1.0" 200 12551 "-" "-"
access_log.1:18.104.22.168 - - [06/Jan/2005:20:50:47 -0800] "CONNECT 22.214.171.124:1337 HTTP/1.0" 200 12550 "-" "-"
access_log.3:126.96.36.199 - - [20/Dec/2004:17:09:02 -0800] "CONNECT 188.8.131.52:1337 HTTP/1.0" 200 12596 "-" "-"
Obviously somebody wants to w00t me (or 'own' me, or whatever it is
these hooligans call it). What's interesting (or scary) is that these
messages are in my log file, but they don't seem to be reported by
logwatch (unless I'm misreading it).
Do I have something to worry about, and if so - what do I do about it?
Thanks in advance for the help!
dsisley at sonic.net
More information about the talk