Docs/SysAdmin/Server/ApacheLogs
From Mandriva Community Wiki
I recently had a problem where some of the new buffer overflow attacks aimed at Windows IIS servers had a tendency to create such large single entries in my combined log (/var/log/httpd/access_log) that webalizer and other log tools were choking on the size of the URI. I've also noticed that, since this site has low usage, the ratio of real hits to false hits is skewing the data on just how many visits I actually have. So I decided to look into what I had to do in order to make sure that I only "catalog" legitimate hits on my site. This doesn't stop the "attacks"; there are other ways of doing that. It does stop the logging of them in a place that gives me false data. This was all done on MDK 9.2 and MDK 10 and then again on 10.1; from my testing it works in both Apache 1.3.x and 2.x.
Slowing down the "attacker"
The first step uses RedirectMatch, taken from Jack Coates' homepage at http://www.monkeynoodle.org/lrp/deworming.html#tux . The idea is to slow down the attacks by redirecting the worm to an address that never answers, so the normal connection timeout takes over and holds the worm until it gives up. The IP block 192.0.2.0/24 is an unroutable IP block reserved for use in documentation, so we won't have to worry about it actually being on anyone's LAN. This is an edit to your httpd.conf file.
[cut below]
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Format: Redirect old-URI new-URL
RedirectMatch ^.*\.(exe|dll|ida).* http://192.0.2.1
[cut above]
The comments are included in the clip above just so that you can find where I placed everything; the uncommented line is the one you really need. This of course assumes that your site serves a single domain. If you have VHosts, consult Jack's docs for more info.
Keeping the worms out of the logs
[cut below]
# make sure we log legit requests
SetEnvIf Request_Method "(GET)|(POST)|(PUT)|(DELETE)|(HEAD)" log

# SEARCH is not a legit method in Apache and the objective of a current
# worm. So I am going to send it to oblivion. It creates broken log
# files if I don't
SetEnvIf Request_Method "(SEARCH)" worm

# RegEx's to trap a number of windows worms I know of. Send them to
# the worm logfile and not the one I mine for data.
SetEnvIf Request_URI "_vti_inf\.html$" worm !log
SetEnvIf Request_URI "^/_mem_bin/" worm !log
SetEnvIf Request_URI "^/_vti_bin/" worm !log
SetEnvIf Request_URI "^/c/" worm !log
SetEnvIf Request_URI "^/d/" worm !log
SetEnvIf Request_URI "^/scripts/" worm !log
SetEnvIfNoCase Request_URI "^/msadc/" worm !log
# Code Red
SetEnvIf Request_URI "default\.ida" worm !log
SetEnvIfNoCase Request_URI "null\.ida" worm !log
# NIMDA
SetEnvIf Request_URI "cmd\.exe" worm !log
SetEnvIf Request_URI "root\.exe" worm !log
SetEnvIf Request_URI "Admin\.dll" worm !log

# These are optional
# This sets it so that requests for your images aren't logged.
SetEnvIf Request_URI "(\.gif|\.jpe?g|\.png|\.css|\.js)$" !log
# this makes it so that requests from my home lan aren't logged.
SetEnvIf Remote_Addr "^192\.168\." !log
# If I'm on the box testing I don't want that logged.
SetEnvIf Remote_Addr "^127\.0\." !log
# This is an example of how to not log XXX referrer.
SetEnvIf Referer "somedangsite\.com" !log

# Now set where the logs are. I'm sending worms to /dev/null but
# it could be any full path.
CustomLog /var/log/httpd/access_log combined env=log
CustomLog /dev/null combined env=worm
[cut above]
Edit the httpd config files so that this gets used
The last step is to edit httpd.conf or httpd2.conf (depending on which you have) to include this file and to make sure there are not two sets of logging directives. Otherwise you would not see the logging being removed as desired.
Under Global Configuration (near the top of the file) add this line:
Include conf/wormlog.conf
Then look for this line and comment it out (otherwise both log directives will try to work, unsuccessfully, and it will appear as if nothing is happening):
CustomLog logs/access_log combined env=!VLOG
Test your setup
Restart httpd and start testing. If your results match mine, all of these Windows worms will no longer be filling up your log files with a ton of BS. The advantage here is that any usage tracking you do will track more legitimate hits to your site and not all of the virus-infected Windows boxes looking for a place to take a dump. You can also send all of your "worm" logs to a separate log file to be handled on their own instead of doing what I did and sending them to /dev/null.
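Before restarting httpd, it helps to know what the RedirectMatch line and the wormlog.conf rules above would actually do to real traffic. The script below is an added example, not part of the wiki page or of Jack Coates' material: it re-implements the SetEnvIf rule list and the RedirectMatch pattern in Python, parses combined-format log lines, and reports which CustomLog (access_log, the worm log, or neither) each request would end up in. The sample log lines are constructed for the example; feed it an existing access_log instead to see how many of your historical hits the filter would have reclassified.

```python
import re
from collections import Counter

# The RedirectMatch pattern from the httpd.conf clip. RedirectMatch tests the
# URL path (no query string), and this pattern is unanchored around the
# extension, so any path containing ".exe", ".dll" or ".ida" is redirected,
# including a legitimate /downloads/setup.exe if you serve such files.
REDIRECT_RE = re.compile(r"^.*\.(exe|dll|ida).*")

# The SetEnvIf rules from wormlog.conf, in file order, as
# (attribute, regex, case_insensitive, actions). SetEnvIf regexes are
# unanchored searches; "name" sets a variable, "!name" unsets it.
RULES = [
    ("Request_Method", r"(GET)|(POST)|(PUT)|(DELETE)|(HEAD)", False, ("log",)),
    ("Request_Method", r"(SEARCH)", False, ("worm",)),
    ("Request_URI", r"_vti_inf\.html$", False, ("worm", "!log")),
    ("Request_URI", r"^/_mem_bin/", False, ("worm", "!log")),
    ("Request_URI", r"^/_vti_bin/", False, ("worm", "!log")),
    ("Request_URI", r"^/c/", False, ("worm", "!log")),
    ("Request_URI", r"^/d/", False, ("worm", "!log")),
    ("Request_URI", r"^/scripts/", False, ("worm", "!log")),
    ("Request_URI", r"^/msadc/", True, ("worm", "!log")),
    ("Request_URI", r"default\.ida", False, ("worm", "!log")),
    ("Request_URI", r"null\.ida", True, ("worm", "!log")),
    ("Request_URI", r"cmd\.exe", False, ("worm", "!log")),
    ("Request_URI", r"root\.exe", False, ("worm", "!log")),
    ("Request_URI", r"Admin\.dll", False, ("worm", "!log")),
    ("Request_URI", r"(\.gif|\.jpe?g|\.png|\.css|\.js)$", False, ("!log",)),
    ("Remote_Addr", r"^192\.168\.", False, ("!log",)),
    ("Remote_Addr", r"^127\.0\.", False, ("!log",)),
    ("Referer", r"somedangsite\.com", False, ("!log",)),
]

# Combined log format. Quoted fields are taken verbatim; a production parser
# would also need to handle Apache's backslash-escaped quotes inside them.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Split one combined-format line into the attributes SetEnvIf looks at."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    parts = m.group("request").split()
    method = parts[0] if parts else ""
    # Request_URI is the path of the request line without the query string.
    path = parts[1].split("?", 1)[0] if len(parts) > 1 else ""
    return {"Request_Method": method, "Request_URI": path,
            "Remote_Addr": m.group("addr"), "Referer": m.group("referer")}


def evaluate_env(attrs):
    """Apply the rules in order; return the environment variables left set."""
    env = set()
    for attribute, pattern, nocase, actions in RULES:
        if re.search(pattern, attrs.get(attribute, ""), re.IGNORECASE if nocase else 0):
            for action in actions:
                if action.startswith("!"):
                    env.discard(action[1:])
                else:
                    env.add(action)
    return env


def classify(line):
    """Name the CustomLog (if any) that would receive this request."""
    env = evaluate_env(parse_line(line))
    if "log" in env:
        return "access_log"   # CustomLog ... combined env=log
    if "worm" in env:
        return "worm_log"     # CustomLog /dev/null combined env=worm
    return "dropped"          # matched neither env= condition: logged nowhere


def would_redirect(path):
    """True if the RedirectMatch line would send this path to 192.0.2.1."""
    return REDIRECT_RE.match(path) is not None


def split_log(lines):
    return Counter(classify(line) for line in lines)


# Constructed sample lines (not from a real server). The Code Red style line
# gets padding appended so it is long, like the entries that broke webalizer.
T = "[10/Oct/2004:13:55:36 -0700]"
SAMPLE_LINES = [
    f'203.0.113.5 - - {T} "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"',
    f'198.51.100.7 - - {T} "GET /default.ida?{"X" * 200}%u9090 HTTP/1.0" 404 285 "-" "-"',
    f'198.51.100.8 - - {T} "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 285 "-" "-"',
    f'198.51.100.9 - - {T} "SEARCH / HTTP/1.1" 411 0 "-" "-"',
    f'203.0.113.6 - - {T} "GET /images/logo.png HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/4.0"',
    f'192.168.1.10 - - {T} "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"',
    f'203.0.113.7 - - {T} "OPTIONS * HTTP/1.1" 200 0 "-" "Mozilla/4.0"',
    f'203.0.113.8 - - {T} "POST /guestbook.cgi HTTP/1.1" 200 512 "http://www.somedangsite.com/" "Mozilla/4.0"',
    f'198.51.100.10 - - {T} "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 285 "-" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{classify(line):10s} {line[:72]}")
    print(dict(split_log(SAMPLE_LINES)))
```

Two things the run makes visible that the config alone does not: the "dropped" bucket catches more than images and LAN hits, because any method outside the whitelist (the OPTIONS line above) matches neither env=log nor env=worm and is never logged at all; and would_redirect() shows the RedirectMatch line also fires on ordinary paths ending in .exe or .dll, so keep it in mind if you host downloads.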