[This isn't cryptography related, but helping John keep his web site of useful crypto information working well helps the community, so I'm allowing it. If you aren't a web server type who knows how to help, you probably want to delete this now. --Perry]

We need help on analyzing the adverse effect of using .htaccess to block misbehaving IP addresses.

We first installed the file in September 1999 to block a single looping machine at kisa.or.kr. Then added a few more as such loopings occurred from other addresses.

Recently we discovered that nearly all our logfiles have been inaccurate and asked our provider, Verio, to tell us why. Turns out the culprit was .htaccess, according to Verio. We were blamed for listing hostnames to block rather than numeric IP addresses, which led reverse lookup to go haywire (see message below). Removal of .htaccess immediately stopped the inaccuracies, and reinstallation with only numeric addresses seems to work just fine, so that seems to have been the problem.

We are attempting to analyze the inaccurate logs for a particular brief period and cannot find a pattern which would produce accuracy. (Yes, we regularly delete logfiles to protect privacy.) Verio claims that the inaccurate logs were generated automatically and there is no way to regenerate them accurately.

Help would be appreciated on means to figure out how to translate the inaccuracies into accuracies. This involves only about two dozen logfile entries we need to accurately identify (more on that when the details can be substantiated -- it's about suspected gov improprieties).

A related odd discovery: Last December, visitors from ncsc.mil, including what we call the "NSA bot," disappeared from the logfiles. We assumed the site was no longer of interest or that cover addresses were now being used. Well, maybe wholly coincidental, when we removed .htaccess a few days ago the ncsc.mil addresses, including the NSA bot, began reappearing in the logfiles. Reinstallation of .htaccess with only numeric addresses has had no effect on the ncsc accesses.

Would anyone know what to make of this?

----------

From: David Klein <[EMAIL PROTECTED]>
Subject: Re: [IDS-946244] CRYPTOME.ORG and JYA.COM
To: [EMAIL PROTECTED]
Date: Fri, 12 May 2000 07:41:55 -0400 (EDT)

Dear John,

Thank you for contacting technical support. In response to your questions:

Our Apache implementation has HostnameLookups turned off - the access_log.custom file should NOT have hostnames in it. The lookups are done by logparse/logip when the servers' master log file is parsed. However, you had a bunch of 'deny from' directives in your .htaccess that used hostnames:

[addresses xxx'd here for privacy]

    <Limit GET>
    order allow,deny
    deny from 165.xx.xx
    deny from xxx.virtualwebsites.com
    deny from xxx.att.com
    deny from xxx.att.com
    deny from xxx.att.com
    deny from xxx.nj.dial-access.att.net
    deny from 208.xxx.xxx.xxx.flyswat.com
    allow from all
    </Limit>

This forces Apache to look up the hostnames, so it knows where to deny from. Since they are already looked up, they are put into the log. So, when logparse runs, it takes the hostname, thinks it's an IP address, and tries to reverse it - with unpredictable results.

You will need to put only IP addresses in your .htaccess file. We tried commenting out the entries with hostnames and then only IPs were logged - which would be correctly parsed by logip.

I hope this clarifies things a bit more for you. If you wish to find some more information about Apache configurations, please take a look at http://home.verio.net/support/hosting/htaccess.cfm. There are also some links there for more detailed information about Apache modifications.

If you have any other questions, please feel free to contact us.

Have a good day.

Sincerely,
David K.
Tech Support
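The failure mode Verio describes has two halves: hostname arguments to 'deny from' silently force Apache to resolve every client, and a downstream log parser that assumes the client field is numeric then "reverses" a hostname. The following Python is an added example (not code from the post, from Verio, or from Apache's logparse/logip) that checks both: it audits an .htaccess for hostname-based deny entries and classifies the client field of each access_log line so that only genuine addresses are ever handed to a reverse lookup. The .htaccess text and log lines are constructed samples with placeholder hosts.

```python
import ipaddress
import re

# Constructed sample .htaccess, modelled on the one quoted in the support reply
# (placeholder addresses and hostnames, not real hosts).
HTACCESS_SAMPLE = """\
<Limit GET>
order allow,deny
deny from 165.0.0
deny from host1.example.net
deny from 203.0.113.7
allow from all
</Limit>
"""

# Constructed sample access_log lines: with a hostname-based 'deny from' in force,
# Apache writes the resolved hostname where a parser expects a numeric address.
LOG_SAMPLE = """\
198.51.100.23 - - [12/May/2000:07:41:55 -0400] "GET /index.html HTTP/1.0" 200 2048
dialup-7.example.net - - [12/May/2000:07:42:10 -0400] "GET /cryptome.htm HTTP/1.0" 200 512
165.0.0.9 - - [12/May/2000:07:42:11 -0400] "GET /index.html HTTP/1.0" 403 210
"""

DENY_RE = re.compile(r"^\s*deny\s+from\s+(\S+)\s*$", re.IGNORECASE)

def is_ip_or_prefix(value):
    """True for a full IPv4/IPv6 address or a partial dotted prefix like 165.0.0
    (Apache accepts such prefixes in 'deny from'); False for anything else."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    parts = value.split(".")
    return 1 <= len(parts) <= 4 and all(p.isdigit() and int(p) < 256 for p in parts)

def hostname_denies(htaccess_text):
    """Return the 'deny from' arguments that are hostnames, i.e. the entries that
    make Apache resolve client addresses even with HostnameLookups off."""
    found = []
    for line in htaccess_text.splitlines():
        m = DENY_RE.match(line)
        if m and m.group(1).lower() != "all" and not is_ip_or_prefix(m.group(1)):
            found.append(m.group(1))
    return found

def classify_log_clients(log_text):
    """Return (client_field, kind) per line; only 'ip' entries are safe to
    reverse-resolve, 'hostname' entries must be kept verbatim."""
    out = []
    for line in log_text.splitlines():
        client = line.split(" ", 1)[0]
        out.append((client, "ip" if is_ip_or_prefix(client) else "hostname"))
    return out
```

A parser written this way keeps the hostname Apache logged instead of mangling it, which is the only recoverable identity for such lines once the numeric address was never written.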