It is mind numbing to scan logs like httpd logs and see the crap your web
server is hammered with constantly.  I have been meaning to do some
traffic analysis on all httpd traffic to mine to get an idea of how much
bandwidth (not to mention CPU resources) is being taken up by this
garbage.  This has jogged me to get back to looking at fail2ban too.  

 

I meant to ask if you guys at Watkins were heavily affected by flooding.
I thought about you guys when I heard Metro Center had been affected.

 

From: nlug-talk@googlegroups.com [mailto:nlug-t...@googlegroups.com] On
Behalf Of Chris McQuistion
Sent: Friday, May 07, 2010 3:07 PM
To: nlug-talk@googlegroups.com
Subject: Re: [nlug] Anyone know what these httpd log messages might mean?

 

That's a good point about fail2ban. We actually use that on one of our
other servers.  I've asked Curt to look into installing it on this server,
as well.  It might not fix this issue, but it certainly wouldn't be a bad
idea to run on this web server.

 

Chris

 

On Fri, May 7, 2010 at 2:01 PM, Mark J. Bailey <m...@jobsoft.com> wrote:

I don't know about this particular type of request, but fail2ban
(http://www.fail2ban.org/wiki/index.php/Main_Page) does some apache log
scanning and will block IPs under certain criteria to limit attempts like
this.  I don't use it here but a customer in east Tennessee does and has
been pleased with it.  I have been considering it myself but just have not
had time yet to really dig on it.

 

From: nlug-talk@googlegroups.com [mailto:nlug-t...@googlegroups.com] On
Behalf Of Chris McQuistion
Sent: Friday, May 07, 2010 1:31 PM
To: nlug-talk
Subject: [nlug] Anyone know what these httpd log messages might mean?

 

I've been getting the following messages in my Logwatch emails for a few
weeks, now.

 

These started after I took this RHEL 4 server and did a physical to
virtual migration over to VMware.  I then upgraded it to CentOS 4, since
the RHEL subscription ran out.

 

This server primarily runs as a web server, using Coldfusion to tap into
an Oracle database to display data on the web pages.  The system seems to
be working.  I just get a VERY long Logwatch email every day with these
errors.  I'm including just a short bit, below.

 

From what I've been able to discern, these "200" responses may just be "OK
messages" to indicate that responses were received.  If things are OK,
then why is it included in Logwatch (which usually just alerts you when
something has gone wrong?)


Chris

 

 

--------------------- httpd Begin ------------------------


A total of 156 unidentified 'other' records logged
 GET /empower/fusebox.cfm?fuseaction=WEBSRQ02Image&id=%27%28%20%3F%5EZ%28%2DN%2BP%20%20%0A HTTP/1.1 with response code(s) 200 1 responses
 GET /empower/fusebox.cfm?fuseaction=WEBSRQ02Image&id=%27%28%20%3F%5EYH1G%290%20%20%0A HTTP/1.1 with response code(s) 200 2 responses
 GET /empower/fusebox.cfm?fuseaction=WEBSRQ02Image&id=%27%28%20%3F%5E%5B%28%29N%28P%20%20%0A HTTP/1.1 with response code(s) 200 3 responses
 POST /empower/fusebox.cfm?fuseaction=ECSSRG90 HTTP/1.1 with response code(s) 200 1 responses
 GET /empower/logout.cfm HTTP/1.1 with response code(s) 200 7 responses
 GET /empower/fusebox.cfm?fuseaction=WEBCOQ03&last_page= HTTP/1.1 with response code(s) 200 4 responses
 GET /empower/fusebox.cfm?fuseaction=WEBSRQ02Image&id=%27%28%20%3F%5B%5B81N%28P%20%20%0A HTTP/1.1 with response code(s) 200 1 responses
 GET /empower/fusebox.cfm?fuseaction=WEBSRQ02Image&id=%27%28%20%3FZZX%29H%2BP%20%20%0A HTTP/1.1 with response code(s) 200 2 responses
 GET /empower/fusebox.cfm?fuseaction=WEBSRQ02Image&id=%27%28%20%3F%5B%5BXIF%290%20%20%0A HTTP/1.1 with response code(s) 200 2 responses
 GET /empower/fusebox.cfm?fuseaction=WEBSRQ02Image&id=%27%28%20%3FZ%5B8%25G%29%40%20%20%0A HTTP/1.1 with response code(s) 200 1 responses
 GET /empower/fusebox.cfm?fuseaction=WEBSRQ02Image&id=%27%28%20%3F%5FYHIM%29%40%20%20%0A HTTP/1.1 with response code(s) 200 2 responses

-- 

You received this message because you are subscribed to the Google Groups
"NLUG" group.
To post to this group, send email to nlug-talk@googlegroups.com
To unsubscribe from this group, send email to
nlug-talk+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/nlug-talk?hl=en
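
Added example, not part of the original thread or of Logwatch itself: a small Python script that parses entries in the "unidentified 'other' records" format quoted above, URL-decodes each query parameter, and flags values containing quote or control characters. The sample entries are copied from the excerpt with the mail wrapping undone; the function names are made up for this illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Three entries from the Logwatch excerpt in this thread, with the mail
# client's line wrapping undone.
SAMPLE = """\
 GET /empower/fusebox.cfm?fuseaction=WEBSRQ02Image&id=%27%28%20%3F%5EZ%28%2DN%2BP%20%20%0A HTTP/1.1 with response code(s) 200 1 responses
 POST /empower/fusebox.cfm?fuseaction=ECSSRG90 HTTP/1.1 with response code(s) 200 1 responses
 GET /empower/logout.cfm HTTP/1.1 with response code(s) 200 7 responses
"""

# One Logwatch "other records" entry: method, request target, status, hit count.
ENTRY = re.compile(
    r"^\s*(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d"
    r" with response code\(s\) (?P<code>\d{3}) (?P<hits>\d+) responses\s*$"
)

def odd_chars(value):
    """Quotes and ASCII control characters found in a decoded value."""
    return sorted({c for c in value if c in "'\"`" or ord(c) < 0x20 or ord(c) == 0x7F})

def analyse(report):
    """Decode each entry's query string and flag parameters with odd characters."""
    results = []
    for line in report.splitlines():
        m = ENTRY.match(line)
        if m is None:
            continue  # headers, blank lines, anything that is not an entry
        params = dict(parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True))
        flagged = {k: odd_chars(v) for k, v in params.items() if odd_chars(v)}
        results.append({
            "method": m["method"],
            "path": urlsplit(m["target"]).path,
            "code": int(m["code"]),
            "hits": int(m["hits"]),
            "params": params,
            "flagged": flagged,
        })
    return results

if __name__ == "__main__":
    for r in analyse(SAMPLE):
        mark = "FLAG" if r["flagged"] else "ok  "
        print(mark, r["method"], r["path"], r["code"], f'x{r["hits"]}', r["params"], r["flagged"])
```

For the first entry the decoded `id` begins with a single quote and ends with a newline, which is what gets it flagged; the POST and logout entries decode cleanly.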
