Re: Apache log - what is this?

2002-12-30 Thread Stephen Gran
This one time, at band camp, Will Aoki said:
> On Mon, Dec 30, 2002 at 02:20:25PM -0500, Stephen Gran wrote:
> > Hello all,
> > 
> > I'm seeing the following in my logs (fairly frequently):
> > 
> > 66.140.25.156 - - [30/Dec/2002:13:31:21 -0500] "CONNECT 213.92.8.4:6667 
> > HTTP/1.0" 405 303 "-" "-"
> > 66.140.25.156 - - [30/Dec/2002:13:31:21 -0500] "POST 
> > http://213.92.8.4:6667/ HTTP/1.0" 405 300 "-" "-"
> > 
> > (Sorry about the bad wrap)
 
> http://freenode.net/policy.shtml indicates that they automatically check
> machines that connect to their network to see if they're running open
> proxies.
> 
> You aren't, perchance, IRCing from the machine you're seeing these log
> entries on? It might be an automated test to keep people from connecting
> through open proxies.

I am in fact IRCing from a laptop being NATed through that box.  That would
explain it - thanks a lot!  Sets my mind at ease.

-- 
 --
|  Stephen Gran  | We wish you a Hare Krishna We wish you  |
|  [EMAIL PROTECTED] | a Hare Krishna We wish you a Hare   |
|  http://www.lobefin.net/~steve | Krishna And a Sun Myung Moon!   --  |
|| Maxwell Smart   |
 --




Re: Apache log - what is this?

2002-12-30 Thread Will Aoki
On Mon, Dec 30, 2002 at 02:20:25PM -0500, Stephen Gran wrote:
> Hello all,
> 
> I'm seeing the following in my logs (fairly frequently):
> 
> 66.140.25.156 - - [30/Dec/2002:13:31:21 -0500] "CONNECT 213.92.8.4:6667 
> HTTP/1.0" 405 303 "-" "-"
> 66.140.25.156 - - [30/Dec/2002:13:31:21 -0500] "POST http://213.92.8.4:6667/ 
> HTTP/1.0" 405 300 "-" "-"
> 
> (Sorry about the bad wrap)
> 
> What I think this means is that somebody's trying to relay through my
> Apache-running server, but is getting 405'd (not available? denied? not
> sure), but I wanted to check, because I'm still fairly new to Apache.
> 
> Is this the case, or am I accidentally running a relaying server?

66.140.25.156 is trying to proxy through your server in order to use
IRC. Your server is rejecting the attempt. (405 means 'method not
allowed'.)

A bit of digging shows some interesting information:

66.140.25.156 resolves to stephenson.freenode.net, which resolves to the
same IP.

Some poking around http://freenode.net/ indicates it's an IRC network.
http://freenode.net/irc_servers.shtml lists a bunch of IRC servers, one
of which is calvino.freenode.net.

213.92.8.4, the IP 66.140.25.156 was trying to proxy through you to,
resolves to calvino.freenode.net which resolves back to the same IP.

http://freenode.net/policy.shtml indicates that they automatically check
machines that connect to their network to see if they're running open
proxies.


You aren't, perchance, IRCing from the machine you're seeing these log
entries on? It might be an automated test to keep people from connecting
through open proxies.

-- 
William Aoki [EMAIL PROTECTED]   /"\  ASCII Ribbon Campaign
B1FB C169 C7A6 238B 280B  <- key change\ /  No HTML in mail or news!
99AF A093 29AE 0AE1 9734   prev. expiredX
   / \
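
The triage described in this reply (proxy-style request, then status code), as an added example that is not part of the original thread: it flags CONNECT requests and absolute-URI requests for a foreign host in an Apache access log and separates refused attempts from ones the server answered with 2xx. The function names, the www.example.org server name and the last three sample lines are constructed for illustration; the first two lines are the entries from the thread with the wrap undone.

```python
import re

# Apache common/combined format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')
ABS_URI_RE = re.compile(r'^[a-z][a-z0-9+.-]*://(?P<host>\[[^\]]+\]|[^/:?#]+)', re.I)

def classify(line, local_names):
    """Return None for ordinary requests, else a dict describing a proxy-style one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]      # authority form: host:port
    else:
        u = ABS_URI_RE.match(target)
        if not u:
            return None                      # origin form ("/path"): normal request
        host = u["host"]
    if host.lower() in local_names:
        return None                          # absolute URI naming this server itself
    # 4xx/5xx: the attempt was refused. 2xx: the server answered instead of
    # refusing, so check whether it relayed or only served local content.
    verdict = "accepted" if 200 <= status < 300 else "rejected"
    return {"client": m["client"], "method": method, "dest": target,
            "status": status, "verdict": verdict}

def scan(lines, local_names=frozenset()):
    """Classify every line and keep only the proxy-style requests."""
    return [r for r in (classify(l, local_names) for l in lines) if r]

SAMPLE_LOG = [
    # the two entries quoted in the thread, unwrapped
    '66.140.25.156 - - [30/Dec/2002:13:31:21 -0500] "CONNECT 213.92.8.4:6667 HTTP/1.0" 405 303 "-" "-"',
    '66.140.25.156 - - [30/Dec/2002:13:31:21 -0500] "POST http://213.92.8.4:6667/ HTTP/1.0" 405 300 "-" "-"',
    # constructed lines (documentation address ranges)
    '192.0.2.10 - - [30/Dec/2002:13:40:02 -0500] "GET /index.html HTTP/1.0" 200 1043 "-" "-"',
    '192.0.2.10 - - [30/Dec/2002:13:40:05 -0500] "GET http://www.example.org/ HTTP/1.0" 200 1043 "-" "-"',
    '198.51.100.7 - - [30/Dec/2002:13:41:10 -0500] "CONNECT 203.0.113.5:6667 HTTP/1.0" 200 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, {"www.example.org"}):
        print(hit)
```
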



Apache log - what is this?

2002-12-30 Thread Stephen Gran
Hello all,

I'm seeing the following in my logs (fairly frequently):

66.140.25.156 - - [30/Dec/2002:13:31:21 -0500] "CONNECT 213.92.8.4:6667 
HTTP/1.0" 405 303 "-" "-"
66.140.25.156 - - [30/Dec/2002:13:31:21 -0500] "POST http://213.92.8.4:6667/ 
HTTP/1.0" 405 300 "-" "-"

(Sorry about the bad wrap)

What I think this means is that somebody's trying to relay through my
Apache-running server, but is getting 405'd (not available? denied? not
sure), but I wanted to check, because I'm still fairly new to Apache.

Is this the case, or am I accidentally running a relaying server?

TIA,
-- 
 --
|  Stephen Gran  | A woman should have compassion.   --|
|  [EMAIL PROTECTED] | Kirk, "Catspaw", stardate 3018.2|
|  http://www.lobefin.net/~steve | |
 --





Re: Updating Snort Signatures In Stable ? -- SNORT 1.9.0 for woody

2002-12-30 Thread Marcus Frings
* Sébastien Desse <[EMAIL PROTECTED]> wrote:

> I saw a lot of discussion about snort 1.9 on woody.
> I just want to tell that we do need the 1.9 !
> why don't we use another directory (like contrib) where we can put
> unstable software built for the stable distribution ?

I would appreciate this, too. :-)

> For those who are interested in snort 1.9 without using unstable and without
> last glibc and uploaded it to a website : http://acdessec.chez.tiscali.fr/

Another source for a current Woody-snort is (as posted to this list here
lately):
http://debian.fluidsignal.com/dists/woody/updates/main/binary-i386/

Regards,
Marcus
-- 
I think I've reached that point where all the things you have to say and hopes
for something more from me are just games to pass the time away. Please stop
loving me, please stop loving me, I am none of these things...




RE: Updating Snort Signatures In Stable ? -- SNORT 1.9.0 for woody

2002-12-30 Thread Sébastien Desse
Hello,

I saw a lot of discussion about snort 1.9 on woody.
I just want to tell that we do need the 1.9 !
why don't we use another directory (like contrib) where we can put
unstable software built for the stable distribution ?

For those who are interested in snort 1.9 without using unstable and without
last glibc and uploaded it to a website : http://acdessec.chez.tiscali.fr/

Please email me if you find bugs in these packages.

Regards,

Sebastien Desse

> -----Original Message-----
> From: Gustavo Franco [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday 11 December 2002 12:57
> To: debian-security@lists.debian.org
> Subject: Re: Updating Snort Signatures In Stable ?
>
>
> On Tue, 2002-12-10 at 16:52, Matt Zimmerman wrote:
> > On Tue, Dec 10, 2002 at 04:36:08PM -0200, Gustavo Franco wrote:
> >
> > > No, you can't rebuild snort version from unstable.
> >
> > Who can't?  You can't?  I just did, and it was not only
> > possible, but easy.
> Nick Boyce!
>
> > apt-get build-dep snort && apt-get source -b snort
> >
> > > And the snort updates?
> >
> > Yes, they are built from the same source package.
> Will Nick do it daily, weekly or monthly? See below.
>
> > > The best alternative for you is apt-pinning feature, you can read more
> > > about it at apt-howto[1].
> >
> > Nope.  I know how to use apt, thank you very much.  And I prefer not to
> > install unstable glibc on my stable systems.
> It isn't for you!
>
> Unstable glibc is a bad idea, I know. But what about unstable snort? One
> more time, and the snort updates?
>
>
> bye,
> Gustavo Franco -- <[EMAIL PROTECTED]>




Re: Bind9 stopped after 34 days of uptime

2002-12-30 Thread InfoEmergencias - Luis Gomez
On Mon 30 Dec 2002 08:16, Berend De Schouwer wrote:
> I've made the mistake of running bind with debugging (to find one bug), and
> have bind create a 2GB /var/named/named.run file.  Bind crashed because
> that file was too big.  Doh!  If your Bind crashes regularly after X days,
> see if it's creating its own (non-syslog) log file.  Effects are similar to
> a memory leak.

It's not, but thanks anyway!

Since I restarted the service on the night of the 24th, it's been running 
normally. Maybe I'll wait another 34 days (until January the 28th or so) and 
see what happens.

Thank you!

Pope

-- 
Luis Gomez Miralles
InfoEmergencias - Technical Department
Phone (+34) 654 24 01 34
Fax (+34) 963 49 31 80
[EMAIL PROTECTED]

PGP Public Key available at http://www.infoemergencias.com/lgomez.asc



Re: Bind9 stopped after 34 days of uptime

2002-12-30 Thread Berend De Schouwer
On Wednesday, 25 December 2002 21:54, Richard wrote:
> On Wed, 25 Dec 2002, J.Reilink wrote:
> > I've had exactly the same on our corporate primary nameserver (Slackware
> > with bind 9.2.1), because there was no logging I couldn't find out why
> > bind stopped working.
>
> Take a look at memory usage when Bind stops working and monitor for some
> time how much memory Bind is using. If that amount is growing, Bind
> probably got a memory leak. ( isn't the first time :( )

I've made the mistake of running bind with debugging (to find one bug), and 
have bind create a 2GB /var/named/named.run file.  Bind crashed because that 
file was too big.  Doh!  If your Bind crashes regularly after X days, see if 
it's creating its own (non-syslog) log file.  Effects are similar to a memory 
leak.

> Greetings,
>
> Richard.
>
> 
> Paul Vixie in an interview with Sendmail.net:
>
> Now that the Internet has the full spectrum of humanity as users,
> the technology is showing its weakness: it was designed to be
> used by friendly, smart people. Spammers, as an example of a class,
> are neither friendly nor smart.

-- 
Berend De Schouwer