Access log?

On Fri, 29 Aug 2003 11:57:10 -0700 in
<message-id:3F4FA206.70505@testedgeinc.com>
Gary Armstrong <garyarm DeleteThis @testedgeinc.com> wrote:

 > Sorry if this is the wrong group, but it appears the most appropriate.
 >
 > I've noticed a couple of entries in my access log that look like this:
 > 61.144.100.66 - - [31/Jul/2003:13:51:43 -0700] "GET
 > <a style='text-decoration: underline;' href="http://www.alltheweb.com/" target="_blank">http://www.alltheweb.com/</a> HTTP/1.1" 200 294
 >
 >
 > 61.144.100.66 doesn't resolve and I'm not alltheweb.com
 >
 >
 > Am I being abused?
 > What's the most appropriate doc?
 >
 > TIA
 > Gary
 >


The 'all the web' part you're seeing is just a referrer.



Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
<a style='text-decoration: underline;' href="http://www.digiserv.net" target="_blank">www.digiserv.net</a> | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Access log? 

On Fri, 29 Aug 2003 19:12:48 GMT in
<message-id:20030829201307.27150f91.ian@WINDOZEdigiserv.net>
"Ian.H [dS]" <ian DeleteThis @WINDOZEdigiserv.net> wrote:

 > On Fri, 29 Aug 2003 11:57:10 -0700 in
 > <message-id:3F4FA206.70505@testedgeinc.com>
 > Gary Armstrong <garyarm DeleteThis @testedgeinc.com> wrote:
 >
  > > Sorry if this is the wrong group, but it appears the most
  > > appropriate.
  > >
  > > I've noticed a couple of entries in my access log that look like
  > > this: 61.144.100.66 - - [31/Jul/2003:13:51:43 -0700] "GET
  > > <a style='text-decoration: underline;' href="http://www.alltheweb.com/" target="_blank">http://www.alltheweb.com/</a> HTTP/1.1" 200 294
  > >
  > >
  > > 61.144.100.66 doesn't resolve and I'm not alltheweb.com
  > >
  > >
  > > Am I being abused?
  > > What's the most appropriate doc?

 >
 > The 'all the web' part you're seeing is just a referrer.


Oops.. apologies.. misread your snippet.

It's a proxy / relay attempt.



Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
<a style='text-decoration: underline;' href="http://www.digiserv.net" target="_blank">www.digiserv.net</a> | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Access log? 

Gary Armstrong <garyarm.RemoveThis@testedgeinc.com> wrote:
 > I've noticed a couple of entries in my access log that look like this:
 > 61.144.100.66 - - [31/Jul/2003:13:51:43 -0700] "GET
 > <a style='text-decoration: underline;' href="http://www.alltheweb.com/" target="_blank">http://www.alltheweb.com/</a> HTTP/1.1" 200 294

Someone is using your system as an open proxy. Check that he can't
be done and add that IP to your firewall.

Davide<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Access log? 

Davide Bianchi wrote:
 > Gary Armstrong <garyarm DeleteThis @testedgeinc.com> wrote:
 >
  >>I've noticed a couple of entries in my access log that look like this:
  >>61.144.100.66 - - [31/Jul/2003:13:51:43 -0700] "GET
  >>http://www.alltheweb.com/ HTTP/1.1" 200 294
 >
 >
 > Someone is using your system as an open proxy. Check that he can't
 > be done and add that IP to your firewall.
 >
 > Davide

That is what I feared. Looking at httpd.conf, I see:

#ProxyRequests On

This line is commented out and the doc states that, I should uncomment
it too turn on the proxy server. Yet the access log shows the server
returned 200. What Am I missing?

TIA
Gary<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Access log? 

Hmm, in addition to my last email i just tried a block on my friends
ip address ( 81.128.235.54) but it doesnt work, he can still access my
websites without any problem.

Any ideas?




#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/usr/local/apache2/htdocs">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.0/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None

#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
Deny from 81.128.235.54

</Directory>

=======================
 >> Stay informed about: Access log? 

Andy wrote:
 > Hmm, in addition to my last email i just tried a block on my friends
 > ip address ( 81.128.235.54) but it doesnt work, he can still access my
 > websites without any problem.
 >
 > Any ideas?

 > <Directory "/usr/local/apache2/htdocs">
[...]
 > Options Indexes FollowSymLinks
[...]
 > AllowOverride None
[...]
 > Order allow,deny
 > Allow from all
 > Deny from 81.128.235.54
 >
 > </Directory>

you are denying him access to the htdocs directory.
I ran into that problem too ;o)

look for the following entry a few lines above
<Directory "/usr/local/apache2/htdocs">

<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>

and modify it to
<Directory />
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
Deny from 81.128.235.54
</Directory>


your friend will be cast out ;o)


HTH

--
Robi<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Access log? 

"Robi" <r_buecheler.RemoveThis@remove.yahoo.com> wrote in message
news:vkvjqomrdiu58f@corp.supernews.com...
 > Andy wrote:
  > > Hmm, in addition to my last email i just tried a block on my friends
  > > ip address ( 81.128.235.54) but it doesnt work, he can still access my
  > > websites without any problem.
  > >
  > > Any ideas?
 >
  > > <Directory "/usr/local/apache2/htdocs">
 > [...]
  > > Options Indexes FollowSymLinks
 > [...]
  > > AllowOverride None
 > [...]
  > > Order allow,deny
  > > Allow from all
  > > Deny from 81.128.235.54
  > >
  > > </Directory>
 >
 > you are denying him access to the htdocs directory.
 > I ran into that problem too ;o)
 >
 > look for the following entry a few lines above
 > <Directory "/usr/local/apache2/htdocs">
 >
 > <Directory />
 > Options FollowSymLinks
 > AllowOverride None
 > </Directory>
 >
 > and modify it to
 > <Directory />
 > Options FollowSymLinks
 > AllowOverride None
 > Order allow,deny
 > Allow from all
 > Deny from 81.128.235.54
 > </Directory>
 >
 >
 > your friend will be cast out ;o)
 >
 >
 > HTH
 >
 > --
 > Robi



Ah ok, thats where you have to add the ip's for deny. Thanks Robi.
It wasn't clear, i imagine alot of people must make that mistake.
You expect it to go under
# Controls who can get stuff from this server.

Thanks again<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Access log? 

Andy wrote:

 > Ah ok, thats where you have to add the ip's for deny. Thanks Robi.

you're welcome

 > It wasn't clear, i imagine alot of people must make that mistake.

everybody learns. I did ;o)

 > You expect it to go under
 > # Controls who can get stuff from this server.

And precisely that line made me make the mistake.

A little story of my mistake:
I added a PC address in the LAN to the deny command and always had access.
I also added the hostname to the list and still no beef.
I then started looking more closely what <directory> I das denying access to
and that's when I realized the mistake, so I moved the deny to the root
directory and I had success, the PC was denied access, but now I suddenly
had hostnames in my logs, and I only wanted simple IP addresses in them.
Following the thread "Blocking visitors from a certain country?" I saw the
mentioning of the hostname in djs' post and I realized what was getting my
logs filled with hostnames instead of IP numbers.

So, as I already said, everybody learns .

--
Robi<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Access log? 

Gary Armstrong wrote:
 >
 >
 > Davide Bianchi wrote:
 >
  >> Gary Armstrong <garyarm.RemoveThis@testedgeinc.com> wrote:
  >>
   >>> I've noticed a couple of entries in my access log that look like this:
   >>> 61.144.100.66 - - [31/Jul/2003:13:51:43 -0700] "GET
   >>> <a style='text-decoration: underline;' href="http://www.alltheweb.com/" target="_blank">http://www.alltheweb.com/</a> HTTP/1.1" 200 294
  >>
  >>
  >>
  >> Someone is using your system as an open proxy. Check that he can't
  >> be done and add that IP to your firewall.
  >>
  >> Davide
 >
 >
 > That is what I feared. Looking at httpd.conf, I see:
 >
 > #ProxyRequests On
 >
 > This line is commented out and the doc states that, I should uncomment
 > it too turn on the proxy server. Yet the access log shows the server
 > returned 200. What Am I missing?
 >

Ah well, it means they can still TRY to use ite as an open proxy, but it doesn't mean they succeed with it. Someone is probably just scanning a whole lot of ip adresses in order to find someone as stupid as I once was. Trust me, if you have an open proxy, your internet connection will soon be flooded and you WILL notice. If you have only a few of those entries in your log files, don't worry about it.

<rip>
+ <p>If your server is configured properly, then the attempt to
+ proxy through your server will fail. If you see a status
+ code of <code>404</code> (file not found) in the log, then
+ you know that the request failed. If you see a status code
+ of <code>200</code> (success), that does not necessarily mean
+ that the attempt to proxy succeeded. RFC2616 section 5.1.2
+ mandates that Apache must accept requests with absolute URLs
+ in the request-URI, even for non-proxy requests. Since
+ Apache has no way to know all the different names that your
+ server may be known under, it cannot simply reject hostnames
+ it does not recognize. Instead, it will serve requests for
+ unknown sites locally by stripping off the hostname and using
+ the default server or virtual host. Therefore you can
+ compare the size of the file (1456 in the above example) to
+ the size of the corresponding file in your default server.
+ If they are the same, then the proxy attempt failed, since a
+ document from your server was delivered, not a document from
+ <code>www.yahoo.com</code>.</p>
</rip>


i.e. instead of serving <a style='text-decoration: underline;' href="http://www.alltheweb.com/" target="_blank">http://www.alltheweb.com/</a> through a proxy, apache served <a style='text-decoration: underline;' href="http://www.yourdomain.com/" target="_blank">http://www.yourdomain.com/</a> with status 400.

Michiel.<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Access log? 

Michiel wrote:
 > Gary Armstrong wrote:
   > >>> I've noticed a couple of entries in my access log that look like this:
   > >>> 61.144.100.66 - - [31/Jul/2003:13:51:43 -0700] "GET
   > >>> <a style='text-decoration: underline;' href="http://www.alltheweb.com/" target="_blank">http://www.alltheweb.com/</a> HTTP/1.1" 200 294
^^^
[...]
 > instead of serving <a style='text-decoration: underline;' href="http://www.alltheweb.com/" target="_blank">http://www.alltheweb.com/</a> through a proxy, apache served
 > <a style='text-decoration: underline;' href="http://www.yourdomain.com/" target="_blank">http://www.yourdomain.com/</a> with status 400.
^^^
make this a 200 ;o)

--
Robi<!-- ~MESSAGE_AFTER~ -->
 >> Stay informed about: Access log?