What is happening here?

Aziz

I am having a problem: starting a week ago, I began getting too many HTTPD requests.

When checking the access logs (attached) it seems someone is trying to attack my server, uselessly, using awstats and other things I don't have on the server.

Now I can't block the IP because it keeps on changing every hour or so.

I also tried to create a cron job every 5 minutes to restart httpd (as seen in some other topics), but that would sometimes crash httpd with this message, after which I have to restart the server:

Code:
Starting httpd: [Sat Jan 21 16:52:00 2006] [warn] NameVirtualHost 207.234.212.219:80 has no VirtualHosts
[Sat Jan 21 16:52:00 2006] [warn] NameVirtualHost 207.234.212.219:443 has no VirtualHosts
[Sat Jan 21 16:52:00 2006] [warn] NameVirtualHost 207.234.212.218:80 has no VirtualHosts
[Sat Jan 21 16:52:00 2006] [warn] NameVirtualHost 207.234.212.218:443 has no VirtualHosts
[Sat Jan 21 16:52:00 2006] [warn] NameVirtualHost 207.234.212.221:80 has no VirtualHosts
[Sat Jan 21 16:52:00 2006] [warn] NameVirtualHost 207.234.212.221:443 has no VirtualHosts
[Sat Jan 21 16:52:00 2006] [warn] NameVirtualHost 207.234.212.220:80 has no VirtualHosts
[Sat Jan 21 16:52:00 2006] [warn] NameVirtualHost 207.234.212.220:443 has no VirtualHosts
[Sat Jan 21 16:52:00 2006] [warn] NameVirtualHost 207.234.212.222:80 has no VirtualHosts
[Sat Jan 21 16:52:00 2006] [warn] NameVirtualHost 207.234.212.222:443 has no VirtualHosts
[FAILED]

The above messages also come up when the start is successful (something is messy with the nameservers, but that shouldn't be a problem, it never was).

Any ideas on how I can stop this person from bothering the server?

Thanks,
Aziz
 


I've not taken the time to study your access log; I'm taking you at your word.

If the IP# changes every hour or so, then certainly there are enough hits from the same IP# for a brute-force detection system to help you.

If you're using linux, then I suggest you look at APF (search the forum for the APF firewall) with BFD (Advanced Policy Firewall for Brute Force Detection).

If you're using FreeBSD you'll need to find another solution, using the same concept.

Jeff
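A small log-scoring script in the spirit of Jeff's advice, added here as an example and not code from the thread or from APF/BFD: it parses Apache access-log lines, counts per-IP requests for awstats paths (which the poster says are not installed on the server) and 404s, and flags an address once a threshold is reached, the same hits-from-one-address signal a brute-force detector keys on before the address rotates. The sample log lines are constructed and the thresholds are assumed.

```python
import re
from collections import defaultdict

# Apache common/combined log line, e.g.
# 198.51.100.7 - - [21/Jan/2006:16:52:00 +0000] "GET /awstats/awstats.pl HTTP/1.0" 404 298
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Paths for software the poster says is absent; any request for them is a probe.
PROBE_PREFIXES = ("/awstats", "/cgi-bin/awstats")


def parse_line(line):
    """Return (ip, path, status) or None if the line is not an Apache log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def score_ips(lines, probe_threshold=3, notfound_threshold=10):
    """Per client IP: total hits, 404s, probes for absent software, and a flag.

    The thresholds are assumed values; "flag" becomes True once either the
    probe count or the 404 count from one address reaches its threshold.
    """
    stats = defaultdict(lambda: {"hits": 0, "notfound": 0, "probes": 0, "flag": False})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # skip malformed or non-log lines instead of crashing
            continue
        ip, path, status = parsed
        s = stats[ip]
        s["hits"] += 1
        if status == 404:
            s["notfound"] += 1
        if path.lower().startswith(PROBE_PREFIXES):
            s["probes"] += 1
        s["flag"] = s["probes"] >= probe_threshold or s["notfound"] >= notfound_threshold
    return dict(stats)


# Constructed sample lines (not taken from the poster's attachment).
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Jan/2006:16:52:00 +0000] "GET /awstats/awstats.pl HTTP/1.0" 404 298',
    '198.51.100.7 - - [21/Jan/2006:16:52:01 +0000] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 404 298',
    '198.51.100.7 - - [21/Jan/2006:16:52:02 +0000] "GET /awstats/ HTTP/1.0" 404 298',
    '203.0.113.5 - - [21/Jan/2006:16:53:10 +0000] "GET / HTTP/1.1" 200 1043',
    'garbage line that is not a log entry',
]

if __name__ == "__main__":
    for ip, s in score_ips(SAMPLE_LOG).items():
        print(ip, s)
```

Feeding the real access log through `score_ips` and feeding the flagged addresses to the firewall's deny list is the manual version of what the APF/BFD pairing automates.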
 
jlasman said:
I've not taken the time to study your access log; I'm taking you at your word.

If the IP# changes every hour or so, then certainly there are enough hits from the same IP# for a brute-force detection system to help you.

If you're using linux, then I suggest you look at APF (search the forum for the APF firewall) with BFD (Advanced Policy Firewall for Brute Force Detection).

If you're using FreeBSD you'll need to find another solution, using the same concept.

Jeff

As always a good helping hand. Thank you.

I have installed the firewall, seems to be doing a great job.

Somehow I commented out the firewall cron job (thinking I was commenting out the httpd restart command), and then the server went unresponsive after a while.

Fixed it now and it seems to be doing just great. I did not install the brute force thing, as I don't think the person wanted to get the passwords but rather to bring the server down.

Thanks again,

Peace,
 
Where are the access logs on a linux server that contain the log data that I see in the txt file above? I don't see this type of info in the logs I view, so perhaps there is a log file I don't know about.

My server is CentOS, DA. Anyone that can help point out where this file is, I would appreciate it. Thanks.
 
tony1234 said:
Where are the access logs on a linux server that contain the log data that I see in the txt file above? I don't see this type of info in the logs I view, so perhaps there is a log file I don't know about.

My server is CentOS, DA. Anyone that can help point out where this file is, I would appreciate it. Thanks.

I guess if you search the documentation for CentOS you will find the location of your logs: access, error, etc.

or just search the computer for access

Peace,
 
I found the logs that contain this data. Just a few different locations for main versus domains, and surprised how clean my access logs are. (mod_security is great) Thanks.
 