Why many ::1 in access_log

chronic

Verified User
Joined
Dec 14, 2006
Messages
96
Can someone help me understand why the access_log file is always full of these lines? Should I be worried?

Thanks in advance

::1 - - [19/Feb/2014:22:37:51 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:22:39:03 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:22:47:17 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:22:47:18 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:22:47:19 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:22:48:21 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:22:48:23 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:22:51:08 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:22:51:09 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:22:51:10 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:22:57:55 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:22:58:45 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:22:58:46 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:01:05 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:01:07 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:01:08 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:06:08 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:06:09 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:06:10 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:06:13 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:08:33 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:08:40 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:08:59 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:09:00 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:09:01 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:21:36 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:21:47 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:21:48 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:21:50 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:22:00 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:23:56 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:28:19 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:28:20 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:28:21 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:38:17 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:04 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:05 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:06 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:07 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:08 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:09 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:10 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:11 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:12 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:13 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:14 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:15 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:16 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:17 +0100] "OPTIONS * HTTP/1.0" 200 105
::1 - - [19/Feb/2014:23:41:18 +0100] "OPTIONS * HTTP/1.0" 200 105
 
If I recall correctly, ::1 is IPv6 for localhost. Put it into your /etc/hosts file and it should show up as localhost in your logs.

Jeff
 
Should I be worried?

Probably no, as it does not seem to be threatening. Who knows? That depends. If you want to know all the details, you'd better start searching who or what is trying your server from inside.
 
If I recall correctly, ::1 is IPv6 for localhost. Put it into your /etc/hosts file and it should show up as localhost in your logs.

Jeff

Thanks Jeff, i checked the file and it seems all right.

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

Probably no, as it does not seem to be threatening. Who knows? That depends. If you want to know all the details, you'd better start searching who or what is trying your server from inside.

Alex where I can start looking to see? Do you have any suggestions?
I do not use any ipv6 address on my server, you say that it is the case that I disable the support for ipv6 on the server or in any case this is an unnecessary?

Sorry for all these questions but I'm not prepared for this type of problem and do not know where to start ...
 
Not too sure, sorry, where you could start from. Probably "ps aux" or "top" output, or logs. You might want to compare time of requests with other requests in apache, system logs. The requests does not seem to be made by cron, as the number of them within one minute and time is not logical. Probably you have a nginx frontend? Or any monitoring software running on your server?

The requests I guess might be ignored unless they make higher load on your server.
 
No Alex, i don't have nginx frontend and no monitoring software installed on server. I've tried with "ps aux" and "top" but i didn't find nothing relevant

I looked to other my 3 servers and i've the same situation in access_log.

Yesterday i've try to disable ipv6 on server and now i've the same situation but with ipv4 localhost:

127.0.0.1 - - [21/Feb/2014:15:50:46 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:51:11 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:51:12 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:51:15 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:51:16 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:51:28 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:54:14 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:54:31 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:54:48 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:54:49 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:55:43 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:55:45 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:56:37 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:56:38 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:56:39 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:56:44 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:56:45 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:56:57 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:56:58 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:57:04 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:57:05 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:57:08 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:57:09 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:58:01 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:58:02 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:58:21 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:58:23 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:58:24 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:58:40 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:58:41 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:58:42 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:58:43 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:58:44 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:58:45 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:58:46 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:59:16 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:59:17 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:59:19 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:15:59:34 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:16:00:05 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:16:00:19 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:16:00:31 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:16:00:32 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:16:00:39 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:16:00:40 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:16:00:41 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:16:00:46 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:16:00:47 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:16:00:48 +0100] "OPTIONS * HTTP/1.0" 200 105
127.0.0.1 - - [21/Feb/2014:16:01:10 +0100] "OPTIONS * HTTP/1.0" 200 105

I've looked the server-status and i've similar situation

14-0 - 0/0/279 . 1.83 332 0 0.0 0.00 3.09 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
15-0 - 0/0/282 . 0.00 413 0 0.0 0.00 2.11 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
16-0 - 0/0/339 . 1.92 406 0 0.0 0.00 4.21 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
17-0 - 0/0/29 . 2.54 274 0 0.0 0.00 0.19 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
18-0 - 0/0/102 . 3.20 2152 0 0.0 0.00 0.89 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
19-0 - 0/0/138 . 5.74 1572 0 0.0 0.00 1.73 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
20-0 - 0/0/7 . 0.00 3208 0 0.0 0.00 0.01 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
21-0 - 0/0/66 . 0.67 2869 0 0.0 0.00 0.47 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
22-0 - 0/0/23 . 0.00 3205 0 0.0 0.00 0.06 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
23-0 - 0/0/25 . 0.09 3156 0 0.0 0.00 0.10 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
24-0 - 0/0/7 . 0.00 3210 0 0.0 0.00 0.01 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
25-0 - 0/0/1 . 0.00 6485 0 0.0 0.00 0.00 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
26-0 - 0/0/1 . 0.00 6483 0 0.0 0.00 0.00 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0
27-0 - 0/0/8 . 0.03 6398 0 0.0 0.00 0.10 127.0.0.1 server.myserver.com:80 OPTIONS * HTTP/1.0

Probably as you say it is nothing serious and actually do not have a high load on the server, but since about a month I have hundreds of bruteforce attacks every day, I had the suspicion that somehow things might be connected.

In any case you have any other suggestion to investigate?

Thanks
 
That might be the reason:

InternalDummyConnection - Requests From the Server to Itself

When the Apache HTTP Server manages its child processes, it needs a way to wake up processes that are listening for new connections. To do this, it sends a simple HTTP request back to itself. This request will appear in the access_log file with the remote address set to the loop-back interface (typically 127.0.0.1 or ::1 if IPv6 is configured).

If you log the User-Agent string (as in the combined log format), you will see the server signature followed by "(internal dummy connection)" on non-SSL servers. During certain periods you may see up to one such request for each httpd child process.

These requests are perfectly normal and you do not, in general, need to worry about them. They can simply be ignored.

http://wiki.apache.org/httpd/InternalDummyConnection

And according to apache configuration, no User-Agent is logged into the access_log:

Code:
# grep common /etc/httpd/conf/httpd.conf
      LogFormat "%h %l %u %t \"%r\" %>s %O" common
    CustomLog /var/log/httpd/access_log common
 
Ok then I consider the mystery solved. Thank you so much for your suggestions and your help Alex.
 
Back
Top