From owner-freebsd-questions@FreeBSD.ORG Thu Nov 17 18:02:19 2005
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6496E16A41F for ; Thu, 17 Nov 2005 18:02:19 +0000 (GMT) (envelope-from smithi@nimnet.asn.au)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8E88F43D45 for ; Thu, 17 Nov 2005 18:02:16 +0000 (GMT) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.4) with SMTP id FAA23308; Fri, 18 Nov 2005 05:01:50 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Fri, 18 Nov 2005 05:01:49 +1100 (EST)
From: Ian Smith
To: dick hoogendijk
In-Reply-To: <20051117001957.AF03516A429@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-questions@freebsd.org
Subject: strange msg lines..
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Thu, 17 Nov 2005 18:02:19 -0000

Re: freebsd-questions Digest, Vol 113, Issue 12

> Message: 28
> Date: Wed, 16 Nov 2005 23:56:06 +0100
> From: dick hoogendijk
>
> I get a lot of these rules in my log file lately. Don't know why they
> are not logged in the error.log file. And if they are harmful or not.
>
> ==--==
> 83.30.48.99 - - [16/Nov/2005:23:44:18 +0100] "GET / HTTP/1.1" 200 1860 "http://puttane-grandi-tette.com" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
> 85.106.229.37 - - [16/Nov/2005:23:44:24 +0100] "GET / HTTP/1.1" 200 1860 "http://hosting-siti-adulti.com" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
[.. etc ..]
I've seen Dinesh's reply, and your later response, but I've seen batches of these at various times too, and think it's something other than DNS (though it did look like maybe a test of a distributed fetch, many IPs).

> These are not normal requests to my apache server. But it seems to
> "listen" to them. Am I 'in danger?'

No, they're not errors, they're just requests for your home page (GET /) which is presumably 1860 bytes .. the Referer (sic) in each case is one of these apparent porn sites, but could easily be forged - it's unlikely that the pages at the URLs given do in fact have any link to your site; more than likely they want you to go check out their stuff looking for one! So there's no danger involved, unless there are enough of them to DoS your server.

I tend to deal with such as these by blocking them in apache|httpd.conf so they just get a 403 access denied response, e.g.:

    # 1/3/5 multiple browsers, multiple IPs, all the same referrer:
    SetEnvIfNoCase Referer buy-vicodin-online\.us go_away

or in this other case, various different GETs attempting to access various porn URLs as wannabe proxy requests, all from the one IP:

    # 6/10/5 porn link referers regularly, different browsers ..
    SetEnvIf Remote_Addr 209\.172\.35\.44 go_away

In your case, the browser identification, most likely bogus, is a common factor in each, and could be blocked with such as:

    BrowserMatch "Mozilla/4\.0 \(compatible; MSIE 6\.0b; Windows NT 5\.0; \.NET CLR 1\.0\.2914\)" go_away

or some unique part of that string, whereas others as above will cycle through different browser strings - there's usually some common thread to such bot-made requests. I only hit on them when they become annoying (but sometimes I'm easily annoyed :)

Then of course you'd need something along the lines of:

    [.. other stuff ..]
    # 18Mar02 - allow only this file to otherwise denied bots
    order allow,deny
    allow from all

    order allow,deny
    allow from all
    deny from env=go_away

Cheers, Ian
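A small log-triage script, added here as an example and not part of Ian's or dick's posts: it parses Apache combined-format access log lines (constructed samples modelled on the two quoted above plus one ordinary visit), finds the user-agent, client address or Referer that recurs across off-site-referred requests, and emits the corresponding BrowserMatch / SetEnvIf directives in the same go_away style, escaping PCRE metacharacters the way the BrowserMatch line above does. The "common thread" heuristic, the min_hits threshold and the function names are my assumptions; the emitted directives are candidates for review, not something to deploy blindly.

```python
import re
from collections import Counter

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample: two lines modelled on the ones quoted in the thread plus one ordinary visit.
SAMPLE_LOG = """\
83.30.48.99 - - [16/Nov/2005:23:44:18 +0100] "GET / HTTP/1.1" 200 1860 "http://puttane-grandi-tette.com" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
85.106.229.37 - - [16/Nov/2005:23:44:24 +0100] "GET / HTTP/1.1" 200 1860 "http://hosting-siti-adulti.com" "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"
192.0.2.10 - - [16/Nov/2005:23:45:01 +0100] "GET /index.html HTTP/1.1" 200 1860 "-" "Mozilla/5.0 (X11; FreeBSD i386) Gecko/20051116 Firefox/1.0.7"
"""

def parse_combined(text):
    """Return one dict per parsable combined-format line; unparsable lines are skipped."""
    return [m.groupdict() for m in map(COMBINED_RE.match, text.splitlines()) if m]

def common_threads(entries, min_hits=2):
    """Coarse heuristic (assumption): among requests that carry a Referer, count the
    user-agent strings, client addresses and referers, and keep those seen >= min_hits times."""
    counts = Counter()
    for e in entries:
        if e["referer"] != "-":
            for field in ("agent", "host", "referer"):
                counts[(field, e[field])] += 1
    return {k: n for k, n in counts.items() if n >= min_hits}

def apache_escape(s):
    """Backslash-escape PCRE metacharacters so Apache matches the string literally."""
    return re.sub(r'([\\.^$|()\[\]{}*+?])', r'\\\1', s)

def suggest_rules(threads, env="go_away"):
    """Turn each common thread into a directive that tags matching requests with env,
    to be paired with 'deny from env=go_away' as in the thread (review before deploying)."""
    directive = {"agent": 'BrowserMatch "{}" {}',
                 "host": "SetEnvIf Remote_Addr {} {}",
                 "referer": "SetEnvIfNoCase Referer {} {}"}
    return [directive[f].format(apache_escape(v), env) for (f, v) in threads]

if __name__ == "__main__":
    for rule in suggest_rules(common_threads(parse_combined(SAMPLE_LOG))):
        print(rule)
```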