From owner-freebsd-questions@FreeBSD.ORG Sat Jun 5 23:16:31 2004
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5429816A4CE for ; Sat, 5 Jun 2004 23:16:31 -0700 (PDT)
Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4EBCE43D31 for ; Sat, 5 Jun 2004 23:16:28 -0700 (PDT) (envelope-from smithi@nimnet.asn.au)
Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.4) with SMTP id QAA19040; Sun, 6 Jun 2004 16:16:15 +1000 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Sun, 6 Jun 2004 16:16:14 +1000 (EST)
From: Ian Smith
To: Hasse
In-Reply-To: <20040605154600.949B416A4CF@hub.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-questions@freebsd.org
Subject: Sending a message to another computer on the network
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sun, 06 Jun 2004 06:16:31 -0000

On Sat, 5 Jun 2004 freebsd-questions-request@freebsd.org wrote:

> I'm on a FreeBSD 4.10-STABLE machine on 217.209.211.x ,
> and would like to send a message to Win-box ( on the same network, but not my
> machine ) that's filling up my httpd-access.log with junk.

Yes, these log-bombs are a pain, making it difficult (and slow) to scan
webserver logs with, say, less .. I had to write a script run hourly to
clean these out of our main apache and several vhost logs.

How can you be sure that they're coming from a Windows box, though?

> The only thing I know is his IP-address.
> Is this possible ? If it is, how.
> Or do I have to block his IP ?

Not much use if it changes, as you say yourself later .. best just send a
few of these log entries, with your later list of times received, to
your/his ISP asking for some action to hassle the (l)user concerned.

> The junk I receive in my log looks like this :
> -----------------
> httpd-error.log :
> [Sat Jun 05 14:13:43 2004] [error] [client 217.209.211.183] request
> failed: URI too long (longer than 8190)

Yes, they're all around 8300 bytes here, obvious buffer-overflow fodder,
though I don't know which webserver/s are targeted. Some days we get
between 10-20 per day from a range of IPs in the north-east Asia region,
where it's almost never any use trying to contact the ISPs concerned.

> -----------------
> httpd-access.log :
>
> 217.209.211.183 - - [05/Jun/2004:14:11:28 +0200] "SEARCH /\x90\x02\xb1\
>
> and the last line ending with :
> \x90\x90\x90\x90" 414 391 "-" "-"
> ----------------

Them's the ones. You're in a much better position than we are to stop
these, being (at least apparently) from IPs of your own ISP.

I'm unsure whether these are real attack attempts by some worm, or are
just designed as log bombs. Either way, they got me scriptin' .. email me
(anyone) if you could use my apache.logclean sh script. It's a bit
heavy-duty (having to stop apache briefly to clean logs) but has made
maintenance easier here, and kept log sizes down by up to 150K per day.

Cheers, Ian
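The two things Ian suggests doing with these entries, collecting the offending IPs with their timestamps for an abuse report to the ISP, and stripping the junk out of the access log so the rest stays readable, can both be driven off the same classifier. The script below is an added illustration and is not Ian's apache.logclean script nor anything from the FreeBSD project; it assumes Apache's common/combined log format, and the sample lines are constructed here, modelled on the entries Hasse quoted (the real requests run to ~8300 bytes and are truncated). An entry is treated as junk when it uses the odd SEARCH method and either drew a 414 from the server or carries a run of escaped 0x90 bytes, which are the two signals visible in the quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the mail).  Apache writes each
# non-printable request byte as the literal four characters "\x90", so a
# raw string reproduces the on-disk form of the log.
SAMPLE_ACCESS_LOG = r"""
217.209.211.183 - - [05/Jun/2004:14:11:28 +0200] "SEARCH /\x90\x02\xb1\x90\x90\x90\x90\x90" 414 391 "-" "-"
10.0.0.7 - - [05/Jun/2004:14:12:01 +0200] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
217.209.211.183 - - [05/Jun/2004:14:13:43 +0200] "SEARCH /\x90\x90\x90\x90\x90\x90\x90\x90" 414 391 "-" "-"
10.0.0.9 - - [05/Jun/2004:14:15:10 +0200] "GET /search?q=x90 HTTP/1.0" 200 512 "-" "curl"
217.209.211.190 - - [05/Jun/2004:14:20:05 +0200] "SEARCH /\x90\x90\x90\x90\x90\x90 HTTP/1.1" 400 326 "-" "-"
"""

# Common/combined log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Four or more consecutive escaped 0x90 bytes: the padding that makes up
# most of the junk request.  "\\x90" matches a literal backslash, x, 9, 0.
NOP_RUN = re.compile(r'(?:\\x90){4,}')


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["method"] = d["req"].split(" ", 1)[0]
    return d


def bomb_reason(entry):
    """Why this entry counts as log junk, or None if it looks legitimate.

    Requiring the SEARCH method as well as one of the two signals keeps a
    long but honest GET that happened to draw a 414 from being discarded.
    """
    if entry["method"] != "SEARCH":
        return None
    if entry["status"] == 414:
        return "414 URI too long"
    if NOP_RUN.search(entry["req"]):
        return "run of \\x90 bytes in request"
    return None


def summarize(log_text):
    """Map offending IP -> list of timestamps, the material for an ISP report."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and bomb_reason(e):
            hits[e["ip"]].append(e["ts"])
    return dict(hits)


def clean_lines(log_text):
    """Return the log lines worth keeping: everything that is not a bomb.

    Lines that fail to parse are kept rather than silently dropped, so the
    cleaner never loses data it does not understand.
    """
    keep = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e is None or bomb_reason(e) is None:
            keep.append(line)
    return keep


if __name__ == "__main__":
    for ip, times in summarize(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {len(times)} junk requests, first {times[0]}, last {times[-1]}")
    print(f"{len(clean_lines(SAMPLE_ACCESS_LOG))} lines retained after cleaning")
```

Run it against a rotated copy of the log rather than the file Apache is currently writing; that sidesteps the stop-and-restart Ian mentions having to do, since rewriting a live log file underneath the server risks losing entries written while the copy is in progress.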