[Linux-bruxelles] Apache2 vulnerability? ... DoS attack...

Didier MISSON didier.misson at total.com
Tue 23 Jun 14:02:53 CEST 2009


linux-bruxelles-bounces at lists.bxlug.be wrote on 23/06/2009 13:20:55:

> Hi,
> 
> To start with, what do the Apache logs say?
> 
> Next time it happens, run:
> 
> netstat -tanpu | grep ":80 " | awk {'print $4'} | sort | uniq -c

I get this "at rest":

didier at abrasd03:~$ sudo netstat -tanpu | grep ":80 " | awk {'print $4'} | 
sort |
[sudo] password for didier:
      1 0.0.0.0:80
      2 127.0.0.1:80
      2 192.168.168.251:80

But will I be able to run this command when the server is 
saturated...

We'll see.

---------------------

In the logs:

in /log/apache2/access.log.1

localhost - - [06/Jan/2008:15:35:21 +0100] "GET /server-status?auto 
HTTP/1.1" 200 299 "-" "libwww-perl/5.805"
localhost - - [06/Jan/2008:15:40:06 +0100] "GET /server-status?auto 
HTTP/1.1" 200 299 "-" "libwww-perl/5.805"
localhost - - [06/Jan/2008:15:45:04 +0100] "GET /server-status?auto 
HTTP/1.1" 200 299 "-" "libwww-perl/5.805"
127.0.0.1 - - [06/Jan/2008:15:47:27 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:47:27 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:47:27 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:47:27 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:47:27 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:47:27 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:47:27 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:47:30 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:47:30 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:47:30 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:47:30 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:47:30 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
localhost - - [06/Jan/2008:15:50:04 +0100] "GET /server-status?auto 
HTTP/1.1" 200 299 "-" "libwww-perl/5.805"
127.0.0.1 - - [06/Jan/2008:15:51:51 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:51:51 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:51:51 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:51:51 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:51:51 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:51:51 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:51:51 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:51:51 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:51:51 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:15:51:51 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
localhost - - [06/Jan/2008:15:55:05 +0100] "GET /server-status?auto 
HTTP/1.1" 200 299 "-" "libwww-perl/5.805"
192.168.168.20 - - [06/Jan/2008:15:59:14 +0100] "GET / HTTP/1.1" 403 259 
"-" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.1.11) Gecko/20071204 
Ubuntu/7.10 (gutsy) Firefox/2.0.0.11"
192.168.168.20 - - [06/Jan/2008:15:59:19 +0100] "GET / HTTP/1.1" 403 259 
"-" "Mozilla/5.0 (X11; U; Linux i686; fr; rv:1.8.1.11) Gecko/20071204 
Ubuntu/7.10 (gutsy) Firefox/2.0.0.11"
127.0.0.1 - - [06/Jan/2008:23:48:21 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:23:48:21 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:23:48:21 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:23:48:21 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:23:48:21 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"
127.0.0.1 - - [06/Jan/2008:23:48:21 +0100] "GET / HTTP/1.0" 403 267 "-" 
"Apache (internal dummy connection)"


Are these "Internal dummy connection" entries normal?
Note that I don't have this message this morning!

----------------------------------------

It's not easy to find your way around the logs... 
The logs of Apache2 itself? Those of the domain (I separated them)?
Access or error?


Thanks,

-- 
Didier
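
Added example, not part of the original message: a shell function that sorts access-log lines like the ones above into Apache's own wake-up requests (the "internal dummy connection" entries, which the parent process sends to its children over loopback), local /server-status polls, and real client traffic, counted per client and per minute. The function names, sample addresses and agent strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise an Apache combined-format access log.
# Input:  one log entry per line on stdin (mail-wrapped lines must be rejoined).
# Output: "<count> <class> <client> <dd/Mon/yyyy:hh:mm>", busiest first.
triage_access_log() {
    awk -F'"' '
    NF >= 7 {                            # combined format only; other lines are skipped
        split($1, head, " ")             # head[1]=client, head[4]="[dd/Mon/yyyy:hh:mm:ss"
        client = head[1]
        minute = substr(head[4], 2, 17)  # drop "[" and the seconds
        agent  = $(NF - 1)               # last quoted field is the User-Agent
        loopback = (client == "127.0.0.1" || client == "::1" || client == "localhost")
        # The User-Agent is sent by the client, so the marker only counts from loopback.
        if (agent == "Apache (internal dummy connection)" && loopback)
            class = "internal"           # parent httpd waking its own children
        else if ($2 ~ /^GET \/server-status/ && loopback)
            class = "monitor"            # local poller reading mod_status
        else
            class = "client"             # everything else is real traffic
        hits[class " " client " " minute]++
    }
    END { for (k in hits) print hits[k], k }' | LC_ALL=C sort -rn
}

# Constructed sample input (documentation addresses, invented agent strings).
sample_log() {
    cat <<'EOF'
127.0.0.1 - - [23/Jun/2009:13:05:01 +0200] "GET / HTTP/1.0" 403 267 "-" "Apache (internal dummy connection)"
127.0.0.1 - - [23/Jun/2009:13:05:01 +0200] "GET / HTTP/1.0" 403 267 "-" "Apache (internal dummy connection)"
localhost - - [23/Jun/2009:13:05:04 +0200] "GET /server-status?auto HTTP/1.1" 200 299 "-" "libwww-perl/5.805"
203.0.113.7 - - [23/Jun/2009:13:05:10 +0200] "GET / HTTP/1.1" 200 512 "-" "ExampleAgent/1.0"
203.0.113.7 - - [23/Jun/2009:13:05:11 +0200] "GET / HTTP/1.1" 200 512 "-" "ExampleAgent/1.0"
203.0.113.7 - - [23/Jun/2009:13:05:12 +0200] "GET / HTTP/1.1" 200 512 "-" "ExampleAgent/1.0"
203.0.113.7 - - [23/Jun/2009:13:06:02 +0200] "GET / HTTP/1.1" 200 512 "-" "ExampleAgent/1.0"
198.51.100.20 - - [23/Jun/2009:13:05:30 +0200] "GET / HTTP/1.0" 200 512 "-" "Apache (internal dummy connection)"
EOF
}

sample_log | triage_access_log
```

On a real server, feed it the log file directly, for example `triage_access_log < access.log`, and look at the "client" rows with the highest per-minute counts.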