tekim
Posts: 13
Joined: Fri Sep 28, 2012 7:14 pm
Location: U.K.

Apache2 access log

Mon Jun 16, 2014 4:48 pm

Greetings,

The set-up:-
Router forwarding port 8080 to RasPi
Apache2 running on RasPi listens and will reply
All working OK
The RasPi is not, as far as I know, running anything other than Apache2.
O.S. is wheezy.

However in the Apache2 access log file are messages similar to these:-

61.231.89.98 - - [15/Jun/2014:21:07:08 +0000] "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0" 405 562 "-" "-"
61.231.86.95 - - [15/Jun/2014:21:48:24 +0000] "CONNECT mx3.mail2000.com.tw:25 HTTP/1.0" 405 562 "-" "-"
93.174.93.51 - - [16/Jun/2014:08:52:21 +0000] "GET http://ipv4scan.com/hello/check.txt HTTP/1.1" 404 450 "-" "IPv4Scan (+http://ipv4scan.com)"
1.163.193.25 - - [16/Jun/2014:11:21:15 +0000] "CONNECT mx3.mail2000.com.tw:25 HTTP/1.0" 405 562 "-" "-"

Questions:-

The requests are forwarded thro' the router if they use port 8080, how can this be proved?
and
What are these requests for? Two seem to be to do with email but why send to a web server?

Thanks in advance for any help,

tekim

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia

Re: Apache2 access log

Mon Jun 16, 2014 4:58 pm

Hi,
tekim wrote: The requests are forwarded thro' the router if they use port 8080, how can this be proved?
With a packet sniffer (e.g. tcpdump).
But... since these records are in Apache's log file, it means that Apache has received them (so port forwarding is working properly and everything is OK). To sleep well, also check Apache's error log file - you'll find these records there too, so Apache has detected that they are improper and has properly handled (disposed of) them.
tekim wrote: What are these requests for?
Bad guys are checking if they can abuse you.
tekim wrote: Two seem to be to do with email but why send to a web server?
As said, bad guys are checking various things...


Best wishes, Ivan Zilic.
Running out of GPIO pins and/or need to read analog values?
Solution: http://www.flyfish-tech.com/FF32

tekim
Posts: 13
Joined: Fri Sep 28, 2012 7:14 pm
Location: U.K.

Re: Apache2 access log

Mon Jun 16, 2014 7:02 pm

Greetings,

Thanks for your very rapid reply.

I was hoping that Apache2 could be set to include the port number along
with the IP address as recorded in the log file, my knowledge is very limited regarding the
configuration of Apache2 all a bit 'try it and see'.

On reflection maybe port 8080 was not a good choice for me to use.

Many thanks for the input,

Cheers,

tekim

FLYFISH TECHNOLOGIES
Posts: 1750
Joined: Thu Oct 03, 2013 7:48 am
Location: Ljubljana, Slovenia

Re: Apache2 access log

Mon Jun 16, 2014 7:15 pm

Hi,
tekim wrote: I was hoping that Apache2 could be set to include the port number
Not needed, because you know the port - it is the one which you set on the router as a destination port next to RasPi's IP address (default 80).
tekim wrote: On reflection maybe port 8080 was not a good choice for me to use.
"Security through obscurity" is not the solution. Bad guys are also scanning the whole port range, so they can knock at you on any port.

The solution is to invest some time to get an overview about the subject... when you connect any box to the internet, you immediately expose it.


Best wishes, Ivan Zilic.

rpdom
Posts: 17976
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Apache2 access log

Mon Jun 16, 2014 7:32 pm

You can change the format of the access log with a custom format. Putting a "%p" in the format string will give the port number.

Look at the default "LogFormat" in /etc/apache2/apache2.conf. Create a file in /etc/apache2/conf.d/, ideally ending in .conf, and add that "LogFormat" directive into it with a %p added somewhere. Then restart Apache with apache2ctl restart or service apache2 restart or /etc/init.d/apache2 restart or by rebooting (you will need sudo for all of this stuff unless you are root).
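
Added example, not part of the original thread: a small Python triage script for access-log lines like the ones quoted in the first post, which reads the port when the log format starts with "%v:%p" and flags proxy-style requests (CONNECT, or a GET for a URL on another host) together with whether Apache refused them. The "%v:%p" prefix layout, the host name raspi.example and the third sample line are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Optional "%v:%p " prefix (assumed layout), then the fields visible in the
# thread's log lines: client, identity, user, time, request, status, size.
LINE = re.compile(
    r'^(?:(?P<vhost>[^\s:]+):(?P<port>\d+) )?'
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?:\d+|-)'
)

# Constructed sample: two lines from the thread (one given an assumed "%v:%p"
# prefix) plus one made-up ordinary request.
SAMPLE = [
    '61.231.89.98 - - [15/Jun/2014:21:07:08 +0000] "CONNECT mx0.mail2000.com.tw:25 HTTP/1.0" 405 562 "-" "-"',
    'raspi.example:8080 93.174.93.51 - - [16/Jun/2014:08:52:21 +0000] "GET http://ipv4scan.com/hello/check.txt HTTP/1.1" 404 450 "-" "IPv4Scan (+http://ipv4scan.com)"',
    'raspi.example:8080 192.0.2.10 - - [16/Jun/2014:09:00:00 +0000] "GET /index.html HTTP/1.1" 200 177 "-" "Mozilla/5.0"',
]

def classify(line):
    """Parse one log line; return None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    parts = m.group("request").split()
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    kind = "normal"
    if method == "CONNECT":
        kind = "proxy-connect"        # asks the server to tunnel to host:port
    elif "://" in target:
        host = urlsplit(target).hostname
        if host != m.group("vhost"):  # absolute URL naming some other host
            kind = "proxy-absolute-uri"
    status = int(m.group("status"))
    port = int(m.group("port")) if m.group("port") else None
    return {"client": m.group("client"), "port": port, "method": method,
            "target": target, "status": status, "kind": kind,
            # 4xx/5xx means the request was rejected; anything else needs a look
            "refused": kind != "normal" and status >= 400}

def flagged(lines):
    """Return (client, kind, port, status) for every proxy-style request."""
    recs = [r for r in map(classify, lines) if r and r["kind"] != "normal"]
    return [(r["client"], r["kind"], r["port"], r["status"]) for r in recs]

if __name__ == "__main__":
    for row in flagged(SAMPLE):
        print(row)
```

A flagged request with a 2xx status is the case worth investigating, since it would mean the server answered a proxy-style request instead of rejecting it.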

tekim
Posts: 13
Joined: Fri Sep 28, 2012 7:14 pm
Location: U.K.

Re: Apache2 access log

Mon Jun 16, 2014 11:27 pm

Greetings,

Thanks for the Apache2 log format parameter %p I have included this and will see what happens.
As pointed out previously port 8080 must be being used as the router is not thought to be faulty but
this will prove the point.

Cheers,

tekim

tekim
Posts: 13
Joined: Fri Sep 28, 2012 7:14 pm
Location: U.K.

Re: Apache2 access log

Sat Aug 30, 2014 1:53 pm

Greetings,

Thanks for the %p parameter use, this was included in some of the log formatting templates
but not part of the template that was being used, Sod's law.

Having added %p the log messages did show the 8080 port, it's nice to have proof.

Port 8080 is shown in some listings as being a substitute for port 80 or in one list as being used
by Apache software, I have no proof of this though.

Have changed the port to 8888 and no longer have the intruder logged.

Thanks for all advice.

Cheers
