[Discussion] Strange entries in httpd-*.log + dynamic deny with a script + pf

Board: FreeBSD | Author: (賊二) | Time: 20 years ago (2005/04/26 03:09)
Hello everyone, here is a problem I found last night ... ||||

The httpd logs on one of my hosts are very strange =_=

httpd-error.log

    [Tue Apr 26 01:48:53 2005] [error] [client 24.136.131.224] File does not exist: /usr/local/www/data/upload/config/LOGIN
    [Tue Apr 26 01:49:12 2005] [error] [client 61.190.137.23] File does not exist: /usr/local/www/data/upload/getimage
    [Tue Apr 26 01:49:44 2005] [error] [client 217.225.101.39] File does not exist: /usr/local/www/data/upload/config/login
    [Tue Apr 26 01:50:09 2005] [error] [client 65.35.89.119] File does not exist: /usr/local/www/data/upload/config/login
    [Tue Apr 26 01:50:58 2005] [error] [client 70.104.115.30] File does not exist: /usr/local/www/data/upload/config/login
    [Tue Apr 26 01:51:59 2005] [error] [client 217.225.101.39] File does not exist: /usr/local/www/data/upload/config/login
    [Tue Apr 26 01:53:59 2005] [error] [client 217.225.101.39] File does not exist: /usr/local/www/data/upload/config/login
    [Tue Apr 26 01:54:34 2005] [error] [client 24.136.131.224] File does not exist: /usr/local/www/data/upload/config/LOGIN

httpd-access.log

    70.104.115.30 - - [26/Apr/2005:02:08:55 +0800] "GET http://edit.tpe.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=brave.b-323&passwd=suckit HTTP/1.0" 404 281 "-" "-"
    217.225.101.39 - - [26/Apr/2005:02:10:02 +0800] "GET http://login.yahoo.com/config/login?.tries=1&.src=bl&login=that_lonly_guy_over_there&passwd=Y+A+H+O+O&n=1 HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"
    65.35.89.119 - - [26/Apr/2005:02:10:11 +0800] "GET http://e6.member.ukl.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=PeeNutLMS&passwd=abc123 HTTP/1.0" 404 281 "-" "-"
    24.136.131.224 - - [26/Apr/2005:02:11:06 +0800] "GET http://login.korea.yahoo.com/config/LOGIN?.form=ym%20signup%20more%20info&.intl=au&new=1&passwd=BABY&.done=http%3a//jpager.yahoo.com/jpager/pager2.shtml&.src=jpg&.last=&Login=angel420_69&.u=0&.partner=&Login=&= HTTP/1.0" 404 281 "-" "-"
    65.35.89.119 - - [26/Apr/2005:02:12:01 +0800] "GET http://p3.movies.scd.yahoo.com/profiles/EVIL_MATRIX_ICE_K1NG HTTP/1.0" 404 298 "-" "-"
    217.225.101.39 - - [26/Apr/2005:02:12:05 +0800] "GET http://login.yahoo.com/config/login?.tries=1&.src=bl&login=t0ddy&passwd=:)&n=1 HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"

I don't know why this is happening, so I had to write a script that generates a dynamic deny list (a very crude one ^^||)

Every IP that has an error in httpd-error.log, and every IP that has yahoo in httpd-access.log, goes to > /etc/pf.conf

    # httpd-error.log: collect the client IP of every error line
    tail -n 2000 /var/log/httpd-error.log | grep error | awk '{print $8}' | cut -d "]" -f 1 | sort -u > /etc/pf.conf
    # httpd-access.log: deny *yahoo*
    tail -n 2000 /var/log/httpd-access.log | grep yahoo | awk '{print $1}' | cut -d "]" -f 1 | sort -u >> /etc/pf.conf
    # tail -n 2000 is roughly close to half a month of log
    cd /etc/
    sed 's/^/block in on vr0 proto tcp from /' pf.conf > pfreal.conf
    cp pfreal.conf pf.conf
    sed 's/$/ to any queue std_in /' pf.conf > pfreal.conf
    sort -u pfreal.conf > pf.conf
    # each bare ip becomes: block in on vr0 proto tcp from ip to any queue std_in
    pfctl -f /etc/pf.conf
    # pf loads the config file

I haven't seen logs this strange on my other hosts. I'm planning to remove all the software and reinstall it once =_= (there are reasons, so I don't plan to reinstall)

This only treats the symptoms, not the root cause (I don't know where the requests come from, so I can only block them one by one as they arrive)

Has anyone run into the same problem? XD

P.S. The layout gets messed up, so I pasted everything at http://t.no-ip.info/wiki/doku.php?id=quest ...

--
How much is one point on the coma scale worth?
How much is a 1% chance of survival worth?
How much would you pay to stay in this world and have one more meal with the one you love?
I would pay ten thousand for a good helmet. And you?
by idanny@scumotor http://tinyurl.com/5gnya
--
※ Origin: 批踢踢實業坊 (ptt.cc) ◆ From: 61.57.101.111
Article code (AID): #12RK27P- (FreeBSD)
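
An added example, not part of the original post: rather than rewriting /etc/pf.conf, it lists only the clients that sent proxy-style requests (an absolute URI for a foreign host, as in the access log above, or CONNECT, which goes beyond what the post shows) and writes them to a pf table file. The table name, file path, own host name and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Constructed sample access-log lines (documentation addresses, not the poster's log).
sample_log() { cat <<'EOF'
192.0.2.10 - - [26/Apr/2005:02:08:55 +0800] "GET http://login.example.net/config/login?login=a&passwd=b HTTP/1.0" 404 281 "-" "-"
192.0.2.10 - - [26/Apr/2005:02:09:10 +0800] "GET http://login.example.net/config/login?login=c&passwd=d HTTP/1.0" 404 281 "-" "-"
198.51.100.7 - - [26/Apr/2005:02:09:30 +0800] "GET http://www.example.org/index.html HTTP/1.1" 200 512 "-" "-"
198.51.100.7 - - [26/Apr/2005:02:09:31 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "-"
203.0.113.5 - - [26/Apr/2005:02:10:00 +0800] "CONNECT mail.example.net:25 HTTP/1.0" 405 300 "-" "-"
203.0.113.5 - - [26/Apr/2005:02:10:05 +0800] "GET http://login.example.net/ HTTP/1.0" 404 281 "-" "-"
999.1.1.1 - - [26/Apr/2005:02:10:09 +0800] "GET http://login.example.net/ HTTP/1.0" 404 281 "-" "-"
EOF
}
# Read access-log lines on stdin; print IPv4 clients with at least $1
# proxy-style requests. $2 = this server's own host name (assumed value).
proxy_probe_ips() {
    awk -v min="$1" -v own="$2" '
    function valid_ip(s,   o, n, i) {   # four decimal octets, each 0..255
        n = split(s, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    {
        method = $6; sub(/^"/, "", method); host = $7; proxy = 0
        scheme = "^[A-Za-z][A-Za-z0-9+.-]*://"
        if (method == "CONNECT") proxy = 1
        else if (host ~ scheme) {       # absolute URI in the request line
            sub(scheme, "", host); sub("[/:?].*$", "", host)
            if (tolower(host) != tolower(own)) proxy = 1   # own vhost is legitimate
        }
        if (proxy && valid_ip($1)) hits[$1]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print ip }
    ' | sort -u
}
# Build the table file from the last 2000 log lines and swap it in atomically.
# $1 = access log, $2 = table file, $3 = min hits, $4 = own host name
update_table_file() {
    tmp="$2.tmp.$$"
    tail -n 2000 "$1" | proxy_probe_ips "$3" "$4" > "$tmp" && mv "$tmp" "$2"
}
# pf.conf keeps its own rules and only references the table (vr0 as in the post;
# the table name and file path are assumptions):
#   table <proxyprobe> persist file "/etc/pf.proxyprobe"
#   block in quick on vr0 proto tcp from <proxyprobe> to any
# After each run, reload just the table:
#   pfctl -t proxyprobe -T replace -f /etc/pf.proxyprobe
```

Ordinary 404s from regular visitors never reach the table, and a malformed address in the log cannot end up in a pf rule.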