Author: onefang
Date:  
To: dng
Subject: [DNG] Apache 2 - "X sites probed the server"
I'm running Apache 2 on my server. Every day I get an email from
logwatch to summarise important stuff in my logs. It includes -

--------------------- httpd Begin ------------------------


 A total of 6126 sites probed the server 
    1.122.146.15
    1.141.148.168
    1.145.123.157


Then lists the other 6123 IPs. After the thousands of IPs, it has -


 Requests with error response codes
    400 Bad Request
       /: 22 Time(s)
       null: 22 Time(s)
       *: 4 Time(s)
       ../../proc/: 4 Time(s)
    403 Forbidden
       /drupal/?q=node/add: 71 Time(s)
       /drupal/user/2981/xmlrpc.php: 3 Time(s)
       /drupal/user/2981/edit/xmlrpc.php: 2 Time(s)
       /drupal/search/node/Popular%2Bbroadband%2B ... Bconfigurations: 1 Time(s)
    404 Not Found
       /merged/dists/ascii/InRelease: 1795 Time(s)


And thousands of others in other categories.

Yes I am actually running Drupal. The merged/dists/ascii/InRelease and
similar is coz my package mirror no longer has ASCII, since that got
archived. I guess the message that ASCII got moved to the archive server
hasn't gotten through to a lot of people that are still running ASCII.

There will also be lots of errors for URLs that I don't have, looking
like people are trying to crack my server.

After that section is -

---------------------- httpd End -------------------------


--------------------- HTTPD Errors Begin ------------------------


 Level error :     67 Time(s) 
 ---------------------- HTTPD Errors End ------------------------- 


Which long ago I was wondering "What is a level error" then I figured out
error is the level, coz there is also sometimes "Level critical".

This is copied from this morning's email. Notably the "X sites probed the
server" has typically been in the few hundreds, but has lately been
skyrocketing very quickly. Was 1000 a couple of days ago, 2000 yesterday,
6000 today.

Apache could be a bit more obvious what these things actually mean. Does
"probed the server" mean "someone tried something evil"? I did a quick
web search, didn't help. Can anyone shed some light on these things?

When I saw the 1000 one I did try reverse lookup on some of them that
looked like they were from the same subnet. Lots of
bytespider-110-249-*-*.crawl.bytedance.com. on the ones that started with
110.249.*.*, which was a lot of those listed IPs. Sooooo sounds like
bytedance has a crazy amount of IPs hitting me daily for their search
engine web crawler / spider? Lots from other places, but I wasn't in
the mood to test all of them.

Would be nice if there was more details about what this all means. Would
be nice if fail2ban didn't fail2ban, the only rule that actually works is
the one I wrote myself. Anyone got a clue? I could use some.

I'm considering switching to nginx some day, though not sure if that'll
help with this.

--
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.
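
An added example, not part of the original post and not logwatch's own counting logic: one way to triage the access log behind a summary like the one above, separating clients whose only 4xx responses are the stale `/merged/dists/ascii/` mirror 404s from the rest, then grouping the rest by /16. It assumes Apache "combined" log lines with IP addresses as the client field; the function `triage`, the sample lines and the documentation-range IPs are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample in Apache "combined" format; IPs are documentation ranges.
SAMPLE_LOG = '''\
203.0.113.5 - - [10/Oct/2023:06:25:01 +0000] "GET /merged/dists/ascii/InRelease HTTP/1.1" 404 437 "-" "Debian APT-HTTP/1.3"
203.0.113.5 - - [10/Oct/2023:06:25:02 +0000] "GET /merged/dists/ascii/InRelease HTTP/1.1" 404 437 "-" "Debian APT-HTTP/1.3"
198.51.100.7 - - [10/Oct/2023:06:26:10 +0000] "GET /drupal/?q=node/add HTTP/1.1" 403 199 "-" "ExampleSpider"
198.51.100.9 - - [10/Oct/2023:06:26:11 +0000] "GET /drupal/?q=node/add HTTP/1.1" 403 199 "-" "ExampleSpider"
192.0.2.44 - - [10/Oct/2023:06:27:00 +0000] "GET ../../proc/ HTTP/1.1" 400 301 "-" "-"
192.0.2.44 - - [10/Oct/2023:06:27:05 +0000] "GET /merged/dists/ascii/InRelease HTTP/1.1" 404 437 "-" "-"
198.51.100.7 - - [10/Oct/2023:06:28:00 +0000] "GET /drupal/ HTTP/1.1" 200 5120 "-" "ExampleSpider"
'''

# client, ident, user, [time], "METHOD path ...", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

def triage(log_text, stale_prefixes=("/merged/dists/ascii/",)):
    """Split clients that received 4xx responses into stale-mirror-only and the rest."""
    errors = defaultdict(set)            # ip -> {(status, path), ...}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # lines without a parseable request are skipped
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        if 400 <= status < 500:
            errors[ip].add((status, path))
    stale_only, other = set(), {}
    for ip, hits in errors.items():
        rest = {h for h in hits if not h[1].startswith(stale_prefixes)}
        if rest:
            other[ip] = sorted(rest)     # errors that are not explained by the old mirror path
        else:
            stale_only.add(ip)
    # Group the remaining clients by /16 to spot one operator using many addresses.
    by_net = defaultdict(list)
    for ip in other:
        by_net[str(ip_network(f"{ip}/16", strict=False))].append(ip)
    return stale_only, other, dict(by_net)

if __name__ == "__main__":
    stale_only, other, by_net = triage(SAMPLE_LOG)
    print("only stale-mirror 404s:", sorted(stale_only))
    for net, ips in sorted(by_net.items()):
        print(net, [(ip, other[ip]) for ip in sorted(ips)])
```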