DaemonForums  

#1
2nd August 2010
Mantazz
Shell Scout
Join Date: Oct 2008
Posts: 90
Apache checking its own status?

My webserver at home, running 6.2-release with Apache 2.2, has been running now for some 298 days uninterrupted. However, in the past couple of days I have seen a lot of
Code:
 - [02/Aug/2010:10:55:42 -0400] "GET / HTTP/1.1" 200 710 "-" "-"
in my /var/log/httpd-access.log. The IP address that is listed at the start of the line is my own IP address, so it seems that the request starts on my home network. I see these lines every 5 minutes in the log.

I'm not sure how to interpret these lines. There is no system information in the line to help me deduce what kind of system is doing this (there are multiple systems on my home network) - is it the local system (if so why is it originating from the IP address and not the local address)?

#2
2nd August 2010
3th3r
New User
Join Date: May 2010
Location: Los Angeles
Posts: 6

From the official Apache docs, this is the explanation of the first field in the access log entry:

"This is the IP address of the client (remote host) which made the request to the server. If HostnameLookups is set to On, then the server will try to determine the hostname and log it in place of the IP address. However, this configuration is not recommended since it can significantly slow the server. Instead, it is best to use a log post-processor such as logresolve to determine the hostnames. The IP address reported here is not necessarily the address of the machine at which the user is sitting. If a proxy server exists between the user and the server, this address will be the address of the proxy, rather than the originating machine."

#3
3rd August 2010
Mantazz
Shell Scout
Join Date: Oct 2008
Posts: 90

Thank you for the suggestion; however, it is not the case with my webserver. I can say this because I have HostnameLookups turned off (as it was by default), and also because these lines are appearing every 5 minutes regardless of whether or not there is traffic to my webserver.

Also this is something that has started only in the past 2 days, while the webserver itself has been running for over 289 days continuously at this point.

It might be worthwhile to point out at this point that this is just a "hobby" webserver that I run at home. It mostly has family pictures and that type of stuff, and has very little traffic - so little that our ISP hasn't bothered to try to sell us more bandwidth yet.

Last edited by Mantazz; 3rd August 2010 at 12:55 AM. Reason: adding information

#4
3rd August 2010
comet--berkeley
Old programmer/hacker
Join Date: Apr 2009
Posts: 85
Apache checking its own status? No. Would you believe NoScript?

This is caused by a client browser running the new version of NoScript 2.0 which came out last week:

http: forums.informaction.com/viewtopic.php?f=7&t=4743

To fix it go to each browser and change the NoScript option:

"you're likely among the few people who may want to disable this feature, since you've got a web server meant to be public on that IP.

Just uncheck NoScript Options|Advanced|ABE|WAN IP ∈ LOCAL."

This new anti-dns-rebinding version of NoScript 2.0 was prompted by the recent Black Hat meeting where dns-rebinding was featured.

Craig Heffner
"How to Hack Millions of Routers"

http: blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Heffner

The broken urls are because:
You are only allowed to post URLs once you have at least 5 posts.

--------------------------------------------------------------------------------------------------
OpenBSD Only two remote holes in the default install, in a heck of a long time!

Last edited by comet--berkeley; 3rd August 2010 at 04:13 AM. Reason: signature

#5
3rd August 2010
Mantazz
Shell Scout
Join Date: Oct 2008
Posts: 90

Good call, that seems to have done it. Indeed, I had just upgraded the NoScript plugin on my notebook on the same network, but I didn't previously suspect that to be the culprit. I turned off that setting and the self-requests went away.

Out of curiosity, how did you find that? The line from httpd-access.log was virtually impossible to use as a meaningful Google query (or at least I couldn't craft it into one).

Thanks!

#6
4th August 2010
comet--berkeley
Old programmer/hacker
Join Date: Apr 2009
Posts: 85

Quote:
Originally Posted by Mantazz
Out of curiosity, how did you find that?
I was at my wits' end with similar page requests appearing on my home web server.

But after running tcpdump I saw the page request every 5 minutes coming from my own machine.

And after turning off all the Firefox plugins the page requests stopped.

Going to Google I searched on this: NoScript "5 minutes" and found this

http://forums.informaction.com/viewtopic.php?f=7&t=4743

--------------------------------------------------------------------------------------------------------
Now that I have described how I found it, let me talk about DNS rebinding, which NoScript is trying to stop.

Besides putting NoScript on every client browser in your house, it is good to beef up the DNS server on the router.

If the router uses dnsmasq as the DNS then add the "stop-dns-rebind" option to it.

And configure the web server to reject invalid Host headers.

One straightforward way to do this is to turn on "Virtual Hosting".

Here is the wikipedia article about DNS rebinding:

http://en.wikipedia.org/wiki/DNS_rebinding
Reply With Quote
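
The pattern diagnosed in this thread (a bare GET / with no Referer and no User-Agent, repeating every 5 minutes from one address) can be picked out of an access log mechanically. The following is an added example, not part of any post above: it assumes Apache's combined log format, and the function name, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def periodic_blank_clients(lines, min_hits=4, jitter=15):
    """Map (client, request) -> period in seconds for requests that carry no
    Referer and no User-Agent and recur at a near-constant interval."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m or m["ref"] != "-" or m["ua"] != "-":
            continue  # unparsable line, or a request from an ordinary browser
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[(m["host"], m["req"])].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few samples to call it a timer
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        # A timer-driven probe keeps every gap within `jitter` seconds of the median.
        if period > 0 and all(abs(g - period) <= jitter for g in gaps):
            flagged[key] = period
    return flagged

# Constructed sample log; 203.0.113.7 stands in for the server's own WAN address.
SAMPLE = """\
203.0.113.7 - - [02/Aug/2010:10:50:41 -0400] "GET / HTTP/1.1" 200 710 "-" "-"
198.51.100.23 - - [02/Aug/2010:10:52:10 -0400] "GET /photos/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; FreeBSD)"
203.0.113.7 - - [02/Aug/2010:10:55:42 -0400] "GET / HTTP/1.1" 200 710 "-" "-"
203.0.113.7 - - [02/Aug/2010:11:00:42 -0400] "GET / HTTP/1.1" 200 710 "-" "-"
203.0.113.7 - - [02/Aug/2010:11:05:43 -0400] "GET / HTTP/1.1" 200 710 "-" "-"
192.0.2.50 - - [02/Aug/2010:11:06:00 -0400] "GET / HTTP/1.1" 200 710 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for (client, request), period in periodic_blank_clients(SAMPLE).items():
        print(f"{client} repeats {request!r} every {period:.0f}s with no Referer/User-Agent")
```

A flagged address that is the server's own WAN IP points at a client on the local network, which tcpdump on the LAN side can then narrow down to a single machine.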