Unusual hits in the Apache logs for a local site
I have an Apache 2.2 web server running on Windows 7, with six virtual hosts set up.
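- Domain A points to `?:/.../urls/1/`
- Domain B points to `?:/.../urls/2/`
- Domains C+D point to `?:/.../urls/3/`
- Domain E* points to `?:/.../urls/4/`
- My public IP points to `?:/.../urls/5/`
- localhost + network IP point to `?:/.../urls/6/`

(pseudo addresses and paths)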
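EDIT: the actual order in the configuration

- localhost + network IP point to `?:/.../urls/6/`
- My public IP points to `?:/.../urls/5/`
- Domain A points to `?:/.../urls/1/`
- Domain B points to `?:/.../urls/2/`
- Domains C+D point to `?:/.../urls/3/`
- Domain E* points to `?:/.../urls/4/`

END EDIT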
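*I don't own domain E yet, so for now I have it defined in my hosts file, and it works when I try to access it by domain name in the browser.

I've been making some extensive file-structure changes and altered my virtual hosts a bit, so right now each site just displays a test page that simply states which site it is: domain A/B/C/etc. Each site has its own access log and error log. All seemingly simple stuff. Having a private site on localhost is new to me. In the past, localhost, the network IP and domain A all pointed to my main site, so privacy was not a consideration.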
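My concern now is that site 6, which should only be accessible via `localhost`, `127.0.0.1` and `192.168.1.100`, is recording hits from outside addresses in its access log. The site denies all addresses except my own, and the foreign requests resulted in 403s as expected, whether they tried to access a real file like index.html or a bogus one, though some requests resulted in 400 errors, which I'm not familiar with. When certain common errors are triggered, I redirect to a custom error script (`?code=$HTTP_CODE`) that dumps the %ENV data to a file, in the hope that I can gather some useful information about these hits, and returns an error page to the user. So far, nothing makes any sense to me.

I'd like to know how/why these requests are reaching my internal address, whether I should be worried about anything in `?:/.../urls/6/` being visible to the public, whether I have misconfigured anything in Apache and, if so, how to fix it. Below are some snippets that may be relevant. Paths and my URLs have been obfuscated.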
Hosts file

```
127.0.0.1 domain-name-E.com # domain that i don't own yet
127.0.0.1 www.domain-name-E.com # domain that i don't own yet
```
httpd-vhosts.conf (EDIT: adjusted to show the actual order of the VHs)

```
<Directory "?:/.../urls/">
    Order Deny,Allow
    Allow from all
</Directory>

NameVirtualHost *:80

# site 6: private
<VirtualHost *:80>
    DocumentRoot "?:/.../urls/6/www/"
    ServerName localhost
    ServerAlias 127.0.0.1
    ServerAlias 192.168.1.100
    ScriptAlias /cgi/ "?:/.../urls/6/cgi/"
    <Directory "?:/.../urls/6/cgi/">
        AllowOverride All
    </Directory>
    ErrorLog "?:/.../logs/errors-site6.log"
    # CustomLog "?:/.../logs/access-site6.log" common
    LogFormat "%{%Y/%m/%d (%a) at %H:%M:%S}t %a Login: %u Sent: %B B in %D µs Status: %s/%>s for %H %m %{Host}i%U%q Using: %{User-agent}i From: %{Referer}i" custom
    CustomLog "?:/.../logs/access-site6.log" custom env=!dontlog
    SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
    SetEnvIf Remote_Addr "192\.168\.1\..*" dontlog
    # my public IP address
    SetEnvIf Remote_Addr "XXX\.XXX\.XXX\.XXX" dontlog
</VirtualHost>

# site 5 here
# site 1 here
# site 2 here
# site 3 here
# site 4 here
```
?:/…/urls/6/.htaccess

```
# site 6: private
Deny from all
Allow from 127.0.0.1
Allow from 192.168.1
# my public IP address
Allow from XXX.XXX.XXX.XXX
```
?:/…/logs/access-site6.log (tidied up for alignment)

```
# timestamp # IP # domain/path?query # agent # referrer
2019/06/24 (Mon) at 18:50:52 61.219.11.153 Login: - Sent: 226 B in 3001 µs Status: 400/400 for HTTP/1.1 GET -/ Using: - From: -
2019/06/24 (Mon) at 19:08:14 104.152.52.22 Login: - Sent: 1211 B in 512029 µs Status: 403/403 for HTTP/1.0 GET -/?code=403 Using: masscan/1.0 (https://github.com/robertdavidgraham/masscan) From: -
2019/06/25 (Tue) at 00:12:51 138.99.29.110 Login: - Sent: 226 B in 3001 µs Status: 400/400 for HTTP/1.1 GET -/Login.htm Using: - From: -
2019/06/25 (Tue) at 02:26:21 122.116.24.230 Login: - Sent: 226 B in 3000 µs Status: 400/400 for HTTP/1.1 GET -/Login.htm Using: - From: -
2019/06/25 (Tue) at 04:21:55 92.63.194.15 Login: - Sent: 1211 B in 365021 µs Status: 403/403 for HTTP/0.9 GET -/?code=403 Using: - From: -
2019/06/25 (Tue) at 09:28:05 89.248.169.12 Login: - Sent: 1211 B in 309018 µs Status: 403/403 for HTTP/1.1 GET 80/?code=403 Using: Mozilla/5.0 zgrab/0.x From: -
2019/06/25 (Tue) at 10:07:53 185.53.88.37 Login: - Sent: 0 B in 384022 µs Status: 403/403 for HTTP/1.0 GET -/robots.txt?code=403 Using: - From: -
2019/06/25 (Tue) at 10:48:16 77.247.110.106 Login: - Sent: 0 B in 464027 µs Status: 403/403 for HTTP/1.0 GET -/robots.txt?code=403 Using: - From: -
2019/06/25 (Tue) at 13:46:30 192.31.231.241 Login: - Sent: 1211 B in 519029 µs Status: 403/403 for HTTP/1.1 GET default/.html?code=403 Using: curl/7.64.1 From: -
2019/06/25 (Tue) at 15:14:24 77.247.110.106 Login: - Sent: 0 B in 375022 µs Status: 403/403 for HTTP/1.0 GET -/robots.txt?code=403 Using: - From: -
2019/06/25 (Tue) at 21:00:55 220.133.33.166 Login: - Sent: 226 B in 3001 µs Status: 400/400 for HTTP/1.1 GET -/Login.htm Using: - From: -
2019/06/26 (Wed) at 01:33:22 110.249.212.46 Login: - Sent: 226 B in 2000 µs Status: 400/400 for HTTP/1.1 GET -/testget?q=23333&port=80 Using: - From: -
```
?:/…/logs/errors-site6.log

```
[Mon Jun 24 18:50:52 2019] [error] [client 61.219.11.153] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Jun 24 19:08:14 2019] [error] [client 104.152.52.22] client denied by server configuration: ?:/.../urls/6/www/
[Tue Jun 25 00:12:51 2019] [error] [client 138.99.29.110] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /Login.htm
[Tue Jun 25 02:26:21 2019] [error] [client 122.116.24.230] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /Login.htm
[Tue Jun 25 04:21:55 2019] [error] [client 92.63.194.15] client denied by server configuration: ?:/.../urls/6/www/
[Tue Jun 25 09:28:05 2019] [error] [client 89.248.169.12] client denied by server configuration: ?:/.../urls/6/www/
[Tue Jun 25 10:07:53 2019] [error] [client 185.53.88.37] client denied by server configuration: ?:/.../urls/6/www/robots.txt
[Tue Jun 25 10:48:17 2019] [error] [client 77.247.110.106] client denied by server configuration: ?:/.../urls/6/www/robots.txt
[Tue Jun 25 13:46:30 2019] [error] [client 192.31.231.241] client denied by server configuration: ?:/.../urls/6/www/.html
[Tue Jun 25 15:14:24 2019] [error] [client 77.247.110.106] client denied by server configuration: ?:/.../urls/6/www/robots.txt
[Tue Jun 25 21:00:55 2019] [error] [client 220.133.33.166] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /Login.htm
[Wed Jun 26 01:33:22 2019] [error] [client 110.249.212.46] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /testget
```
?:/…/logs/detail-site6.log (tidied up for alignment, with some irrelevant key/value pairs omitted)

```
2019/06/24 at 07:08:15 PM
$VAR1 = {
  'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
  'GATEWAY_INTERFACE' => 'CGI/1.1',
  'HTTP_ACCEPT' => '*/*',
  'HTTP_USER_AGENT' => 'masscan/1.0 (https://github.com/robertdavidgraham/masscan)',
  'QUERY_STRING' => 'code=403',
  'REDIRECT_REQUEST_METHOD' => 'GET',
  'REDIRECT_STATUS' => '403',
  'REDIRECT_URL' => '/',
  'REMOTE_ADDR' => '104.152.52.22',
  'REMOTE_PORT' => '48100',
  'REQUEST_METHOD' => 'GET',
  'REQUEST_URI' => '/',
  'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
  'SCRIPT_NAME' => '/cgi/error/.pl',
  'SERVER_ADDR' => '192.168.1.100',
  'SERVER_NAME' => 'localhost',
  'SERVER_PORT' => '80',
  'SERVER_PROTOCOL' => 'HTTP/1.0',
  'SERVER_SIGNATURE' => '',
  'SERVER_SOFTWARE' => 'Apache',
};

2019/06/25 at 04:21:55 AM
$VAR1 = {
  'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
  'GATEWAY_INTERFACE' => 'CGI/1.1',
  'QUERY_STRING' => 'code=403',
  'REDIRECT_REQUEST_METHOD' => '',
  'REDIRECT_STATUS' => '403',
  'REDIRECT_URL' => '/',
  'REMOTE_ADDR' => '92.63.194.15',
  'REMOTE_PORT' => '1468',
  'REQUEST_METHOD' => 'GET',
  'REQUEST_URI' => '',
  'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
  'SCRIPT_NAME' => '/cgi/error/.pl',
  'SERVER_ADDR' => '192.168.1.100',
  'SERVER_NAME' => 'localhost',
  'SERVER_PORT' => '80',
  'SERVER_PROTOCOL' => 'HTTP/0.9',
  'SERVER_SIGNATURE' => '',
  'SERVER_SOFTWARE' => 'Apache',
};

2019/06/25 at 09:28:05 AM
$VAR1 = {
  'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
  'GATEWAY_INTERFACE' => 'CGI/1.1',
  'HTTP_ACCEPT' => '*/*',
  'HTTP_ACCEPT_ENCODING' => 'gzip',
  'HTTP_HOST' => '80',
  'HTTP_USER_AGENT' => 'Mozilla/5.0 zgrab/0.x',
  'QUERY_STRING' => 'code=403',
  'REDIRECT_REQUEST_METHOD' => 'GET',
  'REDIRECT_STATUS' => '403',
  'REDIRECT_URL' => '/',
  'REMOTE_ADDR' => '89.248.169.12',
  'REMOTE_PORT' => '32902',
  'REQUEST_METHOD' => 'GET',
  'REQUEST_URI' => '/',
  'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
  'SCRIPT_NAME' => '/cgi/error/.pl',
  'SERVER_ADDR' => '192.168.1.100',
  'SERVER_NAME' => '80',
  'SERVER_PORT' => '80',
  'SERVER_PROTOCOL' => 'HTTP/1.1',
  'SERVER_SIGNATURE' => '',
  'SERVER_SOFTWARE' => 'Apache',
};

2019/06/25 at 10:07:53 AM
$VAR1 = {
  'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
  'GATEWAY_INTERFACE' => 'CGI/1.1',
  'QUERY_STRING' => 'code=403',
  'REDIRECT_REQUEST_METHOD' => 'HEAD',
  'REDIRECT_STATUS' => '403',
  'REDIRECT_URL' => '/robots.txt',
  'REMOTE_ADDR' => '185.53.88.37',
  'REMOTE_PORT' => '58418',
  'REQUEST_METHOD' => 'GET',
  'REQUEST_URI' => '/robots.txt',
  'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
  'SCRIPT_NAME' => '/cgi/error/.pl',
  'SERVER_ADDR' => '192.168.1.100',
  'SERVER_NAME' => 'localhost',
  'SERVER_PORT' => '80',
  'SERVER_PROTOCOL' => 'HTTP/1.0',
  'SERVER_SIGNATURE' => '',
  'SERVER_SOFTWARE' => 'Apache',
};

2019/06/25 at 10:48:17 AM
$VAR1 = {
  'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
  'GATEWAY_INTERFACE' => 'CGI/1.1',
  'QUERY_STRING' => 'code=403',
  'REDIRECT_REQUEST_METHOD' => 'HEAD',
  'REDIRECT_STATUS' => '403',
  'REDIRECT_URL' => '/robots.txt',
  'REMOTE_ADDR' => '77.247.110.106',
  'REMOTE_PORT' => '54263',
  'REQUEST_METHOD' => 'GET',
  'REQUEST_URI' => '/robots.txt',
  'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
  'SCRIPT_NAME' => '/cgi/error/.pl',
  'SERVER_ADDR' => '192.168.1.100',
  'SERVER_NAME' => 'localhost',
  'SERVER_PORT' => '80',
  'SERVER_PROTOCOL' => 'HTTP/1.0',
  'SERVER_SIGNATURE' => '',
  'SERVER_SOFTWARE' => 'Apache',
};

2019/06/25 at 01:46:30 PM
$VAR1 = {
  'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
  'GATEWAY_INTERFACE' => 'CGI/1.1',
  'HTTP_ACCEPT' => '*/*',
  'HTTP_HOST' => 'default',
  'HTTP_USER_AGENT' => 'curl/7.64.1',
  'QUERY_STRING' => 'code=403',
  'REDIRECT_REQUEST_METHOD' => 'DKEMDIF&0',
  'REDIRECT_STATUS' => '403',
  'REDIRECT_URL' => '/.html',
  'REMOTE_ADDR' => '192.31.231.241',
  'REMOTE_PORT' => '33716',
  'REQUEST_METHOD' => 'GET',
  'REQUEST_URI' => '/.html',
  'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
  'SCRIPT_NAME' => '/cgi/error/.pl',
  'SERVER_ADDR' => '192.168.1.100',
  'SERVER_NAME' => 'default',
  'SERVER_PORT' => '80',
  'SERVER_PROTOCOL' => 'HTTP/1.1',
  'SERVER_SIGNATURE' => '',
  'SERVER_SOFTWARE' => 'Apache',
};

2019/06/25 at 03:14:24 PM
$VAR1 = {
  'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
  'GATEWAY_INTERFACE' => 'CGI/1.1',
  'QUERY_STRING' => 'code=403',
  'REDIRECT_REQUEST_METHOD' => 'HEAD',
  'REDIRECT_STATUS' => '403',
  'REDIRECT_URL' => '/robots.txt',
  'REMOTE_ADDR' => '77.247.110.106',
  'REMOTE_PORT' => '61954',
  'REQUEST_METHOD' => 'GET',
  'REQUEST_URI' => '/robots.txt',
  'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
  'SCRIPT_NAME' => '/cgi/error/.pl',
  'SERVER_ADDR' => '192.168.1.100',
  'SERVER_NAME' => 'localhost',
  'SERVER_PORT' => '80',
  'SERVER_PROTOCOL' => 'HTTP/1.0',
  'SERVER_SIGNATURE' => '',
  'SERVER_SOFTWARE' => 'Apache',
};
```
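Could this be a misconfiguration on my router? Or malware on my machine or router phoning home? If so, how can I check, and can I stop it as soon as possible?

Or is this just normal, messy internet traffic that I can ignore, resting assured that it will never see my private site?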
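When you want a virtual host that only responds to queries for `http://localhost`, don't make that virtual host available on all IP addresses with the IP-address wildcard:

```
<VirtualHost *:80>
    ServerName localhost
```

See the manual for the exact VHost matching rules, but doing the above only gives Apache httpd a discriminator for selecting which requests should be handled by that virtual host, i.e. when the request contains a `Host: localhost` header. It does not verify that the request was made to the localhost IP address `127.0.0.1` or to the loopback network interface. Instead, bind that VHost to the specific localhost IP address:

```
<VirtualHost 127.0.0.1:80>
    ServerName localhost
```

or the equivalent

```
<VirtualHost localhost:80>
    ServerName localhost
```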
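The selection rule described in the answer, as a simplified Python model run over requests shaped like the logged hits (an added example, not code from the original post or from Apache). The `select_vhost` helper and the `.example` names for sites 5 and 1 are assumptions, and the model relies on Apache's documented fallback to the first listed virtual host when no `ServerName` or `ServerAlias` matches.

```python
# Simplified model of Apache virtual host selection (illustrative only).
# Site names follow the question; the .example host names are placeholders.

def select_vhost(vhosts, local_ip, port, host_header):
    """Return the name of the vhost that would handle a request.

    vhosts: list of (name, [bind addresses], [ServerName + ServerAlias])
    in configuration order.
    """
    # Step 1: the address the connection arrived on picks the candidate set.
    # An exact IP:port match beats the *:port wildcard.
    exact = [v for v in vhosts if f"{local_ip}:{port}" in v[1]]
    candidates = exact or [v for v in vhosts if f"*:{port}" in v[1]]
    if not candidates:
        return None  # would fall through to the main server configuration
    # Step 2: the Host header is only a discriminator inside that set.
    host = (host_header or "").split(":")[0].lower()
    for name, _, names in candidates:
        if host in names:
            return name
    # No match, or no Host header at all: the first candidate is the default.
    return candidates[0][0]

SITE6_NAMES = ["localhost", "127.0.0.1", "192.168.1.100"]

# Configuration as posted: site 6 is listed first under *:80.
AS_POSTED = [
    ("site6", ["*:80"], SITE6_NAMES),
    ("site5", ["*:80"], ["public-ip.example"]),
    ("site1", ["*:80"], ["domain-a.example"]),
]

# Configuration from the answer: site 6 bound to the loopback address.
LOOPBACK_ONLY = [("site6", ["127.0.0.1:80"], SITE6_NAMES)] + AS_POSTED[1:]

# Constructed requests modelled on the logged hits; forwarded traffic reaches
# Apache on 192.168.1.100 (SERVER_ADDR in detail-site6.log).
SCANNER_HITS = [
    ("192.168.1.100", None),         # HTTP/1.0, no Host header (masscan entry)
    ("192.168.1.100", "80"),         # zgrab entry
    ("192.168.1.100", "default"),    # curl entry
    ("192.168.1.100", "localhost"),  # Host header chosen by the client
]

def route_all(vhosts, hits=SCANNER_HITS):
    """Route every sample hit and return the handling vhost names."""
    return [select_vhost(vhosts, ip, 80, host) for ip, host in hits]
```

`route_all(AS_POSTED)` sends every hit to site 6, while `route_all(LOOPBACK_ONLY)` sends them to site 5, which becomes the default for the wildcard address. Binding site 6 to `192.168.1.100:80` as well would route the forwarded requests back to it, so the `Deny`/`Allow` rules stay necessary for the LAN address.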