[Solved] Apache2 log with "no-revers-dns.set"

ZeLegolas
Tux's lil' helper
Posts: 128
Joined: Tue Apr 26, 2005 2:08 am

Post by ZeLegolas » Wed Aug 18, 2010 2:46 pm

Hi

On a server I see in the access.log file some traces beginning with "no-revers-dns.set".
What does that mean? How can I set Apache to detect and refuse this type of access?

I'm also interested to know if it's possible to ask Apache to automatically check the remote host that tries to access the website. If Apache cannot get a valid IP address for each request, I would like to reject the session automatically.

Regards
Last edited by ZeLegolas on Tue Aug 24, 2010 12:39 am, edited 1 time in total.
francofallica
n00b
Posts: 33
Joined: Mon Mar 17, 2008 5:27 pm

Post by francofallica » Wed Aug 18, 2010 4:32 pm

Ok, first: I wasn't able to confirm my idea and I am not sure about it, but I think it means that Apache was not able to resolve an IP to a domain name. But it could also mean that you need to enable reverse lookups in your Apache config.

Second:
What do you consider a valid IP? Any TCP connection to your server has a valid source address, otherwise there is no communication. (Although somebody could send you SYN packets with an invalid IP, that's not very harmful.)

You probably should not block on a hostname basis because it would generate a lot of DNS traffic. You would be better off doing it on an IP level and by using iptables.
Read this: http://betabug.ch/blogs/ch-athens/933

If you want access control on the basis of hostnames you can do it by using mod_access. I think for what you want you need to enable the "HostnameLookups Double" feature in your Apache config.
See http://httpd.apache.org/docs/2.0/mod/mod_access.html
but consider these: http://httpd.apache.org/docs/2.0/misc/p ... ml#runtime and http://httpd.apache.org/docs/2.0/dns-caveats.html

Hope that's helpful in any way.
ZeLegolas
Tux's lil' helper
Posts: 128
Joined: Tue Apr 26, 2005 2:08 am

Post by ZeLegolas » Thu Aug 19, 2010 2:32 am

francofallica wrote: What do you consider a valid IP?

If I check Apache's log, sometimes I have an IP address, sometimes a host name. But now I received some "no-revers-dns.set" and I don't know who tried to access the server. If we can force Apache to put the IP address for the people who tried to access the server, it will be better. But I don't know if it's possible.

francofallica wrote: You probably should not block on a hostname basis because it would generate a lot of DNS traffic. You would be better off doing it on an IP level and by using iptables. Read this: http://betabug.ch/blogs/ch-athens/933

Yes, I know I can block with iptables, but for that I need to know which IP I should block. But if the host name is "no-revers-dns.set" I cannot do anything :(

francofallica wrote: If you want access control on the basis of hostnames you can do it by using mod_access. I think for what you want you need to enable the "HostnameLookups Double" feature in your Apache config.
See http://httpd.apache.org/docs/2.0/mod/mod_access.html
but consider these: http://httpd.apache.org/docs/2.0/misc/p ... ml#runtime and http://httpd.apache.org/docs/2.0/dns-caveats.html

Ok, thanks, I will take a look.

francofallica wrote: Hope that's helpful in any way.

Sure, I appreciate your help :)
ZeLegolas
Tux's lil' helper
Posts: 128
Joined: Tue Apr 26, 2005 2:08 am

Post by ZeLegolas » Tue Aug 24, 2010 12:37 am

To have the remote IP address in the log instead of the remote host name, we just have to change:

#file /etc/apache2/modules.d/00_mod_log_config.conf
#replace:
LogFormat "%h %l %u %t \"%r\" %>s %b" common
#by:
LogFormat "%a %l %u %t \"%r\" %>s %b" common
After that we can create 3 scripts:

First: initWatchAccessLog implements a service (must be in /etc/init.d/)

#!/sbin/runscript
# OpenRC init script: runs the watcher as a background daemon after apache2 is up

depend() {
  need net apache2
  after apache2
}

checkconfig() {
  ebegin "Check config"
  eend $?
}

start() {
  ebegin "Starting watching Apache access_log"
  start-stop-daemon --start --background --pidfile /var/run/watchApacheAccesslog.pid --make-pidfile --exec /var/scripts/watchApacheAccesslog
  eend $?
}

stop() {
  ebegin "Stop watching Apache access_log"
  # the watcher forks a "tail -f | while" pipeline: kill its children first, then the watcher itself
  pkill -P "$(cat /var/run/watchApacheAccesslog.pid)"
  start-stop-daemon --stop --pidfile /var/run/watchApacheAccesslog.pid --name watchApacheAccesslog
  eend $?
}
Second: watchApacheAccesslog filters traces (must be in the folder you specify in initWatchAccessLog)

#!/bin/bash
#set -x
# Follows the Apache access_log (written with LogFormat "%a ..." so the first
# field is the client IP) and hands every non-local /24 that produced a
# status >= 400 to the webblock script. SIGKILL cannot be trapped, so it is
# not listed.
on_die()
{
  echo "$(date +'%G-%m-%d %H:%M:%S') Stop service" >> "$LOGFILE"
  exit
}

trap "on_die" SIGABRT SIGQUIT SIGINT SIGTERM

pushd /var/scripts > /dev/null || exit 1

LOGFILE=/var/log/watchApacheAccesslog.log
LOGAPACHE=/var/log/apache2/access_log

if [[ ! -f $LOGAPACHE ]]
then
  echo "$(date +'%G-%m-%d %H:%M:%S') Don't start, Apache log file missing" >> "$LOGFILE"
  exit 1
fi

echo "$(date +'%G-%m-%d %H:%M:%S') Start service" >> "$LOGFILE"

tail -n0 -f "$LOGAPACHE" | while read -r line
do
  # split the common-format line into 'ip' 'request' 'status'
  RESULT=$(echo "$line" | sed -n "s/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*\"\(.*\)\" \(.*\) .*/'\1' '\2' '\3'/p")
  CODE=$(echo "$RESULT" | sed -n "s/'[^']*' '[^']*' '\([^']*\)'.*/\1/p")
  IP=$(echo "$RESULT" | sed -n "s/'\([^']*\)'.*/\1/p")
  IPFIREWALL=$(echo "$IP" | sed -n "s/\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p")

  # lines that did not match the format (no status) are ignored
  [[ -z $CODE ]] && continue

  if [[ $IPFIREWALL != "192.168.1" && $CODE -ge 400 ]]
  then
    URL=$(echo "$RESULT" | sed -n "s/'[^']*' '\([^']*\)'.*/\1/p")
    IPFIREWALL="${IPFIREWALL}.0/24"

    INFIREWALL=$(iptables -vnL web-blacklist | grep "$IPFIREWALL")

    if [[ $INFIREWALL == "" ]]
    then
      printf '%s %-15s %s "%s"\n' "$(date +'%G-%m-%d %H:%M:%S')" "$IP" "$CODE" "$URL" >> "$LOGFILE"
      # run the init script and webblock as commands, not sourced: sourcing would
      # overwrite this script's variables (IP, IFDEV) with theirs
      /etc/init.d/apache2 stop
      echo "$IPFIREWALL" >> web-blacklist
      sort -u web-blacklist > web-blacklist.tmp
      mv web-blacklist.tmp web-blacklist
      ./webblock
      /etc/init.d/apache2 start
    fi
  fi

done

echo "$(date +'%G-%m-%d %H:%M:%S') Stop service" >> "$LOGFILE"

popd > /dev/null
Third: webblock blocks IPs with iptables

#!/bin/bash
#set -x
# Rebuilds the web-blacklist / web-reject chains from the web-blacklist file:
# every listed source is logged and dropped on the HTTP port of this host,
# everything else is logged and accepted.

# pick the wireless interface if there is exactly one, otherwise the wired one
VAL=$(ifconfig | grep wlan | wc -l)

if [[ $VAL -eq 1 ]]
then
  IFDEV=$(ifconfig | grep wlan | cut -d ' ' -f 1)
else
  IFDEV=$(ifconfig | grep eth | cut -d ' ' -f 1)
fi

IP="$(ifconfig "$IFDEV" | grep inet | cut -d ':' -f2 | cut -d ' ' -f1)"
SUB="192.168.1.0/24"

# remove the old jump and the old chains, then recreate them empty
iptables -D INPUT -i "$IFDEV" -d "$IP" -p tcp -m multiport --ports http -j web-blacklist &> /dev/null

iptables -F web-blacklist &> /dev/null
iptables -F web-reject    &> /dev/null
iptables -X web-blacklist &> /dev/null
iptables -X web-reject    &> /dev/null

iptables -N web-blacklist &> /dev/null
iptables -N web-reject    &> /dev/null

iptables -A web-reject -j LOG --log-level 4 --log-prefix "WEB-DENY: "
iptables -A web-reject -j DROP

iptables -I INPUT 1 -i "$IFDEV" -d "$IP" -p tcp -m multiport --ports http -j web-blacklist

if [ -f web-blacklist ]
then
  while read -r IPADDR
  do
    [[ -z $IPADDR ]] && continue
    iptables -A web-blacklist -i "$IFDEV" -d "$IP" -s "$IPADDR" -j web-reject
  done < web-blacklist
fi

iptables -A web-blacklist -j LOG --log-level 4 --log-prefix "WEB-AUTHORIZE: "
iptables -A web-blacklist -j ACCEPT
The scripts are really basic; it's just a proof of concept.
Anyway, I hope they will help.
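As an added example (not code from the thread), a small POSIX sh parser for the common LogFormat discussed above: it splits a line into client, status and request, and reports whether the client field is a literal IPv4 address, as `%a` writes it, or a hostname or placeholder such as "no-revers-dns.set", as `%h` leaves it when HostnameLookups is on and the reverse lookup fails. The sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Parses one line of Apache's "common"
# LogFormat (client ident user [time] "request" status bytes) and reports
# whether the client field is a literal IPv4 address (what %a logs) or a
# hostname/placeholder such as "no-revers-dns.set" (what %h logs when
# HostnameLookups is on and the reverse lookup fails). POSIX sh only.

# Returns 0 if $1 is a dotted quad with four octets in 0..255.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Prints "<ip|host> <client> <status> <request>"; returns 1 when the line
# does not match the common format. The greedy .* keeps escaped quotes in %r.
parse_access_line() {
  parsed=$(printf '%s\n' "$1" | sed -n \
    's/^\([^ ]*\) [^ ]* [^ ]* \[[^]]*] "\(.*\)" \([0-9][0-9][0-9]\) [0-9-]*$/\1 \3 \2/p')
  [ -n "$parsed" ] || return 1
  client=${parsed%% *}
  if is_ipv4 "$client"; then kind=ip; else kind=host; fi
  printf '%s %s\n' "$kind" "$parsed"
}

# Constructed sample lines: one written with %a, one with %h after a failed
# reverse lookup, and one that is not an access-log line at all.
SAMPLE_IP='203.0.113.7 - - [18/Aug/2010:14:46:01 +0000] "GET /index.html HTTP/1.1" 200 512'
SAMPLE_HOST='no-revers-dns.set - - [18/Aug/2010:14:47:13 +0000] "GET /admin/ HTTP/1.1" 404 213'
SAMPLE_BAD='garbage line'

for sample in "$SAMPLE_IP" "$SAMPLE_HOST" "$SAMPLE_BAD"; do
  parse_access_line "$sample" || echo "unparsed: $sample"
done
```

A line classified as "host" cannot be fed to iptables at all, which is the practical reason for the `%h` to `%a` change in the post above.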