我有一个运行CentOS的VPS。 我安装了Apache并configuration了访问日志。 只是检查它,发现一些有趣的stream量:
VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET / HTTP/1.1" 200 13 VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET /favicon.ico HTTP/1.1" 404 209 VPS-Hostname MYIP MYIP - - [23/Dec/2014:16:47:20 -0500] "GET /favicon.ico HTTP/1.1" 404 209 VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:05:53 -0500] "GET /xvidtox-china-company HTTP/1.1" 404 219 VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:15:18 -0500] "GET /xdmx-rental-cars-insurance HTTP/1.1" 404 224 VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:19:16:47 -0500] "GET /nv-life-insurance-dies-when-premium/?si=2aa54ab4c0b33 HTTP/1.1" 404 234 VPS-Hostname 119.63.196.62 119.63.196.62 - - [23/Dec/2014:19:53:55 -0500] "GET /images/misc/legend.png HTTP/1.1" 404 220 VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:20:45:21 -0500] "GET /xdmx-rental-cars-insurance/?si=2467513 HTTP/1.1" 404 225 VPS-Hostname 115.159.66.44 115.159.66.44 - - [23/Dec/2014:21:49:18 -0500] "GET http://www.ly.com/ HTTP/1.1" 200 13 VPS-Hostname 66.119.41.34 66.119.41.34 - - [23/Dec/2014:22:24:00 -0500] "GET /xpwx-china-exporters HTTP/1.1" 404 218 VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:00:28:24 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235 ... 270.vps.ovh.ca 46.246.113.109 46.246.113.109 - - [24/Dec/2014:01:47:28 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235 VPS-Hostname 119.63.196.32 119.63.196.32 - - [24/Dec/2014:01:53:20 -0500] "GET /images/forumicons/sony2.jpg HTTP/1.1" 404 225 VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:02:05:02 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235 ... VPS-Hostname 218.59.238.93 218.59.238.93 - - [24/Dec/2014:04:01:23 -0500] "GET http://proxyjudge.us/ HTTP/1.0" 200 13 VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:38:50 -0500] "GET http://httpheader.net HTTP/1.1" 200 13 VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:39:10 -0500] "-" 408 - VPS-Hostname 93.174.93.218 93.174.93.218 - - [24/Dec/2014:04:39:32 -0500] "-" 408 - VPS-Hostname 5.231.208.205 5.231.208.205 - - [24/Dec/2014:06:21:00 -0500] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 VPS-Hostname 46.246.113.109 46.246.113.109 - - [24/Dec/2014:06:55:21 -0500] "CONNECT www.netflix.com:443 HTTP/1.0" 405 235 VPS-Hostname 119.63.196.28 119.63.196.28 - - [24/Dec/2014:07:52:49 -0500] "GET /images/forumicons/latestmovies.jpg HTTP/1.1" 404 232 前三项是我浏览到我的默认网站我设置,其余我不知道。 我是新来的Apache,所以我不知道到底发生了什么。 有人在服务器上使用apache连接到其他网站? 这怎么可能?
我用默认设置保留httpd.conf,只在底部添加一个虚拟主机configuration到我的“defaultsite”:
<VirtualHost *:80> # This first-listed virtual host is also the default for *:80 ServerAdmin [email protected] ServerName my.vps.hostname DocumentRoot /var/www/defaultsite LogFormat "%v %h %a %l %u %t \"%r\" %>s %b" vhostLogFormat CustomLog /var/log/httpd/defaultsite-access.log vhostLogFormat ErrorLog /var/log/httpd/defaultsite-error.log </VirtualHost>
这是Apache详细介绍的RFC。 默认情况下,Apache将接受请求,即使它们包含无效的URI,但用户将被redirect到您的服务器的主页面。 CONNECT请求被拒绝是正确的行为。
如上面的链接所述,您可以手动阻止这些请求,但是不需要立即。
它几乎看起来好像服务器被用作Web代理。 尝试从该IP禁用端口80出站(内部到外部),看看日志是否继续显示。 如果不是,可能是时候考虑收紧你的安全了…
对于大多数的日志行,你可以在apache wiki中find关于代理滥用的解释。 从最后的第五个和第四个,即408作为响应代码超时请求。 没什么可担心的,他们正在扫描。