Wednesday, 4 January 2012

don't log apache mod_status requests

When M/Monit is configured to monitor Apache, it polls the status page at regular intervals:

127.0.0.1 - - [04/Jan/2012:12:40:02 +0100] "GET /server-status?auto HTTP/1.1" 200 609 "-" "libwww-perl/5.836"

These requests bloat the log files considerably, which is annoying when you want to read through the logs by hand. Apache can be told not to log them.

In /etc/apache2/mods-enabled/status.conf, set an environment variable, dontlog, inside the Location block. Keep the Deny/Allow restriction: server-status exposes client addresses, requested URLs and server internals and must not be reachable from the outside. If M/Monit runs on another host, add that host's address to the Allow line rather than opening the page up.

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
    SetEnv dontlog
</Location>
Then find the CustomLog directive in the Apache config (e.g. in "sites-available/default") and change the line so that a request is only logged when dontlog is not set:

CustomLog ${APACHE_LOG_DIR}/access.log combined env=!dontlog


Restart Apache and requests to /server-status are no longer logged. Note that SetEnv takes effect after access control has run, so a request that the Deny/Allow rules reject with 403 never gets the variable and is still written to the access log; probes for /server-status from outside therefore remain visible, which is what you want. On Apache 2.4 the Order/Deny/Allow lines need mod_access_compat; the native equivalent is Require local.

Links:
SetEnv
mod_status
CustomLog Directive

find in *.gz

zgrep: works like grep but reads gzip-compressed files (and plain ones) directly, so rotated logs such as access.log.2.gz can be searched without unpacking them.

compressed logfiles

logrotate (needed)
rsyslog (optional)

Uncomment "#compress" in /etc/logrotate.conf.

To test it, force a rotation: logrotate -f /etc/logrotate.conf (use -d instead of -f for a dry run that only reports what would be done).

Optionally define olddir in logrotate.conf,
e.g. olddir /var/log/old
or define it per file, it's up to you. The directory has to exist already.

Check whether any log files are not covered and add a stanza for them in /etc/logrotate.d/.
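Searching a rotated log set is where the two notes above come together. The following shell script is an added example (not from the post) that builds a throwaway directory with the layout logrotate produces once compress is on (access.log, access.log.1, access.log.2.gz, access.log.3.gz) from constructed log lines, then searches every generation in one zgrep call. The fallback branch shows what zgrep does internally (gzip -cdfq piped into grep); the function and file names are my own.

```shell
#!/bin/sh
# Added example: one zgrep over all generations of a rotated Apache log.
# All log lines below are constructed for the example.

# Build the usual logrotate layout in a temp dir and print its path.
make_rotated_logs() {
    d=$(mktemp -d)
    printf '%s\n' \
      '127.0.0.1 - - [04/Jan/2012:12:40:02 +0100] "GET /server-status?auto HTTP/1.1" 200 609 "-" "libwww-perl/5.836"' \
      '203.0.113.9 - - [04/Jan/2012:12:41:10 +0100] "GET /index.html HTTP/1.1" 200 1452 "-" "Mozilla/5.0"' \
      >"$d/access.log"
    printf '%s\n' \
      '127.0.0.1 - - [03/Jan/2012:23:50:02 +0100] "GET /server-status?auto HTTP/1.1" 200 611 "-" "libwww-perl/5.836"' \
      >"$d/access.log.1"
    printf '%s\n' \
      '127.0.0.1 - - [02/Jan/2012:08:10:02 +0100] "GET /server-status?auto HTTP/1.1" 200 598 "-" "libwww-perl/5.836"' \
      '198.51.100.4 - - [02/Jan/2012:08:12:44 +0100] "GET /server-status HTTP/1.1" 403 289 "-" "curl/7.21.6"' \
      >"$d/access.log.2"
    printf '%s\n' \
      '198.51.100.4 - - [01/Jan/2012:19:00:01 +0100] "GET /robots.txt HTTP/1.1" 404 213 "-" "curl/7.21.6"' \
      >"$d/access.log.3"
    # logrotate with "compress" leaves the older generations gzipped.
    gzip "$d/access.log.2" "$d/access.log.3"
    echo "$d"
}

# Print every line matching PATTERN from all generations of access.log in DIR.
# zgrep reads plain and .gz files alike, so the shell glob is all it takes.
# Without zgrep, gzip -cdfq does the same: -d decompresses, -f passes
# non-gzip input through unchanged, and grep filters the concatenated stream.
grep_all_generations() {
    pattern=$1
    dir=$2
    if command -v zgrep >/dev/null 2>&1; then
        zgrep -h -e "$pattern" "$dir"/access.log*
    else
        for f in "$dir"/access.log*; do gzip -cdfq "$f"; done | grep -e "$pattern"
    fi
}

# Number of matching lines across all generations (trailing newline and
# padding from wc stripped so the result is a bare integer).
count_all_generations() {
    grep_all_generations "$1" "$2" | wc -l | tr -d ' '
}
```

Run it as `d=$(make_rotated_logs); grep_all_generations server-status "$d"`: the 403 from 198.51.100.4 in access.log.2.gz shows up next to the monitor's own polls, which is exactly the kind of line the dontlog trick above must not hide.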

Monday, 2 January 2012

Sunday, 13 November 2011

Spammers / exploit scanners: secure your Apache

Tired of lines like these in your server logs?
[Sun Nov 13 15:21:25 2011] [error] [client 174.133.29.34] File does not exist: /var/www/Comments
[Sun Nov 13 15:22:31 2011] [error] [client 174.133.29.34] File does not exist: /var/www/u20944
[Sun Nov 13 15:23:06 2011] [error] [client 174.133.29.34] File does not exist: /var/www/aarticle
[Sun Nov 13 15:23:20 2011] [error] [client 174.133.29.34] File does not exist: /var/www/remaxmi
[Sun Nov 13 15:23:44 2011] [error] [client 174.133.29.34] File does not exist: /var/www/author
[Sun Nov 13 15:23:44 2011] [error] [client 174.133.29.34] File does not exist: /var/www/category
[Sun Nov 13 15:23:51 2011] [error] [client 174.133.29.34] File does not exist: /var/www/gc
[Sun Nov 13 15:26:44 2011] [error] [client 174.133.29.34] File does not exist: /var/www/medicine
[Sun Nov 13 15:28:00 2011] [error] [client 174.133.29.34] File does not exist: /var/www/tag
Then install fail2ban and make sure /etc/fail2ban/filter.d/apache-nohome.conf exists.

Open /etc/fail2ban/jail.conf (or jail.local, the conventional place for local settings so a package upgrade doesn't overwrite them) and insert:
[apache-nohome]
enabled = true
port    = http,https
filter  = apache-nohome
logpath = /var/log/apache*/*error.log
maxretry = 5
The stock regexp in /etc/fail2ban/filter.d/apache-nohome.conf won't match the lines above: the trailing .*/~.* restricts it to probes for user home directories (/~user):
failregex = [[]client <HOST>[]] File does not exist: .*/~.*
Broaden it so that every "File does not exist" error counts:
 failregex = [[]client (?P<host>\S*)[]] File does not exist:
(<HOST> is fail2ban's own placeholder for that named host group and can stay; the part that matters is dropping the .*/~.* tail.) Check the filter against the real log before restarting:
fail2ban-regex /var/log/apache2/error.log /etc/fail2ban/filter.d/apache-nohome.conf
Then restart fail2ban:
/etc/init.d/fail2ban restart
Ensure the apache jail is running:
fail2ban-client status
and watch the bastards getting banned:
cat /var/log/fail2ban.log
fail2ban-client status apache-nohome
Keep in mind that with this regexp any client that causes five missing-file errors within findtime gets banned, and a missing favicon.ico or a dead link on a busy page is enough for that. Put your own addresses into ignoreip in the [DEFAULT] section and consider a larger maxretry on sites with many broken links.
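To see what the broadened filter would ban before pointing it at a live server, here is an added example (not from the post and not fail2ban's own code) that reproduces the two regexps and the maxretry count with sed, sort, uniq and awk over constructed error-log lines: the scanner address from the post with six misses, plus a client that is only missing a favicon. The function names and the second address are my own.

```shell
#!/bin/sh
# Added example: emulate the apache-nohome filter and the maxretry threshold
# on a constructed Apache 2.2 error log, without fail2ban installed.

# Write the sample error log to a temp file and print its path.
# 174.133.29.34 is the scanner from the post (6 probes); 203.0.113.7 is a
# constructed ordinary visitor whose browser asks twice for a missing favicon.
make_errorlog() {
    d=$(mktemp -d)
    f="$d/error.log"
    for p in Comments u20944 aarticle remaxmi author category; do
        printf '[Sun Nov 13 15:21:25 2011] [error] [client 174.133.29.34] File does not exist: /var/www/%s\n' "$p"
    done >"$f"
    printf '[Sun Nov 13 15:30:00 2011] [error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico\n' >>"$f"
    printf '[Sun Nov 13 15:30:01 2011] [error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico, referer: http://example.com/\n' >>"$f"
    printf '[Sun Nov 13 15:31:00 2011] [notice] caught SIGTERM, shutting down\n' >>"$f"
    echo "$f"
}

# The stock apache-nohome regexp, translated to POSIX ERE: it only fires on
# /~user probes, so it matches none of the lines above. "|| true" keeps the
# count of 0 from turning into a failing exit status under set -e.
stock_matches() {
    grep -cE '\[client [^]]+] File does not exist: .*/~' "$1" || true
}

# The broadened regexp: every "File does not exist" error, with the client
# address captured (fail2ban's (?P<host>...) group becomes a sed back-reference).
# Output: "<count> <ip>" per address, as produced by uniq -c.
offenders_per_ip() {
    sed -nE 's/^.*\[client ([0-9A-Fa-f.:]+)] File does not exist: .*$/\1/p' "$1" \
      | sort | uniq -c
}

# Addresses the jail would ban with the given maxretry (default 5, as in the
# post's jail), one per line. The real jail additionally limits the window
# with findtime; this emulation counts the whole file.
ban_candidates() {
    offenders_per_ip "$1" | awk -v max="${2:-5}" '$1 >= max { print $2 }'
}
```

`ban_candidates "$(make_errorlog)"` prints only 174.133.29.34 at maxretry 5; lowering maxretry to 2 also bans the favicon visitor, which is the false-positive side of the broadened regexp mentioned above.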

source of correct regexp: