Koozali.org: home of the SME Server

/var/log/httpd/error_log

Offline nickdanger

  • 8
  • +0/-0
/var/log/httpd/error_log
« on: November 04, 2011, 06:14:37 PM »
In my: /var/log/httpd/error_log, I am showing errors from external IP addresses, trying to access: ibays/Primary/html/robots.txt (or admin). I assume these are spiders or bots, but I can't figure out how an external IP address is connecting as a client. This is supposed to be a private server only, at least that is what we selected. I obviously do not understand what is going on, as I am only the ad-hoc administrator of a small group who has no professional.

Thank you,
N.D.
« Last Edit: November 04, 2011, 06:17:12 PM by nickdanger »

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Re: /var/log/httpd/error_log
« Reply #1 on: November 05, 2011, 12:44:04 AM »
In my: /var/log/httpd/error_log, I am showing errors from external IP addresses, trying to access: ibays/Primary/html/robots.txt (or admin). I assume these are spiders or bots, but I can't figure out how an external IP address is connecting as a client. This is supposed to be a private server only, at least that is what we selected. I obviously do not understand what is going on, as I am only the ad-hoc administrator of a small group who has no professional.
An example off the line would be helpful. My guess is everything is OK since the logged entry are in the errors_log file they are most likely not served although some external site is trying to access it, which is logged.

You can easily try off course by accessing your site from an external location.

Just to be sure, what is the output off the following command:
Code: [Select]
db configuration show SystemMode
« Last Edit: November 05, 2011, 12:45:43 AM by cactus »
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline nickdanger

  • 8
  • +0/-0
Re: /var/log/httpd/error_log
« Reply #2 on: November 05, 2011, 10:03:59 PM »
Here are examples of the /httpd/error_log entries:

[Tue Nov 01 19:13:48 2011] [error] [client 67.8.66.34] File does not exist: /home/e-smith/files/ibays/Primary/html/robots.txt
[Tue Nov 01 20:06:36 2011] [error] [client 95.39.23.87] File does not exist: /home/e-smith/files/ibays/Primary/html/robots.txt
[Wed Nov 02 08:16:57 2011] [error] [client 218.149.84.37] File does not exist: /home/e-smith/files/ibays/Primary/html/admin

and the configuration information:
[admin@prime ~]# db configuration show SystemMode
SystemMode=servergateway-private

The local network is in IANA reserved address space (192.168.X.X)

I agree that there does not seem to be an actual intrusion, but I can not understand how a external IP address got a connection to make a file inquiry. I have logged these entries from Canada, Great Briton, Russia, etc. (a couple each day).

I am running SME server 8.0b6 with all current updates.


 
« Last Edit: November 05, 2011, 10:17:56 PM by nickdanger »

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Re: /var/log/httpd/error_log
« Reply #3 on: November 05, 2011, 10:27:41 PM »
The local network is in IANA reserved address space (192.168.X.X)
The local network has nothing to do with this. Your problem concerns your external (WAN) interface. However even for the external facing interface setting the IP address to a address space reserved for local use does not make your server not accessible from the web. You can always proxy to this address space and by means of the proxy expose the internal subnet or IP to the internet. Other methods are tunnels or VPN connections, but those should not be the reason for your log entries.

I agree that there does not seem to be an actual intrusion, but I can not understand how a external IP address got a connection to make a file inquiry. I have logged these entries from Canada, Great Briton, Russia, etc. (a couple each day).
Setting your server to private mode prevents certain services from being available to the external facing interface. I an not sure for which services this regime is enforced by head, but judging from this apache seems available.

Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline mmccarn

  • *
  • 2,626
  • +10/-0
Re: /var/log/httpd/error_log
« Reply #4 on: November 06, 2011, 05:26:34 PM »
Have you defined any additional 'local networks' on your server?  Long ago there were various instructions advising people to add '0.0.0.0' as a 'local' network -- which would cause your SME server to treat the entire world as if it were your local network...

Have you checked the access assigned to 'httpd-e-smith' (config show httpd-e-smith)?

You can review the 'access' type of all of your services using:
Code: [Select]
for f in $(config print |grep \=service |awk -F\= '{print $1}';); do config show $f |grep  "\=service\|access\="; done |less

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Re: /var/log/httpd/error_log
« Reply #5 on: November 06, 2011, 05:28:56 PM »
Have you defined any additional 'local networks' on your server?  Long ago there were various instructions advising people to add '0.0.0.0' as a 'local' network -- which would cause your SME server to treat the entire world as if it were your local network...
Really? Not trying to shoot the messenger but that would have been really bad practice.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline Stefano

  • *
  • 10,836
  • +2/-0
Re: /var/log/httpd/error_log
« Reply #6 on: November 06, 2011, 06:36:54 PM »
Really? Not trying to shoot the messenger but that would have been really bad practice.

I remember someone else did it (not me).. maybe it should be avoided..

Offline mmccarn

  • *
  • 2,626
  • +10/-0
Re: /var/log/httpd/error_log
« Reply #7 on: November 06, 2011, 06:43:52 PM »
Really? Not trying to shoot the messenger but that would have been really bad practice.
No argument here.  I did say long ago...

Offline nickdanger

  • 8
  • +0/-0
Re: /var/log/httpd/error_log
« Reply #8 on: November 06, 2011, 08:57:04 PM »
Thank you for the quick reply.

There are no additional local networks defined.

I tried your very helpful command line, and the results are:

[admin@prime ~]# for f in $(config print |grep \=service |awk -F\= '{print $1}';); do config show $f |grep  "\=service\|access\="; done |less

[admin@prime ~]# DynDNS=service
[admin@prime ~]# acpid=service
[admin@prime ~]# apmd=service
[admin@prime ~]# backup=service
[admin@prime ~]# backupwk=service
[admin@prime ~]# bootstrap-console=service
[admin@prime ~]# clamav=service
[admin@prime ~]# clamd=service
[admin@prime ~]# cpuspeed=service
[admin@prime ~]# crond=service
[admin@prime ~]# ctrlaltdel=service
[admin@prime ~]# dhcpd=service
[admin@prime ~]# dnscache=service
[admin@prime ~]#     access=private
[admin@prime ~]# dnscache.forwarder=service
[admin@prime ~]# fetchmail=service
[admin@prime ~]# freshclam=service
[admin@prime ~]# ftp=service
[admin@prime ~]#     access=private
[admin@prime ~]# haldaemon=service
[admin@prime ~]# horde=service
[admin@prime ~]# httpd-admin=service
[admin@prime ~]#     access=localhost
[admin@prime ~]# httpd-e-smith=service
[admin@prime ~]#     access=public

[admin@prime ~]# imap=service
[admin@prime ~]#     access=private
[admin@prime ~]# imaps=service
[admin@prime ~]#     access=private
[admin@prime ~]# imp=service
[admin@prime ~]#     access=SSL
[admin@prime ~]# ippp=service
[admin@prime ~]# irqbalance=service
[admin@prime ~]# isdn=service
[admin@prime ~]# klogd=service
[admin@prime ~]# ldap=service
[admin@prime ~]#     access=private
[admin@prime ~]# ldap.init=service
[admin@prime ~]# local=service
[admin@prime ~]# lpd=service
[admin@prime ~]# masq=service
[admin@prime ~]# messagebus=service
[admin@prime ~]# microcode_ctl=service

So I guess Apache server is being run as a public service by default, which I still think is odd for the selection, "private server/gateway" but as I have said, I know just enough to be dangerous.

Maybe an edit to the Apache Module, "mod_authz_host" will address my concerns, but I am certainly open to other suggestions.

Thanks again,
N. D.

Offline cactus

  • *
  • 4,880
  • +3/-0
    • http://www.snetram.nl
Re: /var/log/httpd/error_log
« Reply #9 on: November 06, 2011, 11:11:36 PM »
So I guess Apache server is being run as a public service by default, which I still think is odd for the selection, "private server/gateway" but as I have said, I know just enough to be dangerous.
Yes, so it seems.

Maybe an edit to the Apache Module, "mod_authz_host" will address my concerns, but I am certainly open to other suggestions.
Why? what are your concerns? the evidenc you have shown us shows that the server does not serve the files as they are denied access? I am not sure why you would need mod_authz_host?
Why is it a problem if external access gets an access denied error?
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline nickdanger

  • 8
  • +0/-0
Re: /var/log/httpd/error_log
« Reply #10 on: November 07, 2011, 01:53:37 AM »
The problem is, that I am expected to exercise "due diligence" in securing the server, and advertising a service without the need to do so, does not meet that standard, (at least as I see it).

Offline nickdanger

  • 8
  • +0/-0
Re: /var/log/httpd/error_log
« Reply #11 on: November 07, 2011, 03:13:46 AM »
I decided to try this:

[admin@prime ~]# config setprop httpd-e-smith access private
[admin@prime ~]# signal-event remoteaccess-update

Not sure what problems it may cause, and not sure if it will get over-written by the firewall templates, but it is easy enough to do and undo  :-).

Offline mmccarn

  • *
  • 2,626
  • +10/-0
Re: /var/log/httpd/error_log
« Reply #12 on: November 07, 2011, 02:39:22 PM »
[admin@prime ~]# config setprop httpd-e-smith access private
[admin@prime ~]# signal-event remoteaccess-update
That should take care of it.

"config setprop ... access private" automatically adjusts the value of 'AllowHosts' in the firewall settings.  There's some more info in the wiki in case you need to make any adjustments.

Offline nickdanger

  • 8
  • +0/-0
Re: /var/log/httpd/error_log
« Reply #13 on: November 10, 2011, 06:16:27 PM »
Thank you all again. Somehow when reading the wiki, I missed the section on "DB Variables Configuration." I think it is very nice that SME server has an uncluttered GUI for the essentials, but also a lot of practical information on how to customize the parameters and templates. The hard part for a noob like me, is finding where everything is located in the directory structure.