James,
> On 6/27/24 11:36, James H. H. Lampert wrote:
> > On 6/27/24 8:01 AM, Christopher Schultz wrote:
> > Why aren't you seeing the source-IP in your own logs?
> Because our webapp developer hadn't thought to put them into the log
> messages we generate. He did, however, direct us to the
> localhost_access_log files (where I quite frankly hadn't thought to
> look). And they turned out to mostly be from an IP address that doesn't
> return anything in a reverse DNS lookup.
That's fine. IPs are IPs. Just ban the IP.
You can also perform IP reverse-lookup which is hit-or-miss. I did the
same on an IP that was obviously scanning us last week in the way you
described, and I got many results each claiming that the IP was (a)
Russian (b) Ukrainian (c) Belgian (d) Polish and a bunch of other things
as well. So obviously it's not foolproof. But sometimes it says
"Sandusky, OH" and you say "oops that's our data center" and have to
figure out what that means for you.
Don't ban your own data center, it probably won't go well for you. :)
> The filenames in the requests seem to run in alphabetical order, and
> cover a gamut from nonsense combinations of random letters to clinical
> terms for sexual anatomy(!).
Yep, it's just a stupid scanner.
Anyone who was *really* trying to get it would be doing it much more
covertly. fail2ban would be a fine solution in this case.
-chris
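As an added illustration (not from the thread), a small script that does what Chris suggests on the localhost_access_log: parse the default "common" AccessLogValve pattern, count requests and 404s per source IP, and flag hosts whose traffic is mostly misses, noting whether the paths arrived in alphabetical order as James observed. The log lines, the IPs and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample lines (not from the thread): one host walking
# nonsense filenames in alphabetical order, one host browsing normally.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jun/2024:08:01:10 -0400] "GET /aaqz.php HTTP/1.1" 404 -
203.0.113.7 - - [27/Jun/2024:08:01:11 -0400] "GET /abkr.php HTTP/1.1" 404 -
203.0.113.7 - - [27/Jun/2024:08:01:12 -0400] "GET /acmt.php HTTP/1.1" 404 -
203.0.113.7 - - [27/Jun/2024:08:01:13 -0400] "GET /adpw.php HTTP/1.1" 404 -
203.0.113.7 - - [27/Jun/2024:08:01:14 -0400] "GET /aerx.php HTTP/1.1" 404 -
198.51.100.4 - - [27/Jun/2024:08:02:00 -0400] "GET /myapp/index.jsp HTTP/1.1" 200 5123
198.51.100.4 - - [27/Jun/2024:08:02:02 -0400] "GET /myapp/favicon.ico HTTP/1.1" 404 -
"""

def parse_line(line):
    """Return (ip, path, status) for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = m.group("req").split(" ")          # "GET /path HTTP/1.1"
    path = parts[1] if len(parts) >= 2 else ""
    return m.group("ip"), path, int(m.group("status"))

def scanner_report(lines, min_404=5, min_ratio=0.8):
    """Flag source IPs with at least min_404 misses making up min_ratio of their
    requests; also report whether their paths were requested in sorted order."""
    stats = defaultdict(lambda: {"total": 0, "not_found": 0, "paths": []})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                            # blank or non-matching line
        ip, path, status = parsed
        s = stats[ip]
        s["total"] += 1
        s["paths"].append(path)
        if status == 404:
            s["not_found"] += 1
    flagged = {}
    for ip, s in stats.items():
        if s["not_found"] >= min_404 and s["not_found"] / s["total"] >= min_ratio:
            flagged[ip] = {"total": s["total"], "not_found": s["not_found"],
                           "alphabetical": s["paths"] == sorted(s["paths"])}
    return flagged
```

fail2ban applies the same idea to the live file: a filter whose failregex anchors `<HOST>` to lines carrying a 404 status, with the jail's maxretry and findtime playing the role of min_404 here.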
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org