Leo Donahue - PLANDEVX wrote:
Tomcat 6.0.35

http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Access_Log_Valve

"Some requests may be handled by Tomcat before they are passed to a container.  
These include redirects from /foo to /foo/ and the rejection of invalid requests".

What is an invalid request?  If I have a deny set for a Remote Host Filter, is 
that considered an invalid request attempt?

What I'm trying to do is deny a certain requestor from making a POST request to 
a URL that is no longer published, yet retain the attempted request in the 
access log.  If I'm denying the request, should I even care to log the fact 
that there are still attempts at a non-existent webapp?

The requestor makes about 200 POST requests within a few seconds everyday 
around the same time for the past 4 months.  They all result in HTTP 500.

Find him and shoot him.

Seriously, you should be able to log its IP address. From the IP address, you should be able to find the domain (WHOIS), and an email address for a domain admin or better someone responsible for spam and other nasties. If it is not in China, send them an email indicating the problem, with an excerpt of your logs. In my experience, in most cases (80%), it works, in the sense that the attempts stop. In 1% of cases, you might even get a polite thank you answer. (*) If it continues, then it is usually better to filter this before it even reaches Tomcat. A firewall or iptables (Linux) just blocking any connection from that IP will do fine, and will not force your www server to handle that load for nothing.

Most of these things are nasty hacking programs which continuously scan a range of IP addresses and try to break in using a range of well-known "weak" URLs. Most of those are "trojan" programs that run on hosts that have been broken into, and are not themselves even suspecting that they have been broken into. It can also be a legitimate program which just has the wrong hostname or IP address to connect to. It may be worth 5 minutes of your time to let such "normal people" know that something is amiss, rather than letting them continue to host a trojan or have a badly-configured application running.

(*) I would be curious to see the break-down of the other 79%. They could be nice people who realise that one of their servers is doing something it shouldn't; or they could be nasty people knowing that their server is doing something it shouldn't, and stopping because they've been found out. But there is no way to know for sure.
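As an added example (not from either poster), this script does the first step the reply recommends: it parses Tomcat "common" pattern access log lines, finds hosts that send a burst of POST requests ending in HTTP 500 within a short window, and pulls out the log excerpt you would attach to an abuse report. The log lines, IP addresses and path are constructed for the example, and the thresholds are assumptions you would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Constructed sample: one host hammering a retired webapp, two unrelated requests.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2012:03:15:00 +0000] "POST /oldapp/submit HTTP/1.1" 500 1243',
    '192.0.2.10 - - [10/Jan/2012:03:15:01 +0000] "POST /oldapp/submit HTTP/1.1" 500 1243',
    '192.0.2.10 - - [10/Jan/2012:03:15:01 +0000] "POST /oldapp/submit HTTP/1.1" 500 1243',
    '198.51.100.7 - - [10/Jan/2012:03:15:02 +0000] "GET /index.html HTTP/1.1" 200 612',
    '192.0.2.10 - - [10/Jan/2012:03:15:02 +0000] "POST /oldapp/submit HTTP/1.1" 500 1243',
    '203.0.113.5 - - [10/Jan/2012:03:15:03 +0000] "POST /oldapp/submit HTTP/1.1" 500 1243',
    '192.0.2.10 - - [10/Jan/2012:03:15:03 +0000] "POST /oldapp/submit HTTP/1.1" 500 1243',
    '192.0.2.10 - - [10/Jan/2012:03:15:04 +0000] "POST /oldapp/submit HTTP/1.1" 500 1243',
]

def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return {"host": m.group("host"), "time": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def find_bursts(lines, method="POST", status=500, min_count=5, window_seconds=10):
    """Map host -> largest number of matching requests it sent inside any window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == method and rec["status"] == status:
            events[rec["host"]].append(rec["time"])
    bursts = {}
    for host, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= min_count:
                bursts[host] = max(bursts.get(host, 0), count)
    return bursts

def excerpt(lines, host):
    """Raw log lines from one host, suitable for attaching to an abuse report."""
    return [l for l in lines if l.startswith(host + " ")]
```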
