[4310] in WWW Security List Archive


Re[2]: Access Logfile Question

daemon@ATHENA.MIT.EDU (Paul F Haskell (haskell))
Sun Feb 9 13:46:25 1997

Date: Sun, 09 Feb 1997 10:24:52 -0500
From: haskell@bellatlantic.net (Paul F Haskell (haskell))
Reply-To: phaskell@med.osd.mil
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Our server is NCSA (HTTP/1.0), version is 1.3.  When it fails a DNS
lookup it does in fact record the IP address.  Another interesting thing
here is that UNKNOWN_HOST isn't a fully qualified host name.  Is
UNKNOWN_HOST just the host part of the fully qualified host name?

We are considering turning off the reverse DNS lookup in order to
capture an IP address.  Then letting our Web stats package do the reverse
lookup to attempt to match an IP address with this UNKNOWN_HOST.  Since
we are running tcp_wrappers, we could try to deny UNKNOWN_HOST and wait
to see if we get a complaint about the inability to access.


Paul,

==========================================================================

>-----From:Daniel Rinehart <danielr@ccs.neu.edu>
>
>It might be helpful to send some additional information to the
>list concerning your problem, like server type, version, patch level, etc.
>In general reverse DNS if it fails will record the IP number of the site
>accessing your server. There may be some option set that has this default
>behavior modified, or possibly is a bug in the server you are running.

>>------From: phaskell@med.osd.mil
>>
>>Subject: Access Logfile Question
>>
>>We are running reverse DNS from our server.  We have observed the
>>following entry in our access logfile:
>>
>>UNKNOWN_HOST - - [05/Jan/1997:05:20:05 -0500] "GET /index.html HTTP/1.0"
>>304 0
>>
>>In fact there are a number of these lines, 370 out of a 280K line 
>>logfile for last month to be more precise.
>>
>>Does anyone have any idea who this might be, how to find out who this 
>>is, and/or how this might happen?

========================================================================== 


-- 
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* Paul F. Haskell                 Electronic Data Systems (EDS) *
* EDS-D/SIDDOMS              Internet: paul.haskell@med.osd.mil *
* 5113 Leesburg Pike (Skyline 4), Suite 300   FAX: 703-845-3099 *
* Falls Church, Virginia  22041         Telephone: 703-845-3080 *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
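
An added example, not part of the original message: a Python script for the triage discussed in this thread, sorting access-log host fields into IP addresses, qualified names and unqualified tokens such as UNKNOWN_HOST, and listing the unqualified entries with their timestamps. It assumes the log is in Common Log Format; every sample line except the UNKNOWN_HOST entry quoted above is constructed, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Common Log Format: host ident authuser [date] "request" status bytes
CLF = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

# Constructed sample input; only the first line comes from the thread.
SAMPLE_LOG = """\
UNKNOWN_HOST - - [05/Jan/1997:05:20:05 -0500] "GET /index.html HTTP/1.0" 304 0
192.0.2.17 - - [05/Jan/1997:05:21:40 -0500] "GET /index.html HTTP/1.0" 200 2048
client7.example.org - - [05/Jan/1997:05:22:10 -0500] "GET /about.html HTTP/1.0" 200 512
UNKNOWN_HOST - - [05/Jan/1997:06:01:33 -0500] "GET /index.html HTTP/1.0" 304 0
this line is not in common log format
"""

def classify_host(host):
    """Return 'ip', 'fqdn' or 'unqualified' for a CLF host field."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    # Treat a name with two or more non-empty dot-separated labels as qualified.
    labels = host.rstrip(".").split(".")
    if len(labels) >= 2 and all(labels):
        return "fqdn"
    return "unqualified"

def triage(log_text):
    """Tally host-field kinds and collect unqualified entries for review."""
    kinds = Counter()
    suspects = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = CLF.match(line.strip())
        if not m:
            kinds["malformed"] += 1  # count it rather than silently drop it
            continue
        host, _ident, _user, when, request, status, _size = m.groups()
        kind = classify_host(host)
        kinds[kind] += 1
        if kind == "unqualified":
            suspects.append((lineno, host, when, request, int(status)))
    return kinds, suspects

if __name__ == "__main__":
    kinds, suspects = triage(SAMPLE_LOG)
    print(dict(kinds))
    for entry in suspects:
        print(entry)
```

Grouping the listed timestamps and requested paths shows whether the unqualified entries follow a regular pattern, which is useful to know before denying the name in tcp_wrappers.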

