since some days, i am getting some tries of hack attacks, but actually all seems fine.
but i saw some log i could not explain:
127.0.0.1:443 216.218.206.66 - - [09/Oct/2015:04:49:29 +0200] "GET / HTTP/1.1" 404 4857 "-" "-"
127.0.0.1:80 220.181.108.177 - - [09/Oct/2015:07:56:11 +0200] "-" 408 0 "-" "-"
127.0.0.1:443 199.115.117.88 - - [09/Oct/2015:10:35:04 +0200] "GET /admin/i18n/readme.txt HTTP/1.1" 404 5081 "-" "python-requests/2.8.0"
here is my log configuration:
# - Exeption
SetEnvIf Request_URI "\.jpg$|\.jpeg$|\.gif$|\.png$|\.ico|\.icon|\.css$|\.js$|piwik\.php$|frogglogin\.php" dontlog
SetEnvIf User-agent "(bot|baidu)" dontlog
CustomLog ${APACHE_LOG_DIR}/access.log vhost_combined env=!dontlog
- how is it possible to thoose requests to reach 127.0.0.1 ?
- what can i do to prevent 408 errors ?
- should i panic to see thoose kind of attaks incomming ?
thanks
PS:
is this a good idea ?
<VirtualHost 127.0.0.1>
# [ Default restriction ]
<Directory />
Order deny,allow
Deny from all
allow from 127.0.0.1
</Directory>
</VirtualHost>
There is no way that the public IP address will reach directly to your loopback address. It is the matter of NAT where probably apache translates those IP addresses to loopback because either you told apache to do that or some misconfiguration.
There is no panic for such thing, it is normal to be attacked by botnets and/or automated apps designed to attempt login pages and so on.
When this attemps are in progress I'd rather check with:
To check the connections.
This is how i get ride of this :
I added this configuration after all defined virtual host, to catch "else" request (the request that doesn't match any other virtual host). The most important is the virtual position(last) and the command
ServerAlias *