# [Solved] Apache2 log with "no-revers-dns.set"

## ZeLegolas

Hi

On a server I see in the access.log file some traces beginning with "no-revers-dns.set"

What does that mean? How can I set Apache to detect and refuse this type of access?

I'm also interested to know if it's possible to ask Apache to automatically check the remote host that tries to access the website. If Apache cannot get a valid IP address for a request, I would like to reject the session automatically.

Regards

Last edited by ZeLegolas on Tue Aug 24, 2010 12:39 am; edited 1 time in total

----------

## francofallica

Ok, first: I wasn't able to confirm my idea and I am not sure about it, but I think it means that apache was not able to resolve an ip to a domain name. But it could also mean that you need to enable reverse lookups in your apache config.

Second:

What do you consider a valid ip? Any tcp connection to your server has a valid source address, otherwise there is no communication. (Although somebody could send you syn packets with an invalid ip, but that's not very harmful.)

You probably should not block on a hostname basis because it would generate a lot of DNS traffic. You would be better off doing it on an ip level and by using iptables.

Read this: http://betabug.ch/blogs/ch-athens/933

If you want access control on the basis of hostnames you can do it by using mod_access. I think for what you want you need to enable the "HostnameLookup double" feature in your apache config.

See http://httpd.apache.org/docs/2.0/mod/mod_access.html

But consider these: http://httpd.apache.org/docs/2.0/misc/perf-tuning.html#runtime and http://httpd.apache.org/docs/2.0/dns-caveats.html

Hope that's helpful in any way.

----------

## ZeLegolas

*francofallica wrote:*

> What do you consider a valid ip?

If I check Apache's log, sometimes I have an IP address, sometimes a host name. But now I received some "no-revers-dns.set" and I don't know who tried to access the server. If we can force Apache to log the IP address of the people who tried to access the server, it will be better. But I don't know if it's possible.

*francofallica wrote:*

> You probably should not block on a hostname basis because it would generate a lot of DNS traffic. You would be better off doing it on an ip level and by using iptables. Read this: http://betabug.ch/blogs/ch-athens/933

Yes, I know I can block with iptables, but for that I need to know which IP I should block. But if the host name is "no-revers-dns.set" I cannot do anything.

*francofallica wrote:*

> If you want access control on the basis of hostnames you can do it by using mod_access. I think for what you want you need to enable the "HostnameLookup double" feature in your apache config.
>
> See http://httpd.apache.org/docs/2.0/mod/mod_access.html
>
> But consider these: http://httpd.apache.org/docs/2.0/misc/perf-tuning.html#runtime and http://httpd.apache.org/docs/2.0/dns-caveats.html

Ok, thanks, I will take a look.

*francofallica wrote:*

> Hope that's helpful in any way.

Sure, I appreciate your help.

----------

## ZeLegolas

To have the remote IP address in the log instead of the remote host name, we just have to change:

```
# file /etc/apache2/modules.d/00_mod_log_config.conf

# replace:
LogFormat "%h %l %u %t \"%r\" %>s %b" common

# by (%a is the remote IP address, %h the remote host name):
LogFormat "%a %l %u %t \"%r\" %>s %b" common
```

After that we can create 3 scripts:

First: initWatchAccessLog implements a service (must be in /etc/init.d/)

```
#!/sbin/runscript
# OpenRC service that supervises the watchApacheAccesslog script.

depend() {
  need net apache2
  after apache2
}

# Placeholder: nothing is checked yet (not called by start)
checkconfig() {
  ebegin "Check config"
  eend $?
}

start() {
  ebegin "Starting watching Apache access_log"
  start-stop-daemon --start --background --pidfile /var/run/watchApacheAccesslog.pid \
    --make-pidfile --exec /var/scripts/watchApacheAccesslog
  eend $?
}

stop() {
  ebegin "Stop watching Apache access_log"
  # the watcher runs "tail -f | while read" as child processes: kill those first
  pkill -P "$(cat /var/run/watchApacheAccesslog.pid)"
  start-stop-daemon --stop --pidfile /var/run/watchApacheAccesslog.pid --name watchApacheAccesslog
  eend $?
}
```

Second: watchApacheAccesslog filters traces (must be in the folder you specify in initWatchAccessLog)

```
#!/bin/bash
#set -x

LOGFILE=/var/log/watchApacheAccesslog.log
LOGAPACHE=/var/log/apache2/access_log
# first three octets of the LAN that must never be blocked
TRUSTED_PREFIX="192.168.1"

stamp() { date +'%Y-%m-%d %H:%M:%S'; }

on_die()
{
  echo "$(stamp) Stop service" >> "$LOGFILE"
  exit
}

# SIGKILL cannot be trapped, so it is not listed
trap "on_die" SIGABRT SIGQUIT SIGINT SIGTERM

# web-blacklist (file) and webblock (script) live next to this script
pushd /var/scripts > /dev/null || exit 1

if [[ ! -f $LOGAPACHE ]]
then
  echo "$(stamp) Don't start, Apache log file missing" >> "$LOGFILE"
  exit 1
fi

echo "$(stamp) Start service" >> "$LOGFILE"

tail -n0 -f "$LOGAPACHE" | while read -r line
do
  # split a "%a %l %u %t \"%r\" %>s %b" line into 'ip' 'request' 'status'
  # ($line is quoted so a '*' or '?' in the request is not glob-expanded)
  RESULT=$(echo "$line" | sed -n "s/\([0-9]*\.[0-9]*\.[0-9]*\.[0-9]*\).*\"\(.*\)\" \(.*\) .*/'\1' '\2' '\3'/p")
  CODE=$(echo "$RESULT" | sed -n "s/'[^']*' '[^']*' '\([^']*\)'.*/\1/p")
  IP=$(echo "$RESULT" | sed -n "s/'\([^']*\)'.*/\1/p")
  IPFIREWALL=$(echo "$IP" | sed -n "s/\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p")

  # ignore lines that did not parse to a numeric status code
  [[ $CODE =~ ^[0-9]+$ ]] || continue

  # any error response (>= 400) from outside the LAN gets its whole /24 blocked
  if [[ $IPFIREWALL != "$TRUSTED_PREFIX" && $CODE -ge 400 ]]
  then
    URL=$(echo "$RESULT" | sed -n "s/'[^']*' '\([^']*\)'.*/\1/p")
    IPFIREWALL="${IPFIREWALL}.0/24"

    # skip networks that are already in the chain
    INFIREWALL=$(iptables -vnL web-blacklist | grep -F "$IPFIREWALL")
    if [[ $INFIREWALL == "" ]]
    then
      printf '%s %-15s %s "%s"\n' "$(stamp)" "$IP" "$CODE" "$URL" >> "$LOGFILE"
      # Apache is stopped while the firewall chains are rebuilt
      # (init script and webblock are executed, not sourced)
      /etc/init.d/apache2 stop
      echo "$IPFIREWALL" >> web-blacklist
      sort -u web-blacklist > web-blacklist.tmp
      mv web-blacklist.tmp web-blacklist
      ./webblock
      /etc/init.d/apache2 start
    fi
  fi
done

echo "$(stamp) Stop service" >> "$LOGFILE"
popd > /dev/null
```

Third: webblock blocks IPs with iptables

```
#!/bin/bash
#set -x

# pick the interface to protect: the wireless one if present, else the wired one
# (expects old net-tools ifconfig output, e.g. "wlan0     Link encap:...")
VAL=$(ifconfig | grep wlan | wc -l)
if [[ $VAL -eq 1 ]]
then
  IFDEV=$(ifconfig | grep wlan | cut -d ' ' -f 1)
else
  IFDEV=$(ifconfig | grep eth | cut -d ' ' -f 1)
fi

# IPv4 address of that interface ("inet addr:192.168.1.5  Bcast:...")
IP="$(ifconfig "$IFDEV" | grep 'inet addr' | cut -d ':' -f2 | cut -d ' ' -f1)"
SUB="192.168.1.0/24"   # local subnet (not used below)

# remove the jump from INPUT, then rebuild both chains from scratch
iptables -D INPUT -i "$IFDEV" -d "$IP" -p tcp -m multiport --ports http -j web-blacklist &> /dev/null
iptables -F web-blacklist &> /dev/null
iptables -F web-reject    &> /dev/null
iptables -X web-blacklist &> /dev/null
iptables -X web-reject    &> /dev/null
iptables -N web-blacklist &> /dev/null
iptables -N web-reject    &> /dev/null

# web-reject: log the hit to the kernel log (prefix WEB-DENY:) and drop it
iptables -A web-reject -j LOG --log-level 4 --log-prefix "WEB-DENY: "
iptables -A web-reject -j DROP

# every inbound HTTP packet for this host goes through web-blacklist first
iptables -I INPUT 1 -i "$IFDEV" -d "$IP" -p tcp -m multiport --ports http -j web-blacklist

# one rule per blacklisted network (one network per line in ./web-blacklist)
if [ -f web-blacklist ]
then
  while read -r IPADDR
  do
    [ -n "$IPADDR" ] || continue
    iptables -A web-blacklist -i "$IFDEV" -d "$IP" -s "$IPADDR" -j web-reject
  done < web-blacklist
fi

# everything else is logged (prefix WEB-AUTHORIZE:) and accepted
iptables -A web-blacklist -j LOG --log-level 4 --log-prefix "WEB-AUTHORIZE: "
iptables -A web-blacklist -j ACCEPT
```

The scripts are really basic; it's just a proof of concept.

Anyway, I hope they will help.
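As an added example (not code from the thread), here is a hardened, testable version of the parse-and-decide step of watchApacheAccesslog in portable sh: one sed program extracts the /24 prefix and the status code from a `%a %l %u %t \"%r\" %>s %b` line, the LAN prefix and any line that does not parse are never blocked, and the blacklist file is appended without duplicates instead of the echo/sort/uniq/mv sequence. The policy values (192.168.1 as trusted prefix, status >= 400) come from the thread; the log lines and the `block_candidate`/`blacklist_add` names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the thread's scripts. Policy values come from the
# thread: never touch the 192.168.1.0/24 LAN, react to any status >= 400.
TRUSTED_PREFIX="192.168.1"

# One sed program for a '%a %l %u %t "%r" %>s %b' line. It prints
# "<first three octets> <status>" and nothing when the line does not have that
# shape, so a garbled line can never produce a block. A request containing an
# escaped quote (\") fails the [^"]* part on purpose: ignored, not half-parsed.
LOG_SED='s/^\([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\)\.[0-9]\{1,3\} [^ ]* [^ ]* \[[^]]*\] "[^"]*" \([0-9]\{3\}\) .*/\1 \2/p'

# block_candidate LINE -> prints the /24 to blacklist, or nothing (status 1)
block_candidate() {
    parsed=$(printf '%s\n' "$1" | sed -n "$LOG_SED")
    [ -n "$parsed" ] || return 1
    set -- $parsed          # $1 = prefix, $2 = status (digits and dots only)
    [ "$1" != "$TRUSTED_PREFIX" ] || return 1
    [ "$2" -ge 400 ] || return 1
    printf '%s.0/24\n' "$1"
}

# blacklist_add FILE NETWORK -> appends NETWORK unless it is already listed.
# Idempotent replacement for "echo >> ; cat | sort | uniq > tmp ; mv".
blacklist_add() {
    [ -f "$1" ] || : > "$1"
    grep -Fxq -- "$2" "$1" && return 0
    printf '%s\n' "$2" >> "$1"
}

# Constructed sample lines (203.0.113.0/24 is a documentation range)
SAMPLE_HIT='203.0.113.7 - - [24/Aug/2010:00:12:39 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 209'
SAMPLE_LAN='192.168.1.20 - - [24/Aug/2010:00:12:40 +0200] "GET /missing HTTP/1.1" 404 209'
SAMPLE_OK='203.0.113.7 - - [24/Aug/2010:00:12:41 +0200] "GET / HTTP/1.1" 200 1234'

# Feed the samples through the same decision the watch loop makes
demo() {
    f=${TMPDIR:-/tmp}/webblock.demo.$$
    rm -f "$f"
    for line in "$SAMPLE_HIT" "$SAMPLE_LAN" "$SAMPLE_OK" "not a log line"; do
        net=$(block_candidate "$line") && blacklist_add "$f" "$net"
    done
    cat "$f"            # only 203.0.113.0/24 ends up in the file
    rm -f "$f"
}

demo
```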

----------

