I deny the IP in httpd.conf but it is still logging with this error. Surely the deny would be logged before the header error?
Here's the evidence:
access_log
85.234.184.150 - - [17/Jan/2007:10:38:32 +0000] "GET / HTTP/1.0" 400 1918 "-" "-" 2 widgets.co.uk "-" "-"
error_log
[Wed Jan 17 10:38:35 2007] [error] [client 85.234.184.150] request failed: error reading the headers
That's it. GET / is logged as accessed and three seconds later it is flagged up in the error log.
Why does this happen? Is it some kind of exploit?
Why aren't I seeing a 403 being logged instead?
httpd.conf
<Directory "/home/widgets/public_html">
    Options FollowSymLinks
    <Files ~ "^.*$">
        order allow,deny
        allow from all
        # rochester
        deny from 129.21.0.0/16
        # latvia
        deny from 85.234.184.150
        #others here...
    </Files>
    RewriteEngine on
    RewriteCond %{HTTP_HOST} ^widgets\.co\.uk
    RewriteRule (.*) http://www.widgets.co.uk/$1 [R=301,L]
</Directory>
[edited by: Frank_Rizzo at 10:58 am (utc) on Jan. 17, 2007]
So the server itself is kicking them out because they're sending a request that it can't understand.
Jim
I can't tell from your posted log entry, but he's probably trying unsuccessfully and repeatedly to overrun one or more of your request input buffers. I can't imagine why he'd try more than once, though; if it doesn't work once, it won't work a thousand more times, either. Probably just badly-written code from a bad-intentioned and poorly-skilled coder.
Jim
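An added example, not part of any post in this thread: a Python script that pairs each 400 in access_log with an "error reading the headers" entry in error_log from the same client, which separates requests the server rejected while parsing from other 400s. The first line of each sample list is quoted from the thread; the 192.0.2.x lines are constructed, and the function name, the 10-second window, and the assumption that both logs use the same timezone are choices made for this example.

```python
import re
from datetime import datetime, timedelta

# First entry of each list is quoted from the thread; the rest are constructed.
ACCESS_LOG = [
    '85.234.184.150 - - [17/Jan/2007:10:38:32 +0000] "GET / HTTP/1.0" 400 1918 "-" "-" 2 widgets.co.uk "-" "-"',
    '192.0.2.10 - - [17/Jan/2007:10:39:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [17/Jan/2007:10:40:00 +0000] "GET /x HTTP/1.1" 400 300 "-" "-"',
]
ERROR_LOG = [
    '[Wed Jan 17 10:38:35 2007] [error] [client 85.234.184.150] request failed: error reading the headers',
    '[Wed Jan 17 10:41:00 2007] [error] [client 192.0.2.10] File does not exist: /home/widgets/public_html/favicon.ico',
]

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')
ERROR_RE = re.compile(
    r'^\[([^\]]+)\] \[error\] \[client ([^\]]+)\] request failed: error reading the headers'
)

def header_read_failures(access_lines, error_lines, window=timedelta(seconds=10)):
    """Return (ip, request_time, error_time) for every 400 that is followed,
    within `window`, by a header-read error from the same client."""
    errors = []
    for line in error_lines:
        m = ERROR_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            errors.append((m.group(2), when))

    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or m.group(3) != "400":
            continue
        # error_log timestamps carry no offset, so drop it here as well
        # (assumption: both logs are written in the same timezone).
        started = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        for ip, failed in errors:
            if ip == m.group(1) and timedelta(0) <= failed - started <= window:
                hits.append((ip, started, failed))
    return hits

if __name__ == "__main__":
    for ip, started, failed in header_read_failures(ACCESS_LOG, ERROR_LOG):
        print(f"{ip}: request at {started}, header read failed at {failed}")
```

A 400 with no matching error_log line, like the constructed 192.0.2.77 entry, is left out of the result.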