Brian,

Since you are using Apache perhaps you can enable more client details in your log verbosity by changing your LogFormat from the default settings to the combinedio settings which will include more information about the client software that is connecting to your web server.
Such details as these can be shown if you increase your LogFormat:

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
CustomLog "logs/access_log" combinedio

Client Agent (small sample)

"Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0"
"Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips PHP/5.4.16 (internal dummy connection)"
"Googlebot/2.1 (+http://www.google.com/bot.html)"
"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)"
"Mozilla/5.0 (compatible; MojeekBot/0.6; +https://www.mojeek.com/bot.html)"

Tim Osburn W7RSZ / JG1MBR https://www.osburn.com
On Mon, 8 May 2017, Brian Kantor wrote:
Date: Mon, 8 May 2017 23:27:14 -0700
From: Brian Kantor Brian@UCSD.Edu
Reply-To: AMPRNet working group 44net@hamradio.ucsd.edu
To: AMPRNet working group 44net@hamradio.ucsd.edu
Subject: Re: [44net] gateway errors detail available

Yes, the host 'hamradio.ucsd.edu' where the mailing list is hosted also archives all messages and makes them available via the web.
It's amusing: despite not being real, from the following Apache log entries, no-such-file has been a popular target this evening:

gw.ampr.org-ssl 70.39.157.194 - - [08/May/2017:17:56:38 -0700] "GET /private/no-such-file.txt HTTP/1.1" 401 381
gw.ampr.org-ssl 66.85.73.59 - - [08/May/2017:17:58:59 -0700] "GET /private/no-such-file.txt HTTP/1.1" 401 381
gw.ampr.org-ssl 220.233.167.221 - - [08/May/2017:17:59:43 -0700] "GET /private/no-such-file.txt HTTP/1.1" 401 381
gw.ampr.org-ssl 4.79.123.0 - - [08/May/2017:18:09:35 -0700] "GET /private/no-such-file.txt HTTP/1.1" 401 381
gw.ampr.org-ssl 68.40.58.30 - - [08/May/2017:18:56:26 -0700] "GET /private/no-such-file.txt HTTP/1.1" 401 381
gw.ampr.org-ssl 4.79.123.0 - - [08/May/2017:21:42:57 -0700] "GET /private/no-such-file.txt HTTP/1.1" 401 381
gw.ampr.org-ssl 165.225.80.161 - - [08/May/2017:21:48:27 -0700] "GET /private/no-such-file.txt HTTP/1.1" 401 381

The first one above was logged just 19 seconds after I posted the message to the list. The others came later; they could be humans. Note that none of them logged in; they just tried to fetch the file and went away. Oh, I'm not concerned, I just was a bit surprised. And curious.
- Brian
On Tue, May 09, 2017 at 04:42:26AM +0000, Ruben ON3RVH wrote:
Is the content of the list posted on a website? Like for archiving purposes? Otherwise someone might have a mailbox from the list configured with a scraper.. Can you see which is the source IP for the requests? Maybe this can lead you to the correct person..

73, Ruben - ON3RVH
44Net mailing list 44Net@hamradio.ucsd.edu http://hamradio.ucsd.edu/mailman/listinfo/44net
Yes, Tim, thank you, I knew that was possible, but chose not to log all that detail because I want to keep the log somewhat smaller. On our public-facing web server at work, we do log all that information because the people collecting site and page statistics want to include it in their analysis. It's just amusing that I happened to be watching the web server logs at the moment this happened.

- Brian
On Tue, May 09, 2017 at 03:49:54PM +0900, Tim Osburn wrote:
Since you are using Apache perhaps you can enable more client details in your log verbosity by changing your LogFormat from the default settings to the combinedio settings which will include more information about the client software that is connecting to your web server.
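
Added example, not part of the thread and not code from any of the posters: a small parser that reads both the short vhost-prefixed log lines quoted above and combinedio lines, and reports who requested the canary path, how long after posting, and with which User-Agent when one was logged. The sample lines are constructed (documentation IP ranges), the posting time is an assumption derived from the "19 seconds" remark, and the function and variable names are hypothetical.

```python
import re
from datetime import datetime

TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Quoted field; Apache writes an embedded double quote as \" in the log.
Q = r'"(?P<{}>(?:[^"\\]|\\.)*)"'
# Optional vhost label (as in the thread's log lines), the common-format fields,
# then the optional Referer, User-Agent, %I and %O that combinedio appends.
LINE_RE = re.compile(
    r'^(?:(?P<vhost>\S+) )?(?P<ip>[0-9A-Fa-f.:]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    + Q.format("request") + r' (?P<status>\d{3}) (?P<size>\S+)'
    + r'(?: ' + Q.format("referer") + r' ' + Q.format("agent")
    + r'(?: (?P<bytes_in>\d+) (?P<bytes_out>\d+))?)?$'
)

CANARY = "/private/no-such-file.txt"  # path named in the thread
# Assumption: posting time derived from "19 seconds after" the 17:56:38 hit.
PUBLISHED = datetime.strptime("08/May/2017:17:56:19 -0700", TS_FORMAT)

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE = r'''
gw.ampr.org-ssl 192.0.2.10 - - [08/May/2017:17:56:38 -0700] "GET /private/no-such-file.txt HTTP/1.1" 401 381
gw.ampr.org-ssl 198.51.100.7 - - [08/May/2017:18:09:35 -0700] "GET /private/no-such-file.txt HTTP/1.1" 401 381 "-" "Mozilla/5.0 (Windows NT 5.1; rv:19.0) Gecko/20100101 Firefox/19.0" 412 733
203.0.113.5 - - [08/May/2017:18:10:00 -0700] "GET /private/no-such-file.txt?x=1 HTTP/1.1" 401 381 "-" "odd \"agent\"" 300 733
198.51.100.7 - - [08/May/2017:18:11:00 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)" 290 1400
'''

def canary_hits(lines, canary_path, published):
    """Return one record per request for canary_path, in log order."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unparseable line
        parts = m["request"].split()
        if len(parts) < 2 or parts[1].split("?")[0] != canary_path:
            continue
        when = datetime.strptime(m["ts"], TS_FORMAT)
        hits.append({
            "ip": m["ip"],
            "delay_s": int((when - published).total_seconds()),
            "status": int(m["status"]),
            "agent": m["agent"],  # None when the line lacks the extra fields
        })
    return hits

if __name__ == "__main__":
    for hit in canary_hits(SAMPLE.splitlines(), CANARY, PUBLISHED):
        print(hit)
```

With the short log format the agent field comes back as None, which is the detail the combinedio suggestion would fill in.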