I'm running Apache for my webserver (a Linux box) and I've noticed a some trolls hitting it trying to do some WinNT exploits on it -- actually a lot of little trolls.
It bothers me enough that I'll likely report them, but the point to this post is, I'd like to know how to keep them from getting logged, or at least keep them from generating massive logs like they are doing now.
I went through my logs, collected the 30 some odd different trolls addresses and proceeded to add some rather interesting denies to my http.conf file.
I was *hoping* if I denied them it would simply say, "such-and-such-troll-ip was denied." or something like that.
But instead, what get is the whole url they tried, followed by the what I think is the deny code is (403 unathorized access I think, but I'm kinda tired so I could be way off). So, its still just as long as before they were denied and not as easy to get all the information from.
Anyway, I guess the question comes down to, I don't want to restrict everyone from the webserver, so I want to keep Apache handling its own denies as that doesn't mess with my firewall ruleset. But I also don't want to see every attempt that people who are *denied* make. Obviously I want to see what attempts non-restricted people make, but not the trolls I've already got denied.
Is this even possible with Apache? I found their security documentation pretty thin, especially on the logging side. I think I may have even missed a chapter, 'cause there wasn't much there.
Any ideas, suggestions?
Mithian
It bothers me enough that I'll likely report them, but the point to this post is, I'd like to know how to keep them from getting logged, or at least keep them from generating massive logs like they are doing now.
I went through my logs, collected the 30 some odd different trolls addresses and proceeded to add some rather interesting denies to my http.conf file.
I was *hoping* if I denied them it would simply say, "such-and-such-troll-ip was denied." or something like that.
But instead, what get is the whole url they tried, followed by the what I think is the deny code is (403 unathorized access I think, but I'm kinda tired so I could be way off). So, its still just as long as before they were denied and not as easy to get all the information from.
Anyway, I guess the question comes down to, I don't want to restrict everyone from the webserver, so I want to keep Apache handling its own denies as that doesn't mess with my firewall ruleset. But I also don't want to see every attempt that people who are *denied* make. Obviously I want to see what attempts non-restricted people make, but not the trolls I've already got denied.
Is this even possible with Apache? I found their security documentation pretty thin, especially on the logging side. I think I may have even missed a chapter, 'cause there wasn't much there.
Any ideas, suggestions?
Mithian
