I have an Apache 2.2 webserver running on Windows 7 with six virtual hosts set up.
- Domain name A points to ?:/.../urls/1/
- Domain name B points to ?:/.../urls/2/
- Domain name C+D point to ?:/.../urls/3/
- Domain name E* points to ?:/.../urls/4/
- My public IP points to ?:/.../urls/5/
- Localhost + network IP point to ?:/.../urls/6/
(pseudo-addresses and paths)
Edit: Actual order in config
- Localhost + network IP point to ?:/.../urls/6/
- My public IP points to ?:/.../urls/5/
- Domain name A points to ?:/.../urls/1/
- Domain name B points to ?:/.../urls/2/
- Domain name C+D point to ?:/.../urls/3/
- Domain name E* points to ?:/.../urls/4/
End Edit
I don't own domain name E yet, so for now I have it defined in my hosts file, and it works when I try to access it in a browser by the domain name.
I've been doing some extensive file structure changes and altered my virtual hosts a bit, so for now each site is just showing a test page that simply states which site it is. Domain name A/B/C/etc. Each site has its own access log and error log. All seemingly straightforward stuff. Having a private site on localhost is new to me. In the past, localhost, network IP and domain name A all pointed to my main site so there was no consideration for privacy.
What concerns me now is that site 6, which should only be accessible by localhost, 127.0.0.1 and 192.168.1.100, is recording hits from external addresses in the access log. This site denies from all except my own addresses, and the foreign requests have resulted in 403 as expected, whether they attempt to access real files like index.html or something bogus, though a few requests have resulted in a 400 error which I'm not familiar with. When certain common errors are triggered, I redirect to a custom error script with ?code=$HTTP_CODE to dump %ENV data to a file in the hopes that I can glean some useful information about these hits and also return an error page to the user. Nothing as of yet makes any sense to me.
I want to know how/why these requests are reaching my internal addresses, if I should be worried about anything in ?:/.../urls/6/ being visible to the public, if I have misconfigured anything in Apache, and if so, how to fix it.
Here are some snippets that might be relevant. Paths and my web addresses have been obfuscated.
hosts file
127.0.0.1 domain-name-E.com # domain that i don't own yet
127.0.0.1 www.domain-name-E.com # domain that i don't own yet
httpd-vhosts.conf Edit: Adjusted to show actual order of VHs
<Directory "?:/.../urls/">
Order Deny,Allow
Allow from all
</Directory>
NameVirtualHost *:80
# site 6: private
<VirtualHost *:80>
DocumentRoot "?:/.../urls/6/www/"
ServerName localhost
ServerAlias 127.0.0.1
ServerAlias 192.168.1.100
ScriptAlias /cgi/ "?:/.../urls/6/cgi/"
<Directory "?:/.../urls/6/cgi/">
AllowOverride All
</Directory>
ErrorLog "?:/.../logs/errors-site6.log"
# CustomLog "?:/.../logs/access-site6.log" common
LogFormat "%{%Y/%m/%d (%a) at %H:%M:%S}t %a Login: %u Sent: %B B in %D µs Status: %s/%>s for %H %m %{Host}i%U%q Using: %{User-agent}i From: %{Referer}i" custom
CustomLog "?:/.../logs/access-site6.log" custom env=!dontlog
SetEnvIf Remote_Addr "127\.0\.0\.1" dontlog
SetEnvIf Remote_Addr "192\.168\.1\..*" dontlog
# my public IP address
SetEnvIf Remote_Addr "XXX\.XXX\.XXX\.XXX" dontlog
</VirtualHost>
# site 5 here
# site 1 here
# site 2 here
# site 3 here
# site 4 here
?:/…/urls/6/.htaccess
# site 6: private
Deny from all
Allow from 127.0.0.1
Allow from 192.168.1
# my public IP address
Allow from XXX.XXX.XXX.XXX
?:/…/logs/access-site6.log (alignment tidied up a bit)
# timestamp # IP # domain/path?query # agent # referrer
2019/06/24 (Mon) at 18:50:52 61.219.11.153 Login: - Sent: 226 B in 3001 µs Status: 400/400 for HTTP/1.1 GET -/ Using: - From: -
2019/06/24 (Mon) at 19:08:14 104.152.52.22 Login: - Sent: 1211 B in 512029 µs Status: 403/403 for HTTP/1.0 GET -/?code=403 Using: masscan/1.0 (https://github.com/robertdavidgraham/masscan) From: -
2019/06/25 (Tue) at 00:12:51 138.99.29.110 Login: - Sent: 226 B in 3001 µs Status: 400/400 for HTTP/1.1 GET -/Login.htm Using: - From: -
2019/06/25 (Tue) at 02:26:21 122.116.24.230 Login: - Sent: 226 B in 3000 µs Status: 400/400 for HTTP/1.1 GET -/Login.htm Using: - From: -
2019/06/25 (Tue) at 04:21:55 92.63.194.15 Login: - Sent: 1211 B in 365021 µs Status: 403/403 for HTTP/0.9 GET -/?code=403 Using: - From: -
2019/06/25 (Tue) at 09:28:05 89.248.169.12 Login: - Sent: 1211 B in 309018 µs Status: 403/403 for HTTP/1.1 GET 80/?code=403 Using: Mozilla/5.0 zgrab/0.x From: -
2019/06/25 (Tue) at 10:07:53 185.53.88.37 Login: - Sent: 0 B in 384022 µs Status: 403/403 for HTTP/1.0 GET -/robots.txt?code=403 Using: - From: -
2019/06/25 (Tue) at 10:48:16 77.247.110.106 Login: - Sent: 0 B in 464027 µs Status: 403/403 for HTTP/1.0 GET -/robots.txt?code=403 Using: - From: -
2019/06/25 (Tue) at 13:46:30 192.31.231.241 Login: - Sent: 1211 B in 519029 µs Status: 403/403 for HTTP/1.1 GET default/.html?code=403 Using: curl/7.64.1 From: -
2019/06/25 (Tue) at 15:14:24 77.247.110.106 Login: - Sent: 0 B in 375022 µs Status: 403/403 for HTTP/1.0 GET -/robots.txt?code=403 Using: - From: -
2019/06/25 (Tue) at 21:00:55 220.133.33.166 Login: - Sent: 226 B in 3001 µs Status: 400/400 for HTTP/1.1 GET -/Login.htm Using: - From: -
2019/06/26 (Wed) at 01:33:22 110.249.212.46 Login: - Sent: 226 B in 2000 µs Status: 400/400 for HTTP/1.1 GET -/testget?q=23333&port=80 Using: - From: -
?:/…/logs/errors-site6.log
[Mon Jun 24 18:50:52 2019] [error] [client 61.219.11.153] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Jun 24 19:08:14 2019] [error] [client 104.152.52.22] client denied by server configuration: ?:/.../urls/6/www/
[Tue Jun 25 00:12:51 2019] [error] [client 138.99.29.110] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /Login.htm
[Tue Jun 25 02:26:21 2019] [error] [client 122.116.24.230] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /Login.htm
[Tue Jun 25 04:21:55 2019] [error] [client 92.63.194.15] client denied by server configuration: ?:/.../urls/6/www/
[Tue Jun 25 09:28:05 2019] [error] [client 89.248.169.12] client denied by server configuration: ?:/.../urls/6/www/
[Tue Jun 25 10:07:53 2019] [error] [client 185.53.88.37] client denied by server configuration: ?:/.../urls/6/www/robots.txt
[Tue Jun 25 10:48:17 2019] [error] [client 77.247.110.106] client denied by server configuration: ?:/.../urls/6/www/robots.txt
[Tue Jun 25 13:46:30 2019] [error] [client 192.31.231.241] client denied by server configuration: ?:/.../urls/6/www/.html
[Tue Jun 25 15:14:24 2019] [error] [client 77.247.110.106] client denied by server configuration: ?:/.../urls/6/www/robots.txt
[Tue Jun 25 21:00:55 2019] [error] [client 220.133.33.166] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /Login.htm
[Wed Jun 26 01:33:22 2019] [error] [client 110.249.212.46] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /testget
?:/…/logs/detail-site6.log (alignment tidied up a bit and some irrelevant key/val pairs omitted)
2019/06/24 at 07:08:15 PM
$VAR1 = {
'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_ACCEPT' => '*/*',
'HTTP_USER_AGENT' => 'masscan/1.0 (https://github.com/robertdavidgraham/masscan)',
'QUERY_STRING' => 'code=403',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '403',
'REDIRECT_URL' => '/',
'REMOTE_ADDR' => '104.152.52.22',
'REMOTE_PORT' => '48100',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/',
'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
'SCRIPT_NAME' => '/cgi/error/.pl',
'SERVER_ADDR' => '192.168.1.100',
'SERVER_NAME' => 'localhost',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.0',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
};
2019/06/25 at 04:21:55 AM
$VAR1 = {
'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'QUERY_STRING' => 'code=403',
'REDIRECT_REQUEST_METHOD' => '',
'REDIRECT_STATUS' => '403',
'REDIRECT_URL' => '/',
'REMOTE_ADDR' => '92.63.194.15',
'REMOTE_PORT' => '1468',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '',
'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
'SCRIPT_NAME' => '/cgi/error/.pl',
'SERVER_ADDR' => '192.168.1.100',
'SERVER_NAME' => 'localhost',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/0.9',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
};
2019/06/25 at 09:28:05 AM
$VAR1 = {
'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_ACCEPT' => '*/*',
'HTTP_ACCEPT_ENCODING' => 'gzip',
'HTTP_HOST' => '80',
'HTTP_USER_AGENT' => 'Mozilla/5.0 zgrab/0.x',
'QUERY_STRING' => 'code=403',
'REDIRECT_REQUEST_METHOD' => 'GET',
'REDIRECT_STATUS' => '403',
'REDIRECT_URL' => '/',
'REMOTE_ADDR' => '89.248.169.12',
'REMOTE_PORT' => '32902',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/',
'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
'SCRIPT_NAME' => '/cgi/error/.pl',
'SERVER_ADDR' => '192.168.1.100',
'SERVER_NAME' => '80',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
};
2019/06/25 at 10:07:53 AM
$VAR1 = {
'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'QUERY_STRING' => 'code=403',
'REDIRECT_REQUEST_METHOD' => 'HEAD',
'REDIRECT_STATUS' => '403',
'REDIRECT_URL' => '/robots.txt',
'REMOTE_ADDR' => '185.53.88.37',
'REMOTE_PORT' => '58418',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/robots.txt',
'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
'SCRIPT_NAME' => '/cgi/error/.pl',
'SERVER_ADDR' => '192.168.1.100',
'SERVER_NAME' => 'localhost',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.0',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
};
2019/06/25 at 10:48:17 AM
$VAR1 = {
'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'QUERY_STRING' => 'code=403',
'REDIRECT_REQUEST_METHOD' => 'HEAD',
'REDIRECT_STATUS' => '403',
'REDIRECT_URL' => '/robots.txt',
'REMOTE_ADDR' => '77.247.110.106',
'REMOTE_PORT' => '54263',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/robots.txt',
'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
'SCRIPT_NAME' => '/cgi/error/.pl',
'SERVER_ADDR' => '192.168.1.100',
'SERVER_NAME' => 'localhost',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.0',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
};
2019/06/25 at 01:46:30 PM
$VAR1 = {
'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'HTTP_ACCEPT' => '*/*',
'HTTP_HOST' => 'default',
'HTTP_USER_AGENT' => 'curl/7.64.1',
'QUERY_STRING' => 'code=403',
'REDIRECT_REQUEST_METHOD' => 'DKEMDIF&0',
'REDIRECT_STATUS' => '403',
'REDIRECT_URL' => '/.html',
'REMOTE_ADDR' => '192.31.231.241',
'REMOTE_PORT' => '33716',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/.html',
'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
'SCRIPT_NAME' => '/cgi/error/.pl',
'SERVER_ADDR' => '192.168.1.100',
'SERVER_NAME' => 'default',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
};
2019/06/25 at 03:14:24 PM
$VAR1 = {
'DOCUMENT_ROOT' => '?:/.../urls/6/www/',
'GATEWAY_INTERFACE' => 'CGI/1.1',
'QUERY_STRING' => 'code=403',
'REDIRECT_REQUEST_METHOD' => 'HEAD',
'REDIRECT_STATUS' => '403',
'REDIRECT_URL' => '/robots.txt',
'REMOTE_ADDR' => '77.247.110.106',
'REMOTE_PORT' => '61954',
'REQUEST_METHOD' => 'GET',
'REQUEST_URI' => '/robots.txt',
'SCRIPT_FILENAME' => '?:/.../urls/6/cgi/error/.pl',
'SCRIPT_NAME' => '/cgi/error/.pl',
'SERVER_ADDR' => '192.168.1.100',
'SERVER_NAME' => 'localhost',
'SERVER_PORT' => '80',
'SERVER_PROTOCOL' => 'HTTP/1.0',
'SERVER_SIGNATURE' => '',
'SERVER_SOFTWARE' => 'Apache',
};
Could this instead be a misconfiguration on my router? Or malware on my machine or router that is phoning home? If so, how can I check, and can I stop it sooner?
Or is this all just normal chaotic internet traffic that I can ignore and rest easy knowing it won't ever see my private site?
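An added example (not part of the original post) that triages lines in the question's `custom` LogFormat: because `%{Host}i%U%q` is logged without separators, it splits the Host header back out and reports whether each hit actually named site 6 or only landed in its log because site 6 is the first-listed `*:80` vhost, which Apache uses when no ServerName or ServerAlias matches. The first four sample lines are copied from the access log above; the last line, the verdict strings and all function names are constructed for illustration.

```python
import re

# Names site 6 answers to (ServerName / ServerAlias in the posted vhost).
SITE6_NAMES = {"localhost", "127.0.0.1", "192.168.1.100"}
NO_HOST = "no Host header: handled by the first-listed vhost"
UNKNOWN = "unmatched Host: fell through to the first-listed vhost"
NAMED = "Host names site 6: selected by name, Allow/Deny still applies"

LINE_RE = re.compile(
    r"^\S+ \(\w+\) at \S+ (?P<ip>\S+) Login: .*? Status: (?P<status>\d+)/\d+ "
    r"for (?P<proto>\S+) (?P<method>\S+) (?P<target>\S+) Using: (?P<agent>.*) From: "
)

def classify(line):
    """Return (client_ip, host, verdict) for one line in the 'custom' LogFormat."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # A Host value cannot contain "/", so everything before the first "/"
    # of the fused %{Host}i%U%q field is the Host header ("-" means absent).
    host = m["target"].partition("/")[0]
    name = re.sub(r":\d+$", "", host).lower()  # drop an optional :port
    if host == "-":
        verdict = NO_HOST
    elif name in SITE6_NAMES:
        verdict = NAMED
    else:
        verdict = UNKNOWN
    return m["ip"], host, verdict

SAMPLE = [  # lines 1-4 come from the access log above; line 5 is constructed
    "2019/06/24 (Mon) at 18:50:52 61.219.11.153 Login: - Sent: 226 B in 3001 µs Status: 400/400 for HTTP/1.1 GET -/ Using: - From: -",
    "2019/06/24 (Mon) at 19:08:14 104.152.52.22 Login: - Sent: 1211 B in 512029 µs Status: 403/403 for HTTP/1.0 GET -/?code=403 Using: masscan/1.0 (https://github.com/robertdavidgraham/masscan) From: -",
    "2019/06/25 (Tue) at 09:28:05 89.248.169.12 Login: - Sent: 1211 B in 309018 µs Status: 403/403 for HTTP/1.1 GET 80/?code=403 Using: Mozilla/5.0 zgrab/0.x From: -",
    "2019/06/25 (Tue) at 13:46:30 192.31.231.241 Login: - Sent: 1211 B in 519029 µs Status: 403/403 for HTTP/1.1 GET default/.html?code=403 Using: curl/7.64.1 From: -",
    "2019/06/26 (Wed) at 02:00:00 203.0.113.7 Login: - Sent: 1211 B in 300000 µs Status: 403/403 for HTTP/1.1 GET localhost:80/?code=403 Using: - From: -",
]

def summarize(lines):
    """Count verdicts over all parseable lines."""
    counts = {}
    for result in filter(None, map(classify, lines)):
        counts[result[2]] = counts.get(result[2], 0) + 1
    return counts

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
```

Run against the full access log, a count dominated by the first two verdicts means the hits are in site 6's log only because it is the catch-all vhost, not because clients addressed it by name.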
Best Answer
When you want a virtual host that only responds to queries for http://localhost do not make that virtual host available on all IP-addresses with the IP-address wildcard:

See the manual for exact VHost matching rules but doing the above gives Apache httpd only a single discriminator to use to select which requests should be handled by this virtual host, namely when the request includes the Host: localhost header and it won't verify that the request was made to either the localhost IP-address 127.0.0.1 or the loopback network interface.

Instead bind that VHost to the specific localhost IP-address with either
or the equivalent