After someone tried a buffer overflow attack I started getting a message from cron like this:
/etc/cron.daily/00webalizer:
Error: Skipping oversized log record
Webalizer.conf says that the logfile is /var/log/httpd/access_log but I look at that file and it's empty. This must be why there's nothing when I look at the Apache Access Log in the System Logs GUI. Access_log.1 has the buffer overflow attack with other items after it. Why am I getting this message and why has it stopped logging?
TIA,
Bruce
Oversized log record
Re: Oversized log record
Webalizer does not like the line. Some think this should be a "warning" not an error, but you may want to try:
http://www.redhat.com/archives/fedora-list/2005-February/msg01773.html
or just ignore.
Re: Oversized log record
So if I ignore it, all traffic is still being logged and if I add `"%!414r"` to the LogFormat directive, buffer overflow attacks won't get logged?
Thanks again,
Bruce
Re: Oversized log record
One better option, since you put it that way: run fail2ban with a custom filter for *one* attempt on the pattern with a LOOOOOOOOONGGGGG iptables ban for all ports:
http://www.fail2ban.org
It's what I do for the relay searchers ;)
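The two replies above point at the same underlying record: an access_log line so long that Webalizer skips it, and a client whose request is worth acting on. The script below is an added illustration, not code from this thread, from Webalizer or from fail2ban. It parses a few constructed Apache "combined" log lines, flags records over an assumed size limit (4096 bytes is only an illustrative cut-off; the thread does not state Webalizer's real buffer size), shows what Apache's conditional `%!414r` format item would write into the request field for a 414 response, and mimics a fail2ban filter with maxretry=1 by listing clients that produced at least one oversized or 414 request:

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from the thread). The third line
# stands in for the kind of record that makes Webalizer report
# "Skipping oversized log record": its request line is padded to ~5000 bytes.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2008:10:00:01 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [01/May/2008:10:00:02 -0400] "GET /images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/May/2008:10:00:03 -0400] "GET /' + 'A' * 5000 + ' HTTP/1.1" 414 0 "-" "-"',
    '198.51.100.9 - - [01/May/2008:10:00:04 -0400] "GET /robots.txt HTTP/1.1" 404 209 "-" "curl/7.18"',
]

# Assumed cut-off. The thread does not give Webalizer's actual record buffer
# size, so this value is purely illustrative.
MAX_RECORD_BYTES = 4096

# Leading fields of the Apache "combined" LogFormat.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict of the leading combined-format fields, or None if the
    line does not parse. record_bytes is the raw length of the whole line."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['record_bytes'] = len(line.encode('utf-8'))
    return rec


def find_oversized(lines, limit=MAX_RECORD_BYTES):
    """List (line number, client IP, status) of records longer than `limit`
    bytes, i.e. the ones a fixed-buffer analyzer would skip."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is not None and rec['record_bytes'] > limit:
            hits.append((n, rec['ip'], rec['status']))
    return hits


def request_field_with_414_suppressed(rec):
    """What Apache writes for the %!414r format item: the request line for
    every status except 414, where the field becomes '-'. The hit is still
    logged; only the (possibly huge) request string is dropped."""
    return '-' if rec['status'] == 414 else rec['request']


def ban_candidates(lines, maxretry=1, limit=MAX_RECORD_BYTES):
    """Mimic a fail2ban filter on this pattern: count, per client, requests
    that were oversized or answered with 414, and return the clients that
    reached `maxretry`. With maxretry=1 a single attempt is enough."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['record_bytes'] > limit or rec['status'] == 414:
            counts[rec['ip']] += 1
    return sorted(ip for ip, c in counts.items() if c >= maxretry)


if __name__ == '__main__':
    for n, ip, status in find_oversized(SAMPLE_LOG):
        print(f'line {n}: oversized record from {ip} (status {status})')
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        print(f'{rec["ip"]:>14}  %!414r -> {request_field_with_414_suppressed(rec)[:40]!r}')
    print('ban candidates (maxretry=1):', ban_candidates(SAMPLE_LOG))
```

Run over a real access_log the same way (`find_oversized(open(path).read().splitlines())`) to see which lines Webalizer is complaining about, and which client sent them, before deciding between the LogFormat change and the fail2ban ban.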
Re: Oversized log record
Thanks. I'll look into that.
Bruce