Hello. I have (Perfect Server setup) Ubuntu 16.04 LTS with Apache 2.4.37, and the Apache error.log file contains a lot of these:

Code:
```
[Wed Dec 26 08:45:57.649682 2018] [access_compat:error] [pid 10835] [client 180.76.15.142:59430] AH01797: client denied by server configuration: /var/www/html/robots.txt
[Wed Dec 26 08:48:15.444509 2018] [access_compat:error] [pid 10976] [client 180.76.15.12:37345] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 08:50:02.133953 2018] [access_compat:error] [pid 11358] [client 127.0.0.1:40910] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 08:51:07.155109 2018] [access_compat:error] [pid 11224] [client 5.62.43.34:5515] AH01797: client denied by server configuration: /var/www/html/cpanel
[Wed Dec 26 12:36:31.976661 2018] [access_compat:error] [pid 19592] [client 185.244.25.106:41956] AH01797: client denied by server configuration: /var/www/html/index.php
[Wed Dec 26 12:40:02.538578 2018] [access_compat:error] [pid 21489] [client 127.0.0.1:50744] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 12:45:01.921430 2018] [access_compat:error] [pid 22918] [client 127.0.0.1:51294] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:15:02.149298 2018] [access_compat:error] [pid 32447] [client 127.0.0.1:53898] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:15:09.242782 2018] [access_compat:error] [pid 304] [client 88.135.47.227:19376] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:20:01.960645 2018] [access_compat:error] [pid 2361] [client 127.0.0.1:54674] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:23:20.585811 2018] [access_compat:error] [pid 3893] [client 5.255.250.180:39644] AH01797: client denied by server configuration: /var/www/html/robots.txt
[Wed Dec 26 13:23:24.394489 2018] [access_compat:error] [pid 3893] [client 5.255.250.180:39644] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:25:02.086940 2018] [access_compat:error] [pid 4077] [client 127.0.0.1:56846] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:30:02.510932 2018] [access_compat:error] [pid 5674] [client 127.0.0.1:59564] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:35:02.698305 2018] [access_compat:error] [pid 7324] [client 127.0.0.1:33512] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:37:36.640703 2018] [access_compat:error] [pid 8375] [client 27.78.123.251:34494] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:37:43.465513 2018] [access_compat:error] [pid 8635] [client 103.229.86.186:44925] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:40:01.895182 2018] [access_compat:error] [pid 8982] [client 127.0.0.1:34086] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:45:02.482745 2018] [access_compat:error] [pid 9969] [client 127.0.0.1:35064] AH01797: client denied by server configuration: /var/www/html/
```

What can it be and how do I prevent this? And why does a localhost client try to access the blocked directory? There is only the default Apache website inside /var/www/html.
As that says, it's denied by your configuration. ISPConfig does not set up a default website nor configure the main /var/www/html; likely your OS has configured some defaults for the main document root, and you may have additionally created a default website yourself. Find the config for that and you will see why it's denied (`apachectl -S` will tell you the config file for any vhosts; for the main document root you have to read through all the global (not inside a virtual host) config).
Yes, I understand that it's denied by my configuration and I of course know which one it is (Apache's default one) - /etc/apache2/sites-enabled/000-default.conf. I added there:

Code:
```
<Directory /var/www/html>
    Require all denied
</Directory>
```

but I am curious why localhost IP 127.0.0.1 tries to access this directory. I don't know how to interpret it. The second thing is how to block attempts to access this directory from external IP addresses.

PS I have blocked access to this due to a lot of these attempts from external IPs.

[EDIT] I have also found something:

Code:
```
apache2 11178 www-data 132u IPv6 48746480 0t0 TCP s1.example.net:https->185-39-163-17.wdm.pl:65484 (ESTABLISHED)
apache2 6015 www-data 132u IPv6 48681774 0t0 TCP s1.example.net:http->sogouspider-218-30-103-24.crawl.sogou.com:16533 (ESTABLISHED)
apache2 32701 www-data 132u IPv6 48635422 0t0 TCP s1.example.net:http->sogouspider-218-30-103-24.crawl.sogou.com:42631 (CLOSE_WAIT)
apache2 27093 www-data 132u IPv6 48605480 0t0 TCP s1.example.net:http->li-lon-uk-gp3-wk105.internet-census.org:47588 (CLOSE_WAIT)
```

Are they some kind of scanning bots?
All requests which do not include a hostname or where the hostname doesn't match a virtual host definition will hit the default; my guess is maybe it's ISPConfig's "HTTPD monitoring" of the local web server. You could turn that setting off and see if the requests stop, or you could monitor http traffic on the loopback interface and you might see the request if it's port 80 (try `ngrep -Wbyline -d lo host 127.0.0.1 and port 80`), or you could check the access.log to see what details it records from the request. There's probably a way to debug/save traffic from a specific address (127.0.0.1) if needed, but I've never looked into that offhand.

Try `Require local` or you can get more complex, see https://httpd.apache.org/docs/2.4/howto/access.html and https://httpd.apache.org/docs/2.4/mod/mod_authz_host.html

Sure, the majority of requests on most sites comes from bots. They may or may not be malicious.
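
Added example, not part of the thread: a small Python triage of the AH01797 entries that separates loopback denials from external ones and checks whether the loopback hits arrive at a fixed interval, which is what a local monitoring job would produce. The function names `parse_denials` and `summarize` are hypothetical; the sample lines are copied from the error.log excerpt in the first post.

```python
import ipaddress
import re
from datetime import datetime

# Lines copied from the error.log excerpt in the first post.
SAMPLE_LOG = """\
[Wed Dec 26 08:51:07.155109 2018] [access_compat:error] [pid 11224] [client 5.62.43.34:5515] AH01797: client denied by server configuration: /var/www/html/cpanel
[Wed Dec 26 13:15:02.149298 2018] [access_compat:error] [pid 32447] [client 127.0.0.1:53898] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:15:09.242782 2018] [access_compat:error] [pid 304] [client 88.135.47.227:19376] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:20:01.960645 2018] [access_compat:error] [pid 2361] [client 127.0.0.1:54674] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:23:20.585811 2018] [access_compat:error] [pid 3893] [client 5.255.250.180:39644] AH01797: client denied by server configuration: /var/www/html/robots.txt
[Wed Dec 26 13:25:02.086940 2018] [access_compat:error] [pid 4077] [client 127.0.0.1:56846] AH01797: client denied by server configuration: /var/www/html/
[Wed Dec 26 13:30:02.510932 2018] [access_compat:error] [pid 5674] [client 127.0.0.1:59564] AH01797: client denied by server configuration: /var/www/html/
"""

# Timestamp, client IP (source port dropped) and denied path of an AH01797 entry.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+:\w+\] \[pid \d+\] "
    r"\[client (?P<ip>\S+):\d+\] AH01797: client denied by server "
    r"configuration: (?P<path>\S+)$"
)

def parse_denials(text):
    """Yield (timestamp, ip, path) for each AH01797 line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # %a and %b assume English day/month names, as in the posted log.
            ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
            yield ts, ipaddress.ip_address(m["ip"]), m["path"]

def summarize(text):
    """Separate loopback denials from external ones and measure loopback spacing."""
    loopback, external = [], {}
    for ts, ip, path in parse_denials(text):
        if ip.is_loopback:
            loopback.append(ts)
        else:
            external.setdefault(str(ip), set()).add(path)
    loopback.sort()
    gaps = [round((b - a).total_seconds() / 60)
            for a, b in zip(loopback, loopback[1:])]
    return {
        "loopback_hits": len(loopback),
        "loopback_gaps_min": gaps,
        # Evenly spaced local hits point at a scheduled job or monitor, not a visitor.
        "looks_scheduled": len(gaps) >= 2 and len(set(gaps)) == 1,
        "external": {ip: sorted(paths) for ip, paths in external.items()},
    }
```

On the sample lines the loopback denials are five minutes apart, so the timestamps can be matched against access.log entries for the same seconds to see what the local client requested.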