Jan 19, 2010

Knowing Apache Logs

LOG is the main friend of an Apache Administrator. We can see error_log , access_logs under LOG directory in Apache web server. It contain many things. Here I am briefly explaining what all the fields mean in a single line of Apache Log. CLF or Common Log Format is the core of logging in Apache. A module called mod_log_config is responsible for all these logging activities.

The CLF log file contains a separate line for each request. A line is composed of several tokens separated by spaces:

host ident authuser date request status bytes

host : The fully qualified domain name of the client, or its IP address

ident : If the IdentityCheck directive is enabled and the client machine runs
identd, then this is the identity information reported by the client

authuser :If the requested URL required a successful Basic HTTP authentication,

then the user name is the value of this token.

date : The date and time of the request. The date field can be [day/month/year:hour:minute:second zone]

request : The request line from the client, enclosed in double quotes (“).

status : The three-digit HTTP status code returned to the client.

: The number of bytes in the object returned to the client, excluding all
HTTP headers.

Jan 3, 2010

Multitail - For viewing multiple logs simultaneoulsy

Tail is a command in unix like systems for viewing log files. We can view only one log at a time , for viewing multiple log files we can use multitail.


yum install multitail (For Redhat , Centos )

apt-get install multitail (Ubuntu ,Debian )


multitail -f /var/log/httpd/error_log /var/log/httpd/access_log

3.Also you can run a command and watch its output

multitail -f /var/log/iptable.log "ping server.com"

4.You can see 3 files in 2 columns

multitail -s 2 /var/log/qmail_pop.log /var/log/qmail_send.log /var/log/spamassassin.log

Enjoy !!!

OpenSSH Security Tips

OpenSSH is tool used for connecting and managing remote linux machines. And this should be secured. I am here by telling some security tips to make the SSH server perfect.

1.The following iptable rule will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

2.Disable Empty Passwords

Open the file /etc/sshd/sshd_config and

PermitEmptyPasswords no


open --> vi /etc/hosts.deny


open --> vi /etc/hosts.allo

sshd: (Change to your desired IP)

4.Change the SSH Port

The Idea behind this , suppose we change the port 22 to something other say Oracle 1521 , the attackers thinks that this is an Oracle server and will try oracle hacking tools :)

Port 300

5.Force Logout for Idle Sessions
ClientAliveInterval 300
ClientAliveCountMax 0

And to be continued .......