Oversized log record

marathonman
Posts: 26
Joined: 2008/04/27 14:47:18
Location: Revere, MA

Oversized log record

Postby marathonman » 2009/02/09 02:56:53

After someone tried a buffer overflow attack I started getting a message from cron like this:

/etc/cron.daily/00webalizer:

Error: Skipping oversized log record

Webalizer.conf says that the logfile is /var/log/httpd/access_log but I look at that file and it's empty. This must be why there's nothing when I look at the Apache Access Log in the System Logs GUI. Access_log.1 has the buffer overflow attack with other items after it. Why am I getting this message and why has it stopped logging?

TIA,
Bruce

pjwelsh
Posts: 2580
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: Oversized log record

Postby pjwelsh » 2009/02/09 17:20:31

Webalizer does not like the line. Some think this should be a "warning" not an error, but you may want to try:
http://www.redhat.com/archives/fedora-l ... 01773.html
or just ignore.

marathonman
Posts: 26
Joined: 2008/04/27 14:47:18
Location: Revere, MA

Re: Oversized log record

Postby marathonman » 2009/02/10 02:06:57

So if I ignore it, all traffic is still being logged and if I add '\"%!414r\"' to the LogFormat directive, buffer overflow attacks won't get logged?

Thanks again,
Bruce

pjwelsh
Posts: 2580
Joined: 2007/01/07 02:18:02
Location: Central IL USA

Re: Oversized log record

Postby pjwelsh » 2009/02/10 19:14:28

One better option, since you put it that way: run fail2ban with a custom filter for *one* attempt on the pattern, with a LOOOOOOOOONGGGGG iptables ban for all ports:

http://www.fail2ban.org

It's what I do for the relay searchers ;)
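The two questions in this thread (does `%!414r` stop the overflow attempts from being logged, and what pattern would a fail2ban filter key on) can be checked against the access log directly. The script below is an added example and not code from the thread, from webalizer or from fail2ban. It parses Apache combined-format records, flags those too long for webalizer's record buffer, and counts 414 responses per client. The buffer size of 4096 bytes is an assumption about the webalizer build; the log lines are constructed, not taken from the original post.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" LogFormat (not from the thread).
# The third record carries a multi-kilobyte URI of the kind a scanner sends.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [09/Feb/2009:02:40:11 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Feb/2009:02:40:13 -0500] "GET /images/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [09/Feb/2009:02:41:02 -0500] "GET /' + "A" * 5000 + ' HTTP/1.1" 414 345 "-" "-"',
    '203.0.113.7 - - [09/Feb/2009:02:42:50 -0500] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
])

# Assumption: webalizer reads each record into a fixed buffer of this many bytes
# and reports "Skipping oversized log record" for anything that does not fit.
WEBALIZER_BUFSIZE = 4096

# Minimal combined-format parser: host, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def format_request_field(request, status):
    """What Apache writes for the %!414r directive: the request line for every
    response except status 414, where it writes "-" instead."""
    return "-" if status == 414 else request


def scan_access_log(text, bufsize=WEBALIZER_BUFSIZE):
    """Return (oversized_by_host, status414_by_host, parsed_count).

    A record is treated as oversized when it plus its newline would not fit in
    a buffer of `bufsize` bytes, which approximates webalizer's skip rule."""
    oversized = Counter()
    status414 = Counter()
    parsed = 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; not a combined-format record
        parsed += 1
        host = m.group("host")
        if len(line) + 1 >= bufsize:
            oversized[host] += 1
        if m.group("status") == "414":
            status414[host] += 1
    return oversized, status414, parsed


if __name__ == "__main__":
    oversized, status414, n = scan_access_log(SAMPLE_LOG)
    print(f"parsed {n} records")
    for host, count in oversized.most_common():
        print(f"{host}: {count} record(s) webalizer would skip")
    for host, count in status414.most_common():
        print(f"{host}: {count} response(s) with status 414")
```

Two things the output makes visible. First, `%!414r` only blanks the request line for responses Apache itself rejected with 414 (Request-URI Too Long); a URI that stays under Apache's `LimitRequestLine` (8190 bytes by default) gets a normal 200 or 404 and is logged in full, so webalizer can still skip that record. Second, the per-host counts are exactly the pattern a fail2ban filter would match with its `<HOST>` placeholder, which is the single-attempt trigger pjwelsh describes.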

marathonman
Posts: 26
Joined: 2008/04/27 14:47:18
Location: Revere, MA

Re: Oversized log record

Postby marathonman » 2009/02/11 01:50:45

Thanks. I'll look into that.

Bruce