
OK, I'm really confused. I run an Apache 2.2 website on a Mac 10.8.5, and have been doing so for years. I inspect the logs regularly, and I'm careful about service denial in my .htaccess to parties that aren't friendly.

So my logs list IPs. Every once in a while, the log oddly lists a hostname instead of an IP. No big deal. As of the other day, this has changed, for no apparent reason. Now, the majority of my log entries show hostnames, and a few just show IPs. So my system is working hard to look up hostnames for almost everyone!

So I go look in /etc/Apache2/extra/httpd-default.conf, where I find the default

HostnameLookups Off

I go looking around in other conf files to see where there might be a rogue HostnameLookup command, but find none.

So what is going on? Why is my system looking up hostnames when I'm telling it not to? More to the point, why has it suddenly started doing that? I have not installed any third-party crap, nor have I been doing anything in my conf files. I restarted Apache and rebooted the machine, to no avail.

Now, interestingly, I get several log lines with host names, followed immediately by log lines with just the IP for that hostname. So it's not as if it can't get an IP for that hostname. It just suddenly decides not to.

  • Could you do a `grep -r HostnameLookups /etc/apache2 | grep -v \#` and also a `grep -r Include /etc/apache2 | grep -v \#`? Also, you could edit your LogFormat to use `%a` instead of `%h` to force it to write only the IP. Also, if `mod_authz_host` is configured with names, it will still perform DNS lookups (and thus they could be logged) – NuTTyX Sep 05 '14 at 19:17
  • `grep -r HostnameLookups /etc/apache2 | grep -v \#` gives `/etc/apache2/extra/httpd-default.conf:HostnameLookups Off` and `/etc/apache2/original/extra/httpd-default.conf:HostnameLookups Off` – user241086 Sep 05 '14 at 22:43
  • `grep -r Include /etc/apache2 | grep -v \#` gives a long list of hits. What exactly am I looking for in those? – user241086 Sep 05 '14 at 22:46
  • Where is LogFormat? And where is mod_authz_host configured? I know that it is loaded, but that's the only reference to it I've found. – user241086 Sep 05 '14 at 22:47
  • Check if you are loading any config file outside /etc/apache2 to search there for the HostnameLookup. As for the LogFormat, do a `grep` just like the previous. Usually there are several by default, check which one you are using in your TransferLog/CustomLog (TransferLog assumes the last LogFormat prior to that directive). If there is no LogFormat, establish a new one overriding the default config: `LogFormat "%a %l %u %t \"%r\" %>s %b"`. The mod_authz_host is configured by `Allow` and `Deny` directives, check if there is something like `Allow from hostname` instead of `Allow from 1.1.1.1` – NuTTyX Sep 05 '14 at 23:44
  • OK. I fixed it. The answer was ... bizarre. You clued me in by saying that the mod-auth_host was configured by Allow and Deny. So I said, gee, what mods were made to Allows and Denys around the time this started happening? Turns out a student of mine tried something "clever". Wanted to Deny a range, but with a comment why. So he put "Deny 00.111.222 #specified rane". All in one line. Well, it seemed to serve properly after that, but the Lookups were hosed. – user241086 Sep 06 '14 at 02:17
  • I've now removed that Deny command, and EVERYTHING WORKS THE WAY IT USED TO. I now again see only IPs in my logs. So can anyone explain that to me? Why a "#" inside a Deny command messes up the HostLookups? Weird! You'd think it would just crash Apache, as errors in .htaccess files tend to do. But no, it mucks things up. So I will thank you for the clue! – user241086 Sep 06 '14 at 02:27
  • Comments must be used on their own lines. Being on the same line, it was treated like a hostname, forcing Apache to do a reverse DNS lookup to check if it matches that hostname. If Apache had resolved that name, default log config logs the name instead of IP – NuTTyX Sep 06 '14 at 09:16
  • OK. So it seems that with that ill-placed "#" in the Deny field, whenever a request came in, and Apache ran through the .htaccess to validate it, it tripped up on that "#", making it think that field was a hostname. That being the case, it needed to do a Lookup to validate it. So it ended up forcing a Lookup on everything! That's interesting how an error in a .htaccess file, which, normally, Apache is very intolerant of, will send Apache off doing crazy things. A mistake in an "Allow" or "Deny" command will therefore impact the way Apache processes EVERY request. – user241086 Sep 06 '14 at 13:54
  • Allow and deny accept more than one parameter, if it does not look like an IP it will be interpreted as a hostname/domain. To check if an IP corresponds to a hostname/domain, a DNS lookup MUST be performed. So that is the intended behaviour – NuTTyX Sep 06 '14 at 15:12
  • That's sensible. I guess in validating the request Apache asks the question if the incoming request is from "#specified name". It says, "duh, not sure, better see if the hostname for this requester looks like that". So I guess putting a non-IP field in a Deny command forces Apache to do a LookupHostname for every incoming request. Very interesting. That means that if this kind of thing starts happening again, I better check my .htaccess for misplaced text in Allow, Deny commands. – user241086 Sep 06 '14 at 18:51
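
The check the thread arrives at, as an added example that is not part of the original posts: scan config or .htaccess text for `Allow from` / `Deny from` arguments that are not address forms and will therefore be matched by host name, forcing a DNS lookup per request. The function names and the sample file are constructed for illustration, and the classification approximates the argument forms documented for Apache 2.2 `mod_authz_host`.

```python
import ipaddress
import re

# "Allow from ..." / "Deny from ..." (directive names are case-insensitive).
DIRECTIVE = re.compile(r"^\s*(allow|deny)\s+from\s+(.*)$", re.IGNORECASE)
# Partial IPv4 address such as "10", "10.1" or "192.0.2." (first 1-3 octets).
PARTIAL_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){0,2}\.?$")

# Constructed sample .htaccess; line 6 repeats the mistake from the thread.
SAMPLE_HTACCESS = """\
# Constructed sample, not taken from the page
Order Allow,Deny
Allow from all
Deny from 198.51.100.0/24
Deny from 203.0.113.7 10.1
Deny from 192.0.2 #specified range
Deny from badhost.example
"""

def is_address_spec(token):
    """True if the token is matched by address, without any DNS lookup."""
    low = token.lower()
    if low == "all" or low.startswith("env=") or PARTIAL_IPV4.match(token):
        return True
    try:
        # Covers full IPv4/IPv6 addresses, CIDR and address/netmask forms.
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def find_dns_triggers(config_text):
    """Return (line_no, directive, token) for every host-name argument."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # real comment: '#' begins the line
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        # A '#' later in the line is not a comment; each word is an argument.
        for token in m.group(2).split():
            if not is_address_spec(token):
                findings.append((line_no, m.group(1).capitalize(), token))
    return findings

if __name__ == "__main__":
    for line_no, directive, token in find_dns_triggers(SAMPLE_HTACCESS):
        print(f"line {line_no}: {directive} from {token!r} is matched by host name")
```

Any hit means requests covered by that file trigger DNS lookups regardless of `HostnameLookups Off`, which is the symptom described in the question.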
