John Bailey wrote (after Render-Vue):

> > Is this true then that they can't check or are they
> > basically saying we can't be bothered cause there's
> > too much going through and it doesn't justify the
> > man hours to check your wee problems.
>
> I think that's entirely down to the config of the proxy.
More than likely, yes. I used to work for the JANET Web Cache Service in the UK - see http://wwwcache.ja.net - which, in a randomly sampled week in January 2000 shipped 3.1TB - yes, Terabytes! - of data, comprising 294 million different objects. That's a lot of logging. We were actually forced by the terms of reference for the project to log *everything*, and process those logs for a service level agreement. ISTR we kept logs for three months, which required a couple of machines with massive amounts of storage just to archive them.

Most ISPs do not need to do this, since due to privacy laws they are only permitted to keep logs for a short period and then not divulge anything to third parties.

John however does make a pertinent note, that properly configured proxies *should* pass an X- header with the source IP in them. Again, for privacy reasons (and logistical ones too) many do not. It is not written in any standard, nor is it a requirement AFAIK in law anywhere. At least, nowhere I've come across is particularly proscriptive about proxies, apart from perhaps China!

What Chae brings up is a perennial problem for all webserver administrators: just when do you bother to report things? It's worth figuring out your own thresholds for things. One formmail attempt from one address I would ignore, several hundred would have me on the phone to the source ISP pretty damned quickly. DoS attacks (and I'm talking real ones here, fragmented ICMP floods for example which saturate lines) generally have me on the phone to my upstreams to filter it.

Unfortunately there are thousands of people out there trying to anonymise themselves, for whatever reason. All the readers of this list better get used to the fact that there will ALWAYS be anomalies in your webserver/mailserver/system logs. It's just a matter of how to interpret them, and that's an exercise for each individual or organisation to decide upon. Personally? Every day I ignore more and more.

The more you see, the less anomalous it becomes - and it then becomes easier to pick out the *real* odd, nasty or generally unpleasant behaviour.

(John: retrieval of etc/passwd is often attempted via web pages. It doesn't often work, unless the webserver software is very badly written, configured or just old).

Have a good day

Graeme

--
Graeme Fowler
System Administrator
Host Europe Group PLC

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
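An added example, not part of Graeme's post or of any list member's code: a small Python log summariser that applies the kind of thresholds he describes (ignore a single formmail attempt, take notice of hundreds from one address, look at every etc/passwd probe) and attributes proxied requests to their original client using the proxy-supplied header. The post only says "an X- header"; the script assumes it is X-Forwarded-For, logged as the last quoted field of a custom Apache LogFormat, that 10.0.0.5 is the only proxy whose header is trusted, and all log lines are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample Apache-style log lines (not real traffic); a custom LogFormat is
# assumed that appends the X-Forwarded-For header as the final quoted field.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2000:10:00:01 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla" "192.0.2.44"
10.0.0.5 - - [12/Jan/2000:10:00:02 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "Mozilla" "192.0.2.44"
10.0.0.5 - - [12/Jan/2000:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 2048 "-" "Mozilla" "198.51.100.7"
203.0.113.9 - - [12/Jan/2000:10:00:04 +0000] "GET /cgi-bin/../../../etc/passwd HTTP/1.0" 404 210 "-" "curl" "-"
203.0.113.9 - - [12/Jan/2000:10:00:05 +0000] "POST /cgi-bin/formmail.pl HTTP/1.0" 200 512 "-" "curl" "-"
"""
# captures: client address, request path, X-Forwarded-For value ("-" when the proxy passed none)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*" "([^"]*)"$')
TRUSTED_PROXIES = {"10.0.0.5"}  # assumed: the only proxy whose X-Forwarded-For we believe

def origin_ip(client, xff):
    """Attribute a request to its real source, but only honour X-Forwarded-For
    from a proxy we trust: anyone else can put whatever they like in that header."""
    if client in TRUSTED_PROXIES and xff and xff != "-":
        return xff.split(",")[0].strip()   # leftmost entry is the original client
    return client

def classify(path):
    """Label the two request types discussed in the post; None for everything else."""
    if "etc/passwd" in path:
        return "passwd-probe"
    if "formmail" in path.lower():
        return "formmail"
    return None

def summarise(log_text):
    """Count each interesting request type per attributed origin address."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, path, xff = m.groups()
            kind = classify(path)
            if kind:
                counts[kind][origin_ip(client, xff)] += 1
    return counts

def worth_reporting(counts, formmail_threshold=100):
    """Apply the post's thresholds: a few formmail hits are noise, hundreds from one
    address are worth a call to the source ISP; every etc/passwd probe is listed for a look."""
    report = [(ip, "formmail", n) for ip, n in counts["formmail"].items() if n >= formmail_threshold]
    report += [(ip, "passwd-probe", n) for ip, n in counts["passwd-probe"].items()]
    return sorted(report)
```

Running `worth_reporting(summarise(SAMPLE_LOG))` lists only the passwd probe from 203.0.113.9; the two formmail posts attributed to 192.0.2.44 via the trusted proxy stay below the threshold.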
