
I would like to stop Apache (2.2) from doing reverse lookups for client IP addresses. I have

HostnameLookups Off

and

LogFormat "%h %l %u %t %V \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" port:%p" combined_vhost
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common

in httpd.conf, but Apache still often does the lookups and writes domain names instead of IP addresses into the access logs.

I need the IPs from accesslogs to block them on firewall.

If it is not possible to set this up in the Apache config, maybe it can be done in the bind config. On the machine I need to fix, bind runs as the local recursive resolver.

The domain names are useless because they can't be resolved back to the original IP address (seems there is intentional lack of usual DNS A/AAAA record for these domain names).

Ján Lalinský
    `%h` in access log means hostname, see https://httpd.apache.org/docs/2.4/mod/mod_log_config.html#formats This is obviously obtained by doing a reverse DNS query on the IP address as this is the only thing that Apache sees being an HTTP server where the protocol is built upon TCP/IP. – Patrick Mevzek Jan 27 '22 at 20:14
  • The page says *"%h Remote hostname. Will log the IP address if HostnameLookups is set to Off, which is the default. If it logs the hostname for only a few hosts, you probably have access control directives mentioning them by name."* That is what is happening, there are mostly IP addresses, but sometimes there are hostnames, which is the case in this attack. Maybe there are some "access control directives" that are causing the DNS resolution. However I don't see any such rules in any configuration. I tried setting up %a instead of %h, but this did not change apache behaviour. – Ján Lalinský Jan 27 '22 at 20:31
  • Oh, when LogFormat is changed in a virtualhost, it has no effect. But if I set it up in the global httpd.conf, it does. So the formatting string %a instead of %h in httpd.conf solves my problem. – Ján Lalinský Jan 27 '22 at 21:07

2 Answers


Do not use names anywhere in configuration, just IP addresses and change the configuration format to log only IP addresses.

It is unclear, however, why you want to do that; you are creating a maintenance nightmare for yourself. IP addresses do change sometimes...

The domain names are useless because they can't be resolved back to the original IP address

That is not a problem at all. The DNS will timeout or return an error and life goes on.

Patrick Mevzek

There is a LogFormat directive which tells Apache what should be written to the access logs. For preferring the IP address to the hostname, there is the format string %a.

For Apache 2.2 LogFormat documentation, see

https://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats

When LogFormat is changed in a virtualhost context, it seems to have no effect; I tried changing %h into %a in a virtualhost block but still hostnames were being written into virtual host's accesslog.

But then I made the change in the global configuration file httpd.conf, and this helped. Now Apache always logs IP addresses, not hostnames.

Ján Lalinský
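Both answers come down to two checks an administrator would want to script: find the access-control directives that name hosts (the documented reason `%h` falls back to a reverse lookup even with `HostnameLookups Off`), and pull only real addresses out of an access log so that entries Apache wrote as hostnames are not silently fed to a firewall. The script below is an added example written for this thread, not code from either answer or from the Apache project; the config excerpt and the log lines in it are constructed, and `Require host` is the 2.4 spelling of what 2.2 expresses with `Allow`/`Deny from`.

```shell
#!/bin/sh
# Added example for the thread above (not from the original posts).
# 1) audit_name_directives: list Allow/Deny/Require lines whose argument is a
#    hostname rather than "all", an IP or a CIDR block.
# 2) extract_client_ips / unresolvable_entries: split the first field of
#    access-log lines into usable addresses and hostname entries.

# Constructed sample httpd.conf fragment (hypothetical paths and names).
SAMPLE_CONF='HostnameLookups Off
LogFormat "%a %l %u %t \"%r\" %>s %b" common
<Directory "/var/www/private">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    Allow from trusted.example.net
</Directory>'

# Constructed sample access-log lines in the "common" format: two IPv4
# clients, one entry Apache wrote as a hostname, and one IPv6 client.
SAMPLE_LOG='198.51.100.7 - - [27/Jan/2022:20:14:01 +0000] "GET / HTTP/1.1" 200 1234
scanner.example.org - - [27/Jan/2022:20:14:05 +0000] "GET /wp-login.php HTTP/1.1" 404 0
203.0.113.9 - - [27/Jan/2022:20:14:09 +0000] "POST /xmlrpc.php HTTP/1.1" 403 0
2001:db8::1 - - [27/Jan/2022:20:14:12 +0000] "GET /robots.txt HTTP/1.1" 200 42'

# Regex for an IPv4 address or a (loosely matched) IPv6 address.
IP_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$'

# Print every access-control directive that names a host. Such lines make
# Apache resolve client addresses regardless of HostnameLookups.
audit_name_directives() {
    printf '%s\n' "$1" |
        grep -Ei '^[[:space:]]*(Allow|Deny)[[:space:]]+from[[:space:]]+|^[[:space:]]*Require[[:space:]]+(host|not[[:space:]]+host)[[:space:]]+' |
        grep -Ev '[[:space:]]+(all|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(/[0-9]+)?)[[:space:]]*$'
}

# First field (%h or %a) of each log line, keeping only real addresses,
# deduplicated so the list can go straight into firewall rules.
extract_client_ips() {
    printf '%s\n' "$1" | awk '{print $1}' | grep -E "$IP_RE" | sort -u
}

# The complement: entries that came out as hostnames and therefore cannot be
# blocked by address. A non-empty result means %h is still in use somewhere.
unresolvable_entries() {
    printf '%s\n' "$1" | awk '{print $1}' | grep -Ev "$IP_RE" | sort -u
}

echo "Name-based access-control directives (these trigger reverse lookups):"
audit_name_directives "$SAMPLE_CONF"
echo "Client addresses usable in firewall rules:"
extract_client_ips "$SAMPLE_LOG"
echo "Entries logged as hostnames (not usable for blocking):"
unresolvable_entries "$SAMPLE_LOG"
```

Run it with `sh` against the constructed data, or point the two functions at a real `httpd.conf` and access log via `"$(cat file)"`. One caveat for anyone moving to 2.4 behind a proxy: there `%a` reports the client address as adjusted by mod_remoteip, while `%{c}a` keeps the actual TCP peer, so pick the one that matches the address your firewall sees.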