
How to use the virtual host cPanel panel to view the server's access log

2025-01-19 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

This article explains in detail how to use the cPanel panel of a virtual host to view the server's access log, and how to analyze and act on what the log shows.

I believe that everyone has installed website statistics code on their own websites, such as Google Analytics, Quantum Statistics, Baidu Statistics, cnzz, 51.la and so on. These tools count the traffic of the site, that is, the number of visits to the pages that visitors can see, but none of them can record the raw access information for resources on your host, such as who downloaded a picture.

Most paid hosts provide a raw access log (Raw Access Log). The web server automatically records some information about each visitor and saves it in the raw access log file. If your host does not provide a log function, it is recommended that you change hosts when your plan expires. The log records access to all resources on the site, including the images, CSS, JS, Flash, HTML, MP3 and other resources loaded when a web page is opened, as well as who requested each resource, what client was used and what the result was. In short, the raw access log records the use of every resource on the host.

If your website has suffered attacks, hotlinking or bad requests, you can probably find clues by analyzing the raw access log. For example, at the beginning of this year I uploaded an mp3 to my host, which was unfortunately indexed by Baidu mp3. That led to a large number of hotlinks and a sharp increase in my host traffic. Although this is not a big deal for me, I felt unhappy! By analyzing the logs, I found the root cause of the problem and deleted the mp3, and the host traffic came down.

Different hosts use different panels, so the way to view the raw access log also differs, but the format of the log records is the same. For details on how to view the raw access log, please consult your host's customer service. Here is the cPanel panel. By clicking the button in the red box and then selecting your website's domain name, you can download the raw access log and open it with a text editor:

Each line of the raw access log is a record similar to the following:

64.10.90.61 - - [04/Mar/2001:11:47:26 -0600] "GET /intro.htm HTTP/1.1" 200 13947 "http://www.yourdomain.com/" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"

Let's talk about the meaning of this record:

64.10.90.61

This is the IP of a visitor (or maybe a robot).

[04/Mar/2001:11:47:26 -0600]

This is the time at which the visitor requested the resource (Date). -0600 is the time zone of that timestamp, that is, 6 hours behind GMT.

GET /intro.htm HTTP/1.1

The request information, including the request method, the requested resource and the protocol used. This record means that the web page /intro.htm was requested with the GET method over the HTTP/1.1 protocol; intro.htm is a web page on the site.

200 13947

200 is the status code (Http Code) returned for the request. Different status codes have different meanings. For more information, please read about HTTP status codes. 13947 is the traffic consumed by the request (Size in Bytes), in bytes.

http://www.yourdomain.com/

The source of the visit (Referer). This field tells us where the visitor came from to reach this page. It could be another page of your site, a results page from a search engine, and so on. Through this source information, you can find the web page that is hotlinking your resources.

Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)

The type of browser used by the visitor (Agent), which records the operating system, browser model, etc.

After reading the explanation above, you know what is recorded in each line and can start analyzing the raw access log of your website on your own. But if you are asked to read these messy logs directly, I believe you will go mad. I don't want to do it either. "Latest Visitors" in the cPanel panel provides a formatted view of the log, which is more comfortable to read:

In the figure above, Host: 218.17.120.205 is the IP of the visitor. It can be seen that the visitor made three requests during the current time period, corresponding to three lines in the raw access log. The resources requested by the visitor (i.e. the web pages and other resources that generated the traffic) are marked in red. For the other fields, please see the explanation above. "Latest Visitors" can only display the access information of the last 300 IPs. Here I have written a formatting tool for the raw access log, which formats the raw access log into the easy-to-read layout shown in the figure above. Tool address: http://ludou.co.tv/logreader/

The above describes how to view the raw access log. Now let's talk about how to analyze its contents:

1. Pay attention to resources that are accessed frequently

If you find in the log that a resource (web page, picture, mp3, etc.) is requested frequently, you should find out where that resource is being used. If the source of these requests (Referer) is not your website or is empty, and the status code (Http Code) is 200, your resource is probably being hotlinked. Through the Referer you can find the URL of the page doing the hotlinking. This may be the reason for a surge in your website traffic, and you should set up hotlink protection. Please take a look at the following picture: the japan.mp3 file on my website has been requested frequently, and the picture shows only part of the log. This person is extremely sinister. I had already deleted the file, so japan.mp3 could no longer be fetched, yet no fewer than 100 requests for japan.mp3 were launched in just an hour. Seeing that I had set up hotlink protection, they forged the Referer and Agent and kept changing IP. It is a pity that this was useless: there is no such file at all, and the status code (Http Code) of these requests is 403 or 404.

2. Pay attention to requests for resources that do not exist on your site

For example, consider the four requests in the following figure. /admin/editor/db/kmoxewebeditor.mdb and the other resources requested do not exist on this site, so the Http Code is either 403 or 404, but judging from the name, it may be a file that stores database information. If such information is taken by others, attacking your website becomes much easier. The purpose of these requests is simply to scan your website for vulnerabilities: by blindly requesting files associated with known vulnerabilities, the scanner may well find a hole in your site. Observation shows that the Agent used in these requests is almost always an unconventional browser type such as Mozilla/4.0, Mozilla/5.0 or libwww-perl/, and the log formatting tool I provided above flags such requests. We can prevent scanning by blocking these Agents. The specific methods are described below.

Common scanning attacks also include passing malicious parameters:

//header.php?repertoire=../proc/self/environ

/?_SERVERDOCUMENT_ROOT=http://wdwinfo.ca/logs/.log?
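The two checks described in points 1 and 2 can be run over a downloaded raw access log with a short script. The following is an added example, not the author's log formatting tool; the sample records are constructed (documentation IP ranges, a hypothetical referring site music.example), and the suspicious-Agent patterns are the ones this article uses in its blocking rules.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache combined log format, the layout of the record dissected above.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

# Agents the article treats as scanner-like; Apache logs a missing header as "-".
BAD_AGENT = re.compile(r'^libwww-perl|^Mozilla/4\.0$|^Mozilla/5\.0$|^-?$', re.I)
# Static resource suffixes worth watching for hotlinking.
STATIC = re.compile(r'\.(jpg|gif|png|css|js|bmp|mp3|wma|swf)$', re.I)

# Constructed sample records (not taken from a real log).
SAMPLE = [
    '192.0.2.10 - - [04/Mar/2001:11:47:26 -0600] "GET /intro.htm HTTP/1.1" 200 13947 "http://www.yourdomain.com/" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)"',
    '198.51.100.7 - - [04/Mar/2001:11:48:01 -0600] "GET /japan.mp3 HTTP/1.1" 200 4100000 "http://music.example/list.html" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.8 - - [04/Mar/2001:11:48:09 -0600] "GET /japan.mp3 HTTP/1.1" 200 4100000 "http://music.example/list.html" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '203.0.113.5 - - [04/Mar/2001:11:49:30 -0600] "GET /admin/editor/db/kmoxewebeditor.mdb HTTP/1.1" 404 312 "-" "libwww-perl/5.805"',
    '203.0.113.5 - - [04/Mar/2001:11:49:31 -0600] "GET //header.php?repertoire=../proc/self/environ HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
]

def parse(line):
    """Split one log line into its named fields, or return None if malformed."""
    m = LINE.match(line)
    return m.groupdict() if m else None

def analyze(lines, own_hosts):
    """Return (hotlinked, probes): counts per (path, referer host) and per (ip, agent)."""
    hotlinked, probes = Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        path = rec["path"].split("?", 1)[0]
        ref_host = urlparse(rec["referer"]).hostname or ""  # "" when empty or "-"
        # Point 1: static resource served with 200 to a foreign or empty Referer.
        if rec["status"] == "200" and STATIC.search(path) and ref_host not in own_hosts:
            hotlinked[(path, ref_host)] += 1
        # Point 2: request refused or not found, sent by a scanner-like Agent.
        if rec["status"] in ("403", "404") and BAD_AGENT.search(rec["agent"]):
            probes[(rec["ip"], rec["agent"])] += 1
    return hotlinked, probes

if __name__ == "__main__":
    hot, probes = analyze(SAMPLE, {"www.yourdomain.com"})
    print(hot.most_common())
    print(probes.most_common())
```

An empty Referer also occurs on ordinary direct visits, so a high count against the empty host is a prompt to look closer rather than proof of hotlinking.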

3. Observe the visit of search engine spiders

By looking at the log, you can see how often your site is visited by spiders, and from that judge whether your site is favored by search engines. These are all issues that SEO is concerned with. The log formatting tool also flags search engine spiders. The Agents used by the spiders of common search engines are as follows:

Google spider

Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Baidu spider

Baiduspider+(+http://www.baidu.com/search/spider.htm)

Yahoo! spider

Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp)

Yahoo! China spider

Mozilla/5.0 (compatible; Yahoo! Slurp China; http://misc.yahoo.com.cn/help.html)

Microsoft Bing spider

msnbot/2.0b (+http://search.msn.com/msnbot.htm)

Google Adsense spider

Mediapartners-Google

Youdao spider

Mozilla/5.0 (compatible; YoudaoBot/1.0; http://www.youdao.com/help/webmaster/spider/;)

Soso blog search spider

Sosoblogspider+(+http://help.soso.com/soso-blog-spider.htm)

Sogou spider

Sogou web spider/4.0(+http://www.sogou.com/docs/help/webmasters.htm#07)

Twiceler crawler

Mozilla/5.0 (Twiceler-0.9 http://www.cuil.com/twiceler/robot.html)

Google image search spider

Googlebot-Image/1.0

Russian Yandex search engine spider

Yandex/1.01.001 (compatible; Win16; I)

Alexa spider

ia_archiver (+http://www.alexa.com/site/help/webmasters; crawler@alexa.com)

Feedsky spider

Mozilla 5.0 (compatible; Feedsky crawler /1.0; http://www.feedsky.com)

Korean Yeti spider

Yeti/1.0 (NHN Corp.; http://help.naver.com/robots/)

4. Observe the behavior of visitors

By viewing the formatted log, you can track the series of visits made by one IP in a given period. The more access records a single IP has, the higher the PV of your site and the better the user stickiness; if the access records of a single IP are sparse, you should consider how to make the content of your site more attractive. Analyzing visitor behavior gives you a solid reference for building your website: it shows which content is good and which is bad, and helps determine the direction in which the site should develop. By seeing what visitors have done, we can also guess their intentions and identify malicious users in time.

The above are just some of my personal tips for simple analysis of your logs. After all, my personal experience is still relatively limited and I cannot offer a comprehensive log analysis. The cPanel control panel also has two log analysis tools, awstats and webalizer, which are based on the raw access log. They are powerful and feature-rich. You can try them and consult your host's customer service if you don't understand something.

Countermeasures

The above covered how to analyze your logs. Now let's talk about how to keep the enemy at a distance. Here we take .htaccess rules on a Linux host as an example to explain how to block malicious requests.

1. Block a certain IP

If you don't want an IP to visit your site, you can block it. There are two ways to do so. First, the cPanel panel has a Security - IP Deny Manager; click on it and fill in the IP to be blocked. Second, add statements like the following to .htaccess. They block the two IPs 123.165.54.14 and 123.165.54.15 and the IP range 123.165.55; other IPs are blocked in the same way:

Deny from 123.165.54.14

Deny from 123.165.54.15

Deny from 123.165.55

2. Block a certain browser type (Agent)

In general, robots that scan your website or maliciously download its resources use almost the same types of Agent, such as the Mozilla/4.0, Mozilla/5.0 or libwww-perl/ mentioned above. You can block an Agent to prevent such attacks. Add the following rules to .htaccess:

SetEnvIfNoCase User-Agent ".*Firefox/3\.6\.3.*" bad_agent

Order Allow,Deny

Allow from all

Deny from env=bad_agent

The rules above block any client whose Agent contains Firefox/3.6.3; for example, a client sending the following Agent will not be able to access your website:

Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

The above is just an example and must not be used on your site, otherwise users of Firefox 3.6.3 will not be able to visit it: the resulting Http Code is 403 and all they see is the 403 page, that is, the access-forbidden page. Now let me show you how to write blocking rules. The statement SetEnvIfNoCase User-Agent ".*Firefox/3\.6\.3.*" bad_agent specifies what is to be blocked, and its core, ".*Firefox/3\.6\.3.*", is a regular expression that matches Agents containing Firefox/3.6.3. See a regular expression reference for the syntax. Here are several regular expression examples that you can apply:

From the above table, you can get a general idea: every literal dot (.) in the regular expression is written as \.; ^ matches the beginning and $ matches the end; .* matches characters of any length (including length 0). The following is a complete example that you can apply, and I believe you can then write your own rules:

## Block Bad Bots by User-Agent

# Every rule sets the same variable (bad_bot) that the Deny line below tests

SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot

SetEnvIfNoCase User-Agent "^Mozilla/4\.0$" bad_bot

SetEnvIfNoCase User-Agent "^Mozilla/5\.0$" bad_bot

# Empty User-Agent

SetEnvIfNoCase User-Agent "^$" bad_bot

Order Allow,Deny

Allow from all

Deny from env=bad_bot

3. Block a certain source (Referer)

If a website frequently hotlinks your resources and ignores requests to stop, you can achieve hotlink protection by banning its Referer. Here is an example that prohibits http://www.google.com from hotlinking your website. The regular expressions are written in the same way as above. Add the following rules to .htaccess:

SetEnvIf Referer "^http://www\.google\.com" bad_referer

Order Allow,Deny

Allow from all

Deny from env=bad_referer

4. Hotlink protection

By checking the source (Referer), you can achieve simple hotlink protection with the following code. The sites listed in it are allowed to access files on your website with the suffixes jpg|gif|png|css|js|bmp|mp3|wma|swf; access to these files from all other websites is prohibited. The rules are written in the same way as above. Change the domain names to suit your website and add the following rules to .htaccess:

# Apply the rules only to the file suffixes listed above

<FilesMatch "\.(jpg|gif|png|css|js|bmp|mp3|wma|swf)$">

SetEnvIf Referer "^http://www\.ludou\.org/" local_referer

SetEnvIf Referer "^http://cache\.baidu\.com/" local_referer

# Remove the leading # from the following statement to allow requests with an empty Referer. Generally, it is better to allow them.

# SetEnvIf Referer "^$" local_referer

Order Deny,Allow

Deny from all

Allow from env=local_referer

</FilesMatch>

5. Rename the file

Even if the resources on your site are being hotlinked, you can also achieve hotlink protection by renaming your files. After all, the hotlinkers do not know that you have changed the file name, and they will not monitor your files all day.

Summary

In any case, where there is defense there is attack; attack and defense will always be adversaries, and this tug-of-war will never stop. The methods introduced above only provide simple protection. If someone is determined to attack your website, they will not help much, and we can only respond to each move the opponent makes. That ability is something every webmaster has to learn and accumulate slowly. After all, running a website is not that simple.
