Sunday, October 22, 2017

How to deal with lots of requests for "\x80d\x01\x03\x01" in cpanel/apache?

I'm seeing a lot of these in the apache error log, from many different client IPs:

Invalid method in request \x80d\x01\x03\x01

With "lots" I mean several per second, constantly. None of these IPs are found in the regular apache logs, so only in the error log.

Is this something to worry about, and if so, how can I repair or protect against it?

I suppose I could just make fail2ban block the IPs but that seems a bit unnecessary when I don't know what's going on.

Edit: Apache is serving both regular HTTP (about 100 vhosts) and SSL HTTPS (4 vhosts).

# uname -a
Linux xxxx 2.6.18-371.3.1.el5PAE #1 SMP Thu Dec 5 13:29:20 EST 2013 i686 i686 i386 GNU/Linux

# /usr/local/cpanel/cpanel -V
11.38.2 (build 12)

# httpd -V
Server version: Apache/2.2.23 (Unix)
Server built: Jan 13 2013 07:13:59
Cpanel::Easy::Apache v3.16.6 rev9999
Server's Module Magic Number: 20051115:31
Server loaded: APR 1.4.6, APR-Util 1.4.1
Compiled using: APR 1.4.6, APR-Util 1.4.1
Architecture: 32-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/usr/local/apache"
-D SUEXEC_BIN="/usr/local/apache/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="logs/accept.lock"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"

# httpd -l
Compiled in modules:
core.c
mod_authn_file.c
mod_authz_host.c
mod_authz_groupfile.c
mod_authz_user.c
mod_authz_default.c
mod_auth_basic.c
mod_include.c
mod_filter.c
mod_deflate.c
mod_log_config.c
mod_logio.c
mod_env.c
mod_expires.c
mod_headers.c
mod_unique_id.c
mod_setenvif.c
mod_version.c
mod_proxy.c
mod_proxy_connect.c
mod_proxy_ftp.c
mod_proxy_http.c
mod_proxy_scgi.c
mod_proxy_ajp.c
mod_proxy_balancer.c
mod_ssl.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_info.c
mod_suexec.c
mod_cgi.c
mod_negotiation.c
mod_dir.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_rewrite.c
mod_so.c
# httpd -M
Loaded Modules:
core_module (static)
authn_file_module (static)
authz_host_module (static)
authz_groupfile_module (static)
authz_user_module (static)
authz_default_module (static)
auth_basic_module (static)
include_module (static)
filter_module (static)
deflate_module (static)
log_config_module (static)
logio_module (static)
env_module (static)
expires_module (static)
headers_module (static)
unique_id_module (static)
setenvif_module (static)
version_module (static)
proxy_module (static)
proxy_connect_module (static)
proxy_ftp_module (static)
proxy_http_module (static)
proxy_scgi_module (static)
proxy_ajp_module (static)
proxy_balancer_module (static)
ssl_module (static)
mpm_prefork_module (static)
http_module (static)
mime_module (static)
status_module (static)
autoindex_module (static)
asis_module (static)
info_module (static)
suexec_module (static)
cgi_module (static)
negotiation_module (static)
dir_module (static)
actions_module (static)
userdir_module (static)
alias_module (static)
rewrite_module (static)
so_module (static)
auth_passthrough_module (shared)
bwlimited_module (shared)
frontpage_module (shared)
security2_module (shared)
Syntax OK


Answer

That error signifies that clients are attempting to speak SSL/TLS to a listener that is not actually running SSL.

This might be an error in configuration (missing an SSLEngine On for a virtual host that's intended to be SSL enabled, or is listening on port 443?). Or it might just be a case of some wacky user trying to access https://example.com:80.

Unfortunately, the error doesn't provide any hints on which listener got the request - the best thing to do is to go through your configuration and make sure that all the listeners that are supposed to have SSL are speaking it correctly.
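Added example, not code from the question or the answer: a small Python triage script that turns the escaped bytes Apache writes to error_log back into the raw bytes the client sent and recognises the header from the question as an SSLv2-compatible ClientHello (0x80 = two-byte record header, 0x64 = record length 100, 0x01 = CLIENT-HELLO, 0x0301 = TLS 1.0), which is what "a client speaking TLS to a plain-HTTP listener" looks like in the log. It goes beyond the page by also recognising the plain TLS record form (\x16\x03\x01) and by counting hits per client IP; the log lines, timestamps and IPs are constructed.

```python
import re
from typing import Optional

# Apache writes unprintable request bytes to error_log as \xNN escapes;
# printable bytes (the 'd' below, 0x64) appear literally.
ESCAPE_RE = re.compile(r'\\x([0-9a-fA-F]{2})|(.)', re.S)
LOG_RE = re.compile(r'\[client ([^\]]+)\] Invalid method in request (\S+)')
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# Constructed sample error_log lines in Apache 2.2 format (not taken from the post).
SAMPLE_LOG = [
    r"[Sun Oct 22 10:15:01 2017] [error] [client 198.51.100.7] Invalid method in request \x80d\x01\x03\x01",
    r"[Sun Oct 22 10:15:02 2017] [error] [client 203.0.113.9] Invalid method in request \x16\x03\x01",
    r"[Sun Oct 22 10:15:03 2017] [error] [client 203.0.113.9] Invalid method in request \x80d\x01\x03\x01",
    r"[Sun Oct 22 10:15:04 2017] [error] [client 192.0.2.5] File does not exist: /usr/local/apache/htdocs/favicon.ico",
]

def unescape_apache(token: str) -> bytes:
    """Turn the escaped request token from error_log back into the raw bytes the client sent."""
    return bytes(int(h, 16) if h else ord(c) for h, c in ESCAPE_RE.findall(token))

def classify_invalid_method(line: str) -> Optional[dict]:
    """Say what the rejected 'method' bytes really are; None for unrelated log lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    raw = unescape_apache(m.group(2))
    info = {"client": m.group(1), "raw": raw, "kind": "unknown"}
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01:
        # SSLv2-compatible ClientHello: 2-byte header with the high bit set (other 15 bits =
        # record length), msg type 0x01 = CLIENT-HELLO, then the client's highest version.
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        info.update(kind="sslv2_compat_client_hello", record_len=length,
                    version=VERSIONS.get((raw[3], raw[4]), "unknown"))
    elif len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        # Plain TLS record layer: content type 0x16 = handshake, then the record version.
        info.update(kind="tls_record_handshake", version=VERSIONS.get((raw[1], raw[2]), "unknown"))
    return info

def summarize(lines) -> dict:
    """Count each classification and collect the distinct client IPs behind it."""
    stats = {}
    for line in lines:
        info = classify_invalid_method(line)
        if info is None:
            continue
        entry = stats.setdefault(info["kind"], {"count": 0, "clients": set()})
        entry["count"] += 1
        entry["clients"].add(info["client"])
    return stats
```

Feed `summarize()` the lines of the real error_log instead of SAMPLE_LOG: a handful of kinds with many distinct clients points at misdirected TLS handshakes on a plain-HTTP listener rather than at anything worth a fail2ban rule.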

