Comment by jpsouth

7 months ago

I may be asking a really silly question here, but

> as soon as an IP address is logged as having visited the trap URL (honeypot, or zipbomb or whatever), a log monitoring script bans that client.

Is this not why they aren’t getting the full file?

I believe Apache is logging complete requests. For instance, in the case of clients sent to a honeypot, I see a log entry appear when I pick a honeypot script from the process listing and kill it. That could be hours after the client connected. The timestamps logged are connection time, not completion time. E.g., here is a pair of consecutive logs:

  124.243.178.242 - - [29/Apr/2025:00:16:52 -0700] "GET /cgit/[...]
  94.74.94.113 - - [29/Apr/2025:00:07:01 -0700] "GET /honeypot/[...]

Notice the second timestamp is almost ten minutes earlier.
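An added example, not part of the original comments: the out-of-order pair above can be turned into a lower bound on how long a trapped request was held open. It assumes the behaviour described in the reply (a line is written at completion but stamped with the start time); the function name, the 60-second threshold and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Common Log Format prefix: client IP, two ident fields, [timestamp], "METHOD path
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def min_durations(lines, threshold=timedelta(seconds=60)):
    """Return (ip, path, lower_bound) for requests open for at least `threshold`.

    Assumption taken from the reply above: a line is written when the request
    completes but carries the time it started. Any earlier line in the file
    with a later timestamp belongs to a request that started while this one
    was still open, so (newest timestamp seen so far - this timestamp) is a
    lower bound on how long this request lasted.
    """
    newest = None
    held = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts_text, _method, path = m.groups()
        ts = datetime.strptime(ts_text, TS_FORMAT)
        if newest is not None and newest - ts >= threshold:
            held.append((ip, path, newest - ts))
        if newest is None or ts > newest:
            newest = ts
    return held


# Constructed sample: addresses and paths are made up; the two middle
# timestamps mirror the pair quoted in the reply.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Apr/2025:00:16:50 -0700] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [29/Apr/2025:00:16:52 -0700] "GET /cgit/example HTTP/1.1" 200 2048',
    '198.51.100.7 - - [29/Apr/2025:00:07:01 -0700] "GET /honeypot/example HTTP/1.1" 200 0',
    '192.0.2.12 - - [29/Apr/2025:00:16:55 -0700] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, path, lower in min_durations(SAMPLE_LOG):
        print(f"{ip} {path} was open for at least {lower}")
```

A log monitor that reads lines as they are appended sees the trap hit only at this point, after the request has already finished.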