Apache getting hit by localhost (127.0.0.1)

Question

I have a server that keeps getting random hits from itself, well the ip reads as 127.0.0.1. I know there are all sorts of programs that could be doing this, but the server is a bare minimum LAMP server with sendmail and monit. Recently I also installed APC for PHP acceleration. I'm baffled as to why this is happening, here is an example request from the access logs

domain.ext:80 127.0.0.1 - - [10/May/2014:22:51:56 -0400] "OPTIONS * HTTP/1.0" 200 126 "-" "Apache/2.2.22 (Ubuntu) (internal dummy connection)"

What does that mean? Is it normal? I don't think so. I haven't found a lot online about it, so I'm here asking, any insight into this log message and how to stop it would be appreciated. Thanks.

Answer 1

This is normal. Apache web server does it to keep it's threads alive that are waiting to accept new connections.

But as a rule of thumb to prevent unnecessary risks make sure you don't have all the modules enabled by default. Only enable modules that you need. Also I see that you are using apache 2.2 probably you should use the latest one 2.4.9 if you can update.

You can also run some tests on your server that checks some basic vulnerabilities like one provided by SSL labs

There are more commercial products available from Qualys and Nessus that can run scans.

See this link as well

Answer 2

So after reading https://wiki.apache.org/httpd/InternalDummyConnection (Thanks Marc B!) I learned that these access log entries are normal as Apache manages its child processes. It is also pretty easy to filter the logged requests with that signature.

Still, just because Apache does this in most situations, doesn't mean it all ways did on my server and it could easily be a rouge process messing with my server. This is a good example where monitoring my server from the beginning would have been a very good idea.