Check IP who is visiting my site on nginx
Solution 1
Logging can usually be turned on, and its path set, in nginx.conf:
/etc/nginx/nginx.conf
If you open that file in vim or another editor, change or check this line:
access_log /var/log/nginx/access.log main;
Solution 2
NGINX is capable of logging IP and other information that you might find interesting, but it seems that the log you're showing here isn't configured to include that information. If you adjust your nginx logs you should be able to enable it. If you need help, post your nginx logging configuration here. Mine looks like this:
log_format main
'$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" '
'"$gzip_ratio"';
And logs like this in the logs:
76.113.215.212 - - [17/Nov/2013:10:19:19 -0600] "GET / HTTP/1.1" 200 15411 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"
Once you find the IP(s) in question, you should be able to block them in a number of ways - the most effective is probably as part of the firewall (iptables) or, if a temporary block until reboot is acceptable, you could use a REJECT routing entry which basically makes your computer refuse to talk to that host at all. If you think that's a little heavy handed, you could make rules to block in nginx in various ways probably (rate limiting comes to mind).
Solution 3
If your webserver is behind a load balancer, such as Amazon ELB, $remote_addr will not give you the client IP. Instead, every entry will be the IP of the upstream load balancing device.
To get around this, replace $remote_addr with $http_x_forwarded_for:
log_format main
'$http_x_forwarded_for - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" ';
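Added example (not from any of the answers above): a Python script that counts requests per client from access-log lines in either log_format shown on this page. For the $http_x_forwarded_for variant it takes the rightmost address outside your own proxy ranges, because entries to the left of it are supplied by the client and can be forged. `TRUSTED_PROXIES`, the function names and the sample lines are assumptions constructed for illustration, and it assumes each proxy appends the address it received the connection from.

```python
import ipaddress
import re
from collections import Counter

# First field is $remote_addr or $http_x_forwarded_for ("a, b, c" or "-").
LINE_RE = re.compile(
    r'^(?P<src>.+?) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+)')

# Assumption: the networks your own load balancers and proxies sit in.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def client_ip(src_field, trusted=TRUSTED_PROXIES):
    """Rightmost address that is not one of our proxies, else None."""
    for hop in reversed([h.strip() for h in src_field.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # "-" or junk: nothing further left can be trusted
        if not any(addr in net for net in trusted):
            return str(addr)
    return None

def top_talkers(lines, path_prefix=""):
    """Count requests per client IP, optionally only for one path prefix."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in either log_format from this page
        parts = m.group("request").split()
        path = parts[1] if len(parts) >= 2 else ""
        if path.startswith(path_prefix):
            counts[client_ip(m.group("src")) or "unknown"] += 1
    return counts.most_common()

# Constructed sample lines (documentation-range addresses, not real traffic).
T = "[17/Nov/2013:10:19:19 -0600]"
SAMPLE = [
    f'203.0.113.7 - - {T} "POST /bidRequest?exchange=smaato HTTP/1.1" 500 19 "-" "-"',
    # Client sent its own X-Forwarded-For; the proxy appended the real peer.
    f'192.0.2.1, 203.0.113.7 - - {T} "POST /bidRequest?exchange=smaato HTTP/1.1" 500 19 "-" "-"',
    f'198.51.100.23, 10.0.0.5 - - {T} "GET / HTTP/1.1" 200 15411 "-" "Mozilla/5.0"',
    f'- - - {T} "GET / HTTP/1.1" 200 15411 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in top_talkers(SAMPLE):
        print(f"{n:5d}  {ip}")
```

Passing a path prefix such as "/bidRequest" to `top_talkers` narrows the count to the requests in question before deciding what to block.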
alicoding
Updated on September 18, 2022
Comments
-
alicoding almost 2 years
I don't really want to know about this since I would like to keep it really private and give my visitor their privacy as much as possible (Not that my blog is popular though).
I just installed Ubuntu with nginx from Digital Ocean with the Ghost preinstalled, but previously I was with Wordpress. Right now (At this moment while I'm writing) I keep seeing this log
POST /bidRequest?exchange=smaato 500 2ms - 19b
POST /bidRequest?exchange=smaato 500 1ms - 19b
POST /bidRequest?exchange=smaato 500 1ms - 19b
POST /bidRequest?exchange=smaato 500 2ms - 19b
POST /bidRequest?exchange=smaato 500 1ms - 19b
POST /bidRequest?exchange=smaato 500 1ms - 19b
POST /bidRequest?exchange=smaato 500 2ms - 19b
POST /bidRequest?exchange=smaato 500 3ms - 19b
POST /wp-admin/admin-ajax.php 500 2ms - 19b
POST /bidRequest?exchange=smaato 500 2ms - 19b
POST /bidRequest?exchange=smaato 500 3ms - 19b
GET /winBid?erid=EzLM7nyV0n&eid=2&cpm=1.45449&bid=1628&w=1384697998 301 2ms
POST /bidRequest?exchange=smaato 500 2ms - 19b
POST /bidRequest?exchange=smaato 500 1ms - 19b
POST /bidRequest?exchange=smaato 500 3ms - 19b
POST /bidRequest?exchange=smaato 500 2ms - 19b
It is coming every second, as you can see, and they never stop on this, and I'm thinking that they are either trying to hack my site while I was on Wordpress or something is going on from these requests. I would like to find out about these attacks and block their IP if this is something bad going on. How would I find out, or should I install some kind of module/plugin in my box in order to prevent this kind of behaviour?
-
ceejayoz over 10 years: It looks like your IP was previously that of a server hosting some sort of API, and someone's still checking against it. Doesn't look like any sort of hacking attempt.
-
alicoding over 10 years: @ceejayoz I would suspect that too but I never actually host anything for people to check against? -- Or you are trying to say that the IP that digitalocean gave me was previously used for that?
-
ceejayoz over 10 years: Yes, I'd bet that the IP was previously used by someone else's service. If they're still showing up days from now, someone probably hard-coded the IP in their script.
-
alicoding over 10 years: Thanks @ceejayoz I will have to monitor this for a couple more days...
-
Falcon Momot over 10 years: It's highly unlikely this is anything to worry about.