Question

Malicious connections in Nginx access log

Posted May 24, 2021 97 views
Nginx, Security, Firewall, Django

Is it normal to have a lot of malicious attempts in the NGINX access log? As far as I can tell none of them are succeeding, but it would be nice if there was a way to stop it. I have very few users on my website, so I’m assuming it’s an automated attack that goes through a scanner or something. I have also been getting emails from Django like so, which I’m not sure is an attack attempt or just a port scanner:

Invalid HTTP_HOST header: 'website.sock:'. The domain name provided is not valid according to RFC 1034/1035.

I am using Django with Nginx and Gunicorn, and using UFW as my firewall.

Here are a few examples:

149.28.111.235 - - [24/May/2021:05:44:45 +0000] "GET /.env HTTP/1.1" 404 133 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0"
192.241.205.171 - - [24/May/2021:06:14:14 +0000] "GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1" 404 158 "-" "Mozilla/5.0 zgrab/0.x"
45.146.164.125 - - [24/May/2021:07:38:34 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 5562 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.164.125 - - [24/May/2021:07:38:36 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 158 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"
45.146.164.125 - - [24/May/2021:07:38:39 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 158 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36"

One of them actually got a 200 code, which is worrisome, but I’m not sure what these do, besides the .env one obviously trying to view environmental variables, and I also noticed a few SQL injection attempts.

I have banned a few IP addresses, but they are obviously constantly changing.

Thanks, any advice greatly appreciated.
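
A triage sketch for log lines like the ones quoted in the question, added here as an example and not part of the original post: it parses Nginx combined-format lines, tags the probe types seen above, and lists the probes the server did not refuse (status below 400), such as the XDEBUG request that received a 200. The signature names, the `classify` and `triage` functions, and the sample lines (documentation IP ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)

# Assumed signatures, derived only from the requests quoted in the question.
PROBES = {
    "dotenv": re.compile(r"^/\.env\b"),
    "owa": re.compile(r"^/owa/", re.I),
    "xdebug": re.compile(r"[?&]XDEBUG_SESSION_START=", re.I),
    "phpunit-eval-stdin": re.compile(r"/phpunit/.*eval-stdin\.php", re.I),
}

def classify(target):
    """Return the names of all probe signatures matching the request target."""
    return [name for name, rx in PROBES.items() if rx.search(target)]

def triage(lines):
    """Group probe hits by client IP; list probes that were not refused (status < 400)."""
    by_ip, answered, unparsed = defaultdict(set), [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:  # e.g. a TLS handshake sent to the plain-HTTP port
            unparsed += 1
            continue
        hits = classify(m["target"])
        if not hits:
            continue  # ordinary traffic
        by_ip[m["ip"]].update(hits)
        if int(m["status"]) < 400:
            answered.append((m["ip"], m["target"], int(m["status"])))
    return dict(by_ip), answered, unparsed

# Constructed sample lines modelled on the question (documentation IP ranges).
SAMPLE = [
    r'198.51.100.7 - - [24/May/2021:05:44:45 +0000] "GET /.env HTTP/1.1" 404 133 "-" "Mozilla/5.0"',
    r'203.0.113.5 - - [24/May/2021:07:38:34 +0000] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 5562 "-" "Mozilla/5.0"',
    r'203.0.113.5 - - [24/May/2021:07:38:39 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 158 "-" "Mozilla/5.0"',
    r'192.0.2.10 - - [24/May/2021:08:00:00 +0000] "GET /accounts/login/ HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    r'192.0.2.44 - - [24/May/2021:09:12:01 +0000] "\x16\x03\x01" 400 157 "-" "-"',
]

if __name__ == "__main__":
    by_ip, answered, unparsed = triage(SAMPLE)
    print(by_ip, answered, unparsed, sep="\n")
```

An entry in `answered` is a prompt to compare that response with what the same path returns without the probe parameter, not proof that the probe worked.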
