I have a new web server running nginx. The default server is receiving 10K+ requests every day from Russian bots. They are clearly probing for something, but it's hard to say what since the requests are partially hex encoded. I have tried decoding them, but still couldn't tell what their aim is. Here are some examples:
W\xF1p\x8B4\x1D\xFB\x06\xD9\xBF\x82\x87\xE8\xC8\xA2\x98\x9Boj\xB6`6\x15\x8B\x1Ab\x17\x92\xC1\x12\xC9\xCB{AW\x14\xCB\x14\xDD\xC9\x9F
Q\xA3q\xD1\x9E\x93\x95\xD8\xBD_|>\x87z\x95\x0Bz$
\xF3\xFA\xD2s\xB8$\x11(q\xDBk\x9E\xEBn\x22\x22\xE4N\x0B\xFC\xB2\xE6\xD2\x9F\x81\xF4\xC2>dq%\x9F\xD8u)\xAE\x06{
The server returns 400 for all these requests. Regardless, I would like to block these bots from making these requests since I don't want them to succeed at whatever it is they're trying to do.
I use fail2ban but it isn't configured to stop these. Should I set up a special filter to find these in the logs? The only consistency that I can see is they all have "\x##" where ## is a hex code. However, I don't want to block any legitimate requests, so the filter needs to target these bot requests only.
Any ideas on how to do this?
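As an added illustration (not part of the original question), the script below shows the kind of log filter the question is asking about: it matches nginx access-log lines whose request field contains the `\xHH` escapes nginx writes for non-printable bytes and that were answered with a 400, and it tallies offending client IPs. The regex is the same shape you would put in a fail2ban `failregex`, with fail2ban's `<HOST>` placeholder in place of the `(?P<host>...)` group; the log lines and IP addresses are constructed samples, and since fail2ban applies its own timestamp handling, the date bracket in the pattern may need to be dropped there. A legitimate URL-encoded request (`%5Cx41`) is included to show that it does not match, because nginx never emits a literal backslash for ordinary percent-encoded input.

```python
import re
from collections import Counter

# Constructed sample nginx access-log lines in the combined format. The
# hex-escaped request strings mirror how nginx records non-printable bytes;
# the IPs are documentation addresses, not real hosts.
SAMPLE_LOG = r'''
203.0.113.10 - - [01/Mar/2024:10:00:01 +0000] "W\xF1p\x8B4\x1D\xFB\x06\xD9\xBF\x82\x87\xE8\xC8" 400 166 "-" "-"
203.0.113.10 - - [01/Mar/2024:10:00:02 +0000] "Q\xA3q\xD1\x9E\x93\x95\xD8\xBD_|>\x87z\x95\x0Bz$" 400 166 "-" "-"
198.51.100.7 - - [01/Mar/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Mar/2024:10:00:04 +0000] "GET /search?q=%5Cx41 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.55 - - [01/Mar/2024:10:00:05 +0000] "\xF3\xFA\xD2s\xB8$\x11(q\xDBk\x9E\xEBn\x22\x22\xE4N" 400 166 "-" "-"
198.51.100.7 - - [01/Mar/2024:10:00:06 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"
'''

# Match: client IP, the two dash fields, the bracketed timestamp, a quoted
# request field containing at least one literal "\xHH" escape, then status 400.
# The equivalent fail2ban failregex replaces (?P<host>\S+) with <HOST>.
BINARY_PROBE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "[^"]*\\x[0-9A-Fa-f]{2}[^"]*" 400 '
)


def is_binary_probe(line: str):
    """Return the client IP if the line is a hex-escaped request that got a 400, else None."""
    m = BINARY_PROBE.match(line)
    return m.group("host") if m else None


def offending_hosts(log_text: str, threshold: int = 1) -> dict:
    """Count matching lines per client IP and return those at or above threshold.

    A threshold above 1 mirrors fail2ban's maxretry: a single garbled request
    from an otherwise normal client should not earn a ban.
    """
    counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        host = is_binary_probe(line)
        if host:
            counts[host] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in offending_hosts(SAMPLE_LOG).items():
        print(f"{host}: {n} binary probe(s)")
```

The status-code anchor matters: requiring ` 400 ` after the request field keeps the filter from firing on a well-formed request that merely carries unusual bytes in a header or path, and the two-hex-digit requirement after `\x` avoids matching a literal backslash followed by an `x` that nginx did not escape.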