5

I am using nginx on my own server, and a few days ago I noticed some strange requests in my access.log:

77.50.217.37 - - [19/Aug/2011:17:50:50 +0200] "GET http://images.google.com/ HTTP/1.1" 200 151 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 1.1.4322; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"
174.142.123.42 - - [19/Aug/2011:17:51:59 +0200] "GET http://l08.member.ird.yahoo.com/?.src=ym&login=_420_club_chick_&passwd=112211 HTTP/1.0" 200 151 "-" "MobileRunner-J2ME"
65.52.227.217 - - [19/Aug/2011:17:52:30 +0200] "GET http://javaddiction.biz/index.php HTTP/1.1" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
188.72.199.25 - - [19/Aug/2011:17:52:35 +0200] "CONNECT google.com:80 HTTP/1.1" 400 172 "-" "-"
188.72.199.25 - - [19/Aug/2011:17:53:40 +0200] "CONNECT google.com:80 HTTP/1.1" 400 172 "-" "-"

Those are requests for domains I don't own (Google, Yahoo, ...).

I guess they may be web crawlers, bots, or something similar.

Is there a way to block this kind of traffic, using fail2ban, iptables, or some other tool?

jchampem
  • 53
  • 1
  • 3
  • Ignore them. They don't hurt or harm you. – mailq Aug 19 '11 at 16:31
  • Yes, but it's a very low-spec server, I was hoping to reduce load... – jchampem Aug 19 '11 at 16:36
  • 6
    The amount of time and energy your web server will spend replying "`400 - Piss Off!`" to these requests (or returning your default document to the ones that got a `200/OK`) is much lower than the workload of filtering every incoming connection to see if it's "bad". The most efficient thing to do is nothing. – voretaq7 Aug 19 '11 at 16:39

2 Answers

6

These are harmless junk requests that every web server on the Internet sees: most likely script kiddies looking for a web server that is grossly misconfigured and lets them make proxy requests or use the CONNECT method.

Your server seems appropriately configured to reject attempts to use the CONNECT method (it returns HTTP 400 Bad Request), and I would bet you a shiny penny that if you telnet in and try to `GET http://www.google.com/` you'll get a page off your own site for your trouble.
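If you would rather not serve your default page to those absolute-URI requests at all, one common nginx idiom is a catch-all default server that drops anything whose Host header doesn't match one of your sites. This is only a sketch; the listen port and the assumption that your real sites have their own `server_name` entries are mine, not from your config:

```nginx
# Catch-all server block: requests whose Host header matches no other
# server_name (e.g. images.google.com) land here instead of your site.
server {
    listen 80 default_server;
    server_name _;
    # 444 is an nginx-specific non-standard code: close the connection
    # without sending any response at all.
    return 444;
}
```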

The only way to make this kind of stuff go away entirely is to block all HTTP traffic except from a list of "known good" hosts, which defeats the purpose of a public web server. My best advice is to relax, have a beer, and not obsess over entries in your web server's access/error logs unless you're trying to solve a specific problem.

voretaq7
  • 79,345
  • 17
  • 128
  • 213
0

As voretaq7 said, you probably want to just leave those alone. After all, they are not doing anything (they are already rejected by nginx).

Other requests, though, could cause trouble if they do get through and you run an application that is sensitive to certain invalid hits.

One module I have used (with Apache, although it is also available for nginx) is mod_security. It lets you write rules that inspect incoming (and even outgoing) traffic for various things, such as the request method, and deny access as required.
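As a rough illustration of the kind of rule mod_security accepts, the following sketch (ModSecurity 2.x syntax) denies any request that uses the CONNECT method; the rule id is an arbitrary example value, and you'd adapt status codes and logging to your own policy:

```apache
# Hypothetical ModSecurity rule: reject CONNECT attempts outright.
# phase:1 runs it on the request headers, before any body is read.
SecRule REQUEST_METHOD "^CONNECT$" \
    "id:900100,phase:1,deny,status:405,log,msg:'CONNECT method blocked'"
```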

As a side note, I ran:

dig -x 188.72.199.25

and the output says:

199.72.188.in-addr.arpa. 3600   IN  SOA ns0.leaseweb.nl. Postmaster.leaseweb.nl. 2013121501 14400 7200 604800 3600

which is neither Google nor Yahoo! It may have changed since you posted your question, obviously, but such requests are most often sent by rogue robots or knowledgeable attackers, not by large corporations, which use their resources for much better things.

Alexis Wilke
  • 2,057
  • 1
  • 18
  • 33