I don't really want to know about this since I would like to keep it really private and give my visitors their privacy as much as possible (not that my blog is popular, though).

I just installed Ubuntu with nginx from Digital Ocean with Ghost preinstalled, but previously I was on Wordpress. Right now (at this moment, while I'm writing) I keep seeing this log:

POST /bidRequest?exchange=smaato 500 2ms - 19b
POST /bidRequest?exchange=smaato 500 1ms - 19b
POST /bidRequest?exchange=smaato 500 1ms - 19b
POST /bidRequest?exchange=smaato 500 2ms - 19b
POST /bidRequest?exchange=smaato 500 1ms - 19b
POST /bidRequest?exchange=smaato 500 1ms - 19b
POST /bidRequest?exchange=smaato 500 2ms - 19b
POST /bidRequest?exchange=smaato 500 3ms - 19b
POST /wp-admin/admin-ajax.php 500 2ms - 19b
POST /bidRequest?exchange=smaato 500 2ms - 19b
POST /bidRequest?exchange=smaato 500 3ms - 19b
GET /winBid?erid=EzLM7nyV0n&eid=2&cpm=1.45449&bid=1628&w=1384697998 301 2ms
POST /bidRequest?exchange=smaato 500 2ms - 19b
POST /bidRequest?exchange=smaato 500 1ms - 19b
POST /bidRequest?exchange=smaato 500 3ms - 19b
POST /bidRequest?exchange=smaato 500 2ms - 19b

It is coming every second, as you can see, and they never stop. I'm thinking that they were trying to hack my site while I was on Wordpress, or that something else is going on with these requests. I would like to find out about these attacks and block their IP if this is something bad going on. How would I find out, or should I install some kind of module/plugin in my box in order to prevent this kind of behaviour?

alicoding
  • It looks like your IP was previously that of a server hosting some sort of API, and someone's still checking against it. Doesn't look like any sort of hacking attempt. – ceejayoz Nov 17 '13 at 14:24
  • @ceejayoz I would suspect that too, but I never actually hosted anything for people to check against. Or are you trying to say that the IP that digitalocean gave me was previously used for that? – alicoding Nov 17 '13 at 14:26
  • Yes, I'd bet that the IP was previously used by someone else's service. If they're still showing up days from now, someone probably hard-coded the IP in their script. – ceejayoz Nov 17 '13 at 15:00
  • Thanks @ceejayoz I will have to monitor this for a couple more days... – alicoding Nov 17 '13 at 15:25
  • It's highly unlikely this is anything to worry about. – Falcon Momot Nov 17 '13 at 20:02

3 Answers

Logging usually can be turned on, and its path set, in nginx.conf (/etc/nginx/nginx.conf).

If you open that file in vim or your editor, check or change this line:

    access_log  /var/log/nginx/access.log  main;

Ali

NGINX is capable of logging IP and other information that you might find interesting, but it seems that the log you're showing here isn't configured to include that information. If you adjust your nginx logs you should be able to enable it. If you need help, post your nginx logging configuration here. Mine looks like this:

    log_format main
            '$remote_addr - $remote_user [$time_local] '
            '"$request" $status $bytes_sent '
            '"$http_referer" "$http_user_agent" '
            '"$gzip_ratio"';

And logs like this in the logs:

76.113.215.212 - - [17/Nov/2013:10:19:19 -0600] "GET / HTTP/1.1" 200 15411 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.57 Safari/537.36"

Once you find the IP(s) in question, you should be able to block them in a number of ways - the most effective is probably as part of the firewall (iptables) or, if a temporary block until reboot is acceptable, you could use a REJECT routing entry, which basically makes your computer refuse to talk to that host at all. If you think that's a little heavy-handed, you could make rules to block in nginx in various ways (rate limiting comes to mind).

erik258

If your webserver is behind a load balancer, such as Amazon ELB, $remote_addr will not give you the client IP. Instead, every entry will be the IP of the upstream load balancing device.

To get around this, replace $remote_addr with $http_x_forwarded_for:

log_format main
'$http_x_forwarded_for - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" ';

nandoP
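Once one of the two log_format variants above is in place, the remaining step is to read the access log and find which addresses are behind those /bidRequest hits. The following is an added example written for this thread (not code from the answers or from nginx): it parses that log_format, counts requests per client for a path prefix, and emits nginx `deny` directives for the noisiest addresses. It assumes the quoting exactly as in the log_format shown above, and, when the first field is $http_x_forwarded_for, trusts only the rightmost address in the chain, the one your own load balancer appended; the sample log lines are constructed with documentation-range addresses.

```python
import re
from collections import Counter

# Regex for the "main" log_format from the answers above. The first field is
# $remote_addr, or $http_x_forwarded_for behind a load balancer; the non-greedy
# match lets that field carry a comma-separated address chain.
LINE_RE = re.compile(
    r'^(?P<client>.*?) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample lines (documentation-range addresses), not a real log.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Nov/2013:10:19:19 -0600] "POST /bidRequest?exchange=smaato HTTP/1.1" 500 19 "-" "curl/7.30"
203.0.113.7 - - [17/Nov/2013:10:19:20 -0600] "POST /bidRequest?exchange=smaato HTTP/1.1" 500 19 "-" "curl/7.30"
198.51.100.9 - - [17/Nov/2013:10:19:20 -0600] "GET /winBid?erid=x&cpm=1.4 HTTP/1.1" 301 0 "-" "Java/1.7"
192.0.2.1 - - [17/Nov/2013:10:19:21 -0600] "GET / HTTP/1.1" 200 15411 "-" "Mozilla/5.0"
192.0.2.55, 203.0.113.7 - - [17/Nov/2013:10:19:22 -0600] "POST /bidRequest?exchange=smaato HTTP/1.1" 500 19 "-" "curl/7.30"
"""

def client_ip(field):
    # Rightmost entry of an X-Forwarded-For chain is the one your own load
    # balancer appended; anything left of it was supplied by the client.
    parts = [p.strip() for p in field.split(",") if p.strip()]
    return parts[-1] if parts else "-"

def parse_line(line):
    """One log line -> dict of fields, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client"] = client_ip(rec["client"])
    return rec

def count_clients(lines, path_prefix):
    """Requests per client address whose path starts with path_prefix."""
    hits = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["path"].startswith(path_prefix):
            hits[rec["client"]] += 1
    return hits

def nginx_deny_lines(hits, threshold):
    """nginx 'deny' directives for addresses with at least threshold hits."""
    return [f"deny {ip};" for ip, n in hits.most_common() if n >= threshold]

if __name__ == "__main__":
    hits = count_clients(SAMPLE_LOG.splitlines(), "/bidRequest")
    print(hits.most_common(), nginx_deny_lines(hits, 2))
```

Run it against the real file with `count_clients(open("/var/log/nginx/access.log"), "/bidRequest")`; the `deny` lines go into a server or location block, or feed the addresses to iptables as the answer above suggests.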