Strange request in access.log, how to block?
I am using nginx on my own server, and a few days ago I noticed some strange requests in my access.log:
77.50.217.37 - - [19/Aug/2011:17:50:50 +0200] "GET http://images.google.com/ HTTP/1.1" 200 151 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; .NET CLR 1.1.4322; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"
174.142.123.42 - - [19/Aug/2011:17:51:59 +0200] "GET http://l08.member.ird.yahoo.com/?.src=ym&login=_420_club_chick_&passwd=112211 HTTP/1.0" 200 151 "-" "MobileRunner-J2ME"
65.52.227.217 - - [19/Aug/2011:17:52:30 +0200] "GET http://javaddiction.biz/index.php HTTP/1.1" 404 570 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
188.72.199.25 - - [19/Aug/2011:17:52:35 +0200] "CONNECT google.com:80 HTTP/1.1" 400 172 "-" "-"
188.72.199.25 - - [19/Aug/2011:17:53:40 +0200] "CONNECT google.com:80 HTTP/1.1" 400 172 "-" "-"
Those are requests for domains I don't own (google, yahoo...).
I guess it may be web crawlers, or bots, or...
Is there a way to block this kind of packets, using fail2ban, iptables or I don't know what else... ?
Solution 1:
These are harmless crap requests that every web server on the internet sees - most likely script kiddies looking for a web server that is grossly misconfigured and allows you to make proxy requests and use the CONNECT method.
Your server seems appropriately configured to reject attempts to use the CONNECT method (Returns HTTP/400 - Bad Request), and I would bet you a shiny penny that if you telnet in and try to GET http://www.google.com/ you'll get a page off your site for your trouble.
The only way to make this kind of stuff go away is to block all HTTP traffic except from a list of "known good" hosts, which defeats the purpose of a public web server. My best advice is to relax, have a beer, and not obsess over entries in your web server's access/error logs unless you're looking to solve a specific problem.
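An added example, not part of the original answer: a small Python triage script that picks proxy probes (CONNECT, or an absolute URI for a host you do not serve) out of an nginx combined-format log and groups them by status and response size. `OWN_HOSTS` and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: hostnames this server legitimately serves.
OWN_HOSTS = {"example.org", "www.example.org"}

# nginx "combined" format: ip - user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

def classify(line):
    """Return (ip, kind, status, size) for a proxy probe, else None."""
    m = LINE_RE.match(line)
    parts = m["request"].split() if m else []
    if len(parts) != 3:
        return None  # unparseable line or malformed request line
    method, target = parts[0].upper(), parts[1]
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    if method == "CONNECT":
        return (m["ip"], "connect", status, size)
    # An absolute URI naming a host we do not serve is a proxy request.
    if target.lower().startswith(("http://", "https://")):
        try:
            host = (urlsplit(target).hostname or "").lower()
        except ValueError:  # e.g. malformed IPv6 literal
            host = ""
        if host not in OWN_HOSTS:
            return (m["ip"], "absolute-uri", status, size)
    return None

def summarize(lines):
    """Count probes by (kind, status, size)."""
    return Counter(p[1:] for p in map(classify, lines) if p)

# Constructed sample lines (documentation IPs and hosts, not real traffic).
_T = "[19/Aug/2011:17:50:50 +0200]"
SAMPLE = [
    f'192.0.2.10 - - {_T} "GET http://images.example.com/ HTTP/1.1" 200 151 "-" "UA"',
    f'192.0.2.20 - - {_T} "GET http://mail.example.net/?a=1 HTTP/1.0" 200 151 "-" "UA"',
    f'192.0.2.30 - - {_T} "GET http://other.example.com/index.php HTTP/1.1" 404 570 "-" "UA"',
    f'192.0.2.40 - - {_T} "CONNECT example.com:80 HTTP/1.1" 400 172 "-" "-"',
    f'198.51.100.5 - - {_T} "GET /index.html HTTP/1.1" 200 151 "-" "UA"',
    f'198.51.100.6 - - {_T} "GET http://www.example.org/ HTTP/1.1" 200 151 "-" "UA"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Probes answered with 200 and the same byte count as an ordinary local page got the server's own content rather than a proxied response; a 200 with a size that matches no local page is the case worth checking against the proxy configuration.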