For few minutes my php fpm went down. In nginx access log I can see in that time lot of this (same IP) Code: 45.32.69.51 - - [15/Nov/2016:15:33:29 +0100] "GET /?FMCuJd=mLnj20&38QLDjwe=HYrlkJJe&XYG=GLGNK&7ikeDcG=RGM00xH3FO1ui5NIPof&c5ImJpwNA2=BdBhfxekVNprAmALvs HTTP/1.1" 502 166 "-" "Mozilla/5.0 (Linux i386; X11) Gecko/20052602 Firefox/20.0" 45.32.69.51 - - [15/Nov/2016:15:33:29 +0100] "GET /?awujLywJPq=3Xnl3qp&140=qnEUjEtiWJoil5l3 HTTP/1.1" 200 257212 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_4_1) Gecko/20061111 Firefox/13.0" 45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?lPi80C7=11MccAedD6pF&hi3FKhQf=mFK8jGq8&bwV3I=SnCSbA&OS27PSNQYr=aHv8HDMMp4Q8cAa7vuV&PBP=M2L4I HTTP/1.1" 502 166 "http://www.yandex.com/PGYWc4" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_0) Gecko/20012501 Firefox/22.0" 45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?BcD=tbVOF62eK5R HTTP/1.1" 200 256708 "http://www.yandex.com/s4oJv5W8?Ux323WG=2g325DPRItfuH&LAKrPBHfR=TCuo&bPDP=nLWSixGelwpfWo2WUa&8RNq6GLI4W=RR0OSpOOU&bkacjCkjk8=OPavU0VpgtsjR&4r0IdNxwG=DUyFYJqDqByv5uw7wKan&umxfP=w2CEW7GetJi&oNqdDRdMPT=P3R2BMf3sHGo" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_3_4) Gecko/20022609 Firefox/21.0" 45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?mRU0Ixofp=T67Ud5kygxulFdo23x&vXrD=lOFW HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Windows; U; MSIE 8.0; Macintosh; .NET CLR 2.0.16502; Intel Mac OS X 10_6_0)" 45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?mtVSH5mEE7=IU2dtLNuqTgX&rHjLeNU=62VVde8jYx2&uRWMfQ6ej=JvRCG6xuqO&20daA=n2UIk2 HTTP/1.1" 200 256384 "http://www.baidu.com/NyGKI?0WuP3Ck=HmEGt4dghwkS3Glat&ROie8aDLD=PdcXg8U3Q7IOnE1n8m&F3C0vJ=4jSeyQutQ6&dVwxsW4gp=3OSYAUy" "Mozilla/5.0 (compatible; MSIE 8.0; Macintosh; .NET CLR 3.5.6072; Intel Mac OS X 11_4_5)" 45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?ukgr=vgMPpsWc1g&umMEKjpki=hTRmNiPbvHWwYt HTTP/1.1" 502 166 "http://www.google.com/OXmL6?lDA=Cn7GG3TRWDxlShTeLj2&qOJQ3w1=hpQUsl&KVRxd=guAsK&jSHc=OJLPiFYjx10&fX2BYkwl=IMm&L3B=88lj3Sni&f06Unp=Xpx0x" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_4_1) Gecko/20090311 Firefox/14.0" 45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?46l=VMrbmC8ithshE6we8fC&xeQdGt4=P24ONCsM526R6RMY HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.3; .NET CLR 2.1.29612; Win64; x64)" 45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?leLa0xMr=snMFbxu165GH&EyMFo=eaebsVl1QoiIYJ HTTP/1.1" 200 256748 "http://www.google.com/hbdOFUh?b02D=RV1DEQJ6lTWbVm&VCGoH7NNst=EaFSFl6bLPMGd" "Mozilla/5.0 (compatible; MSIE 6.0; Linux i386; .NET CLR 3.5.6072; X11)" 45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?QHurh=hKQpobYHMaKTLJB&nYmHYpYJW=rQKMUOcqKRPJk&4BOvPp=DNAF25u0A5&WXPX=27bSlTNQQHKX&wYembSMb=1ThnNHAjdx HTTP/1.1" 200 255186 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 11_3_4) AppleWebKit/536.10 (KHTML, like Gecko) Chrome/18.0.604.43 Safari/537.26" 45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?cHv0HfrYq8=qkUS3qEdwMbHx&Cd0tAo=lhIy2jP&7uWvkc=mBmfbGJieX2cHeh&GYSfN=Fry&7GD=TC18CLem8OpCDstNwfT HTTP/1.1" 502 568 "http://www.bing.com/sCrKwyum1w?hHKdrixE3v=Q8WiP6eEQaTKJ&uXRhu=ftOb&cXakFFBKp=8nXLa3gtUIGY&rsaSnYg=VRf2S8hOTfyCRIvvpmM&JRqNkD2j=wp51WCQxD&eA2=nNbRmSXH5&QWl3A=vPbb8A0gES&nXi4NACcfu=piYur&OUbTng=MWnGjb8KR4ScAstvPYmb" "Mozilla/5.0 (compatible; MSIE 10.0; Linux x86_64; .NET CLR 2.3.19866; X11)" 45.32.69.51 - - [15/Nov/2016:15:33:30 +0100] "GET /?2Hq=JKGl HTTP/1.1" 200 44429 "-" "Mozilla/5.0 (Windows NT.6.2; Win64; x64) AppleWebKit/537.18 (KHTML, like Gecko) Chrome/29.0.1726.79 Safari/536.14" 45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?L5cNlj=kxOWGx1yptqd&N4jUkLS=QRwERUxBT&i6uE8vCrn=qutVq&EgaHpgjKUC=gktXDtfIjftGN3VWiaB&2M6Aob3K1=kAPVMQAofIAkhUbeBtJ HTTP/1.1" 200 255212 "-" "Mozilla/5.0 (Linux i386; X11) AppleWebKit/535.21 (KHTML, like Gecko) Chrome/16.0.338.21 Safari/536.34" 45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?COqlBippM=yEcjwY HTTP/1.1" 502 166 "http://www.pijanitvor.com/iarc1EBy?xPqpe=74ViMfs4wVXwhnLyv&LG3FwDy=J41lKmn&MxSsG=Asd83npGNBcUCv272AjK&cggK6oJQ=CnJT7yXFox&BoIJqCsY=EONGVbVD2fQtl0t&00ixwXCYG=sicgwgGpMhS&cvgC0HOK=xc2vD3ysF17f&BFNEgmix4=sRUjv4MgtMLHoeCI&YsiLj=xlT2hTF67tL" "Mozilla/5.0 (Linux i386; X11) Gecko/20100809 Firefox/13.0" 45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?VyY8=ksErAlmN1ai&M2uM1=uScbUAj7maDYNWigUMe HTTP/1.1" 502 166 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_1_2) Gecko/20101308 Firefox/16.0" 45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?4l2CO=Iu5l&okO=8yyPYedWJDqCEYX&2EiMYCLq=rqaLXNKhju6Eq&CTwSEKlF=ob7YfnrOuHH30Vp HTTP/1.1" 502 568 "-" "Mozilla/5.0 (compatible; MSIE 7.0b; Linux i386; .NET CLR 2.0.2727; X11)" 45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?heYYmB=ah8i&PhqV=6QHKNMMRVLo&hMU6UhA=6AFh5U1oXpqqtkBC&rvLE1MoFn=rWgiFUq HTTP/1.1" 502 166 "http://www.baidu.com/MMX8kWS" "Mozilla/5.0 (Linux i386; X11) Gecko/20060305 Firefox/13.0" 45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?HTQj5s=I2GNL&KsYoqsva=YKtGFESKc7lb3tbyFFRI&DJyW20q5=TwFo74df7h&Qyr8=MRUY HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT.6.2; .NET CLR 2.0.16502; WOW64)" 45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?PYs=c3F8w&AFfatpxUs=mrFb6qhIOISbcQ4OX2H&oSlBaFTld1=mWsPvHetyfT HTTP/1.1" 502 568 "http://www.bing.com/TtvRFuvX7h?nToy=PPf2Fh16asbWId4So0A&8gNR0PsPIP=HCpdfPqpe&V3WqVPS4=u7JRnaso2fpS4s&SlFKHHY=BfJS3Ikc0F&CKWtVYm=I1O&AvU6nUoCPV=WOnkiT2owtvO26X&rbpL=7acKdqMMvPtEIwU&HH1t8O301M=fqD3sdNn8GAdw&3xPuQkOLT=3kWkwRW5aH" "Mozilla/5.0 (Linux x86_64; X11) AppleWebKit/536.14 (KHTML, like Gecko) Chrome/21.0.1256.84 Safari/536.21" 45.32.69.51 - - [15/Nov/2016:15:33:31 +0100] "GET /?fVJUR4=1Sleqt8cMxx&26cwMD=eDf8jsYNjayEKdm&FFwNUfG=5ODstAKxP&7t2GpV=dkmE0RIKbw1&Dn7V=Iy4Q201ldn35j HTTP/1.1" 502 568 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.25 (KHTML, like Gecko) Chrome/23.0.407.41 Safari/535.34" Should I disable IP or something else regarding this, or should I disable bot names, or what? If yes, how?
nothing to do with bad bot blocking as that gets 444 status not 502, looks like you're being attacked by that ip 45.32.69.51 on old chrome user agents which is a vultr ip http://www.tcpiputils.com/browse/ip-address/45.32.69.51 but looks like baidu and yandex UA are present. Could be they overwhelmed you php-fpm server as it could be down hence 502
502 bad gateway means nginx can't communicate with php-fpm backend because php-fpm is down, unavailable or overloaded.
Seems to me that I have to play with this settings: Code: pm = dynamic pm.max_children = 16 ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 pm.start_servers = 6 pm.min_spare_servers = 4 pm.max_spare_servers = 12 pm.max_requests = 500 ... php_admin_value[memory_limit] = 512M
Trying right now: Code: pm = dynamic pm.max_children = 12 ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2 pm.start_servers = 6 pm.min_spare_servers = 4 pm.max_spare_servers = 10 pm.max_requests = 200 php_admin_value[memory_limit] = 1024M
implement bad bot blocking and adjust user agents as needed Blocking bad or aggressive bots | Centmin Mod Community i.e. rate limit or block baidu and yandex bots
fyi some SSH commands to filter your nginx access.log just change accesslog variable to point to your domain.com's log/access.log location Code (Text): accesslog='/home/nginx/domains/domain.com/log/access.log' read -ep "Filter which status code ? i.e. 404 : " var ; awk -v errno=${var} '$9 == 'errno' { print $1 }' $accesslog | sort | uniq -c | sort -n Then you can filter log based on http status code i.e. 502 i.e. Code (Text): Filter which status code ? i.e. 404 : 405 2 190.129.35.245 2 85.230.197.63 3 158.69.244.240 4 149.56.102.92 4 192.99.144.140 4 198.27.89.245 9 164.132.201.51
Code: # read -ep "Filter which status code ? i.e. 404 : " var ; awk -v errno=${var} '$9 == 'errno' { print $1 }' $accesslog | sort | uniq -c | sort -n Filter which status code ? i.e. 404 : 502 1 109.228.89.178 1 109.245.156.121 1 109.245.39.40 ... 10 134.90.132.13 10 31.147.65.248 10 93.143.31.169 12 37.187.141.25 13 79.101.136.129 16 207.46.13.186 17 180.191.111.244 18 136.243.152.18 18 207.46.13.193 19 68.180.229.238 21 207.46.13.172 3579 45.32.69.51 112100 158.69.116.62 last two blocked
FYI, 502 status doesn't mean the ip is bad as it could be a legit visitor hitting server while php-fpm is down. Though i doubt any legit user would have that mean instances logged for their ip so you'd want to check the ip's user agent in your access logs
Yep, this last two are blocked, others no. I will block only with "extra numbers > 200" Any shortcut command for that?
learn how to use awk and grep to filter on your access and error logs Understanding and using AWK command Advanced Grep Commands Guide
I can list all rows containg one IP Code: grep -iw "31.223.139.91" /home/nginx/domains/pijanitvor.com/log/access.log but how to show and print only useragent of that IP?
probably need to learn how to use awk i.e. if you're using 123.09beta01 default nginx log format which is customised for nginx amplify compatibility, then fields/columns minus date would look like Code (Text): awk '/IP.ADDR/{print $1,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22}' access.log | sort | uniq -c | sort -n where IP.ADDR is the ip address you want to search for i.e. partial ip match on 180.76.15 gives me Code (Text): awk '/180.76.15/{print $1,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22}' access.log | sort | uniq -c | sort -n 1 180.76.15.138 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.140 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.143 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.14 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.154 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.159 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.160 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.161 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.19 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.22 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.23 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.26 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.29 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.32 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 1 180.76.15.7 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 2 180.76.15.136 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 2 180.76.15.13 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 2 180.76.15.16 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 2 180.76.15.18 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 2 180.76.15.20 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 3 180.76.15.155 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 3 180.76.15.163 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- 4 180.76.15.156 "Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)" "-" rt=0.000 ua="-" us="-" ut="-" ul="-" cs=- awk and grep are important commands to master as is sort and uniq commands
what commad you used? try using tail command to list last 10 entries Code (Text): awk '/IP.ADDR/{print $1,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22}' access.log | sort | uniq -c | sort -n|tail -10 Changing access.log to the full path to yours i.e. /home/nginx/domains/domain.com/log/access.log
That is better now. Code: # awk '/45.32.69.51/{print $1,$12,$13,$14,$15,$16,$17,$18,$19,0,$21,$22}' /home/nginx/domains/pijanitvor.com/log/access.log | sort | uniq -c | sort -n|tail -10 26 45.32.69.51 "Mozilla/5.0 (compatible; MSIE 8.0; Linux x86_64; .NET CLR 0 X11)" 26 45.32.69.51 "Mozilla/5.0 (Linux x86_64; X11) Gecko/20080210 Firefox/21.0" 0 29 45.32.69.51 "Mozilla/5.0 (compatible; MSIE 6.1; Linux x86_64; .NET CLR 0 X11)" 33 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 10.0; Macintosh; .NET CLR 0 Intel Mac 44 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 6.0; Macintosh; .NET CLR 0 Intel Mac 46 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 9.0; Macintosh; .NET CLR 0 Intel Mac 51 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 6.1; Macintosh; .NET CLR 0 Intel Mac 54 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 7.0b; Macintosh; .NET CLR 0 Intel Mac 62 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 8.0; Macintosh; .NET CLR 0 Intel Mac 69 45.32.69.51 "Mozilla/5.0 (Windows; U; MSIE 7.0; Macintosh; .NET CLR 0 Intel Mac ip's user agent - Mozilla? Same IP has many other user agents, but in last 10 is Mozilla What could be suspicious ip's user agent