Access Module Question

December 25, 2009 01:48PM
I recently had a spike in requests and saw many lines like this in the
access log:

67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)"

So I added:

deny 67.249.108.42;

into nginx.conf in the "http" section where there are a few other banned
IPs.

I ran

# nginx -s reload

I expected that this IP would be blocked but it kept showing up in the
log. I reloaded a couple more times with no change. I restarted nginx
and then that IP was indeed blocked and requests went down to normal. Is
this expected behavior? Error log does show that the "reload" signal was
received.

# tail -10000 /var/log/nginx-error* | grep signal | more
2009/12/25 13:16:53 [notice] 22620#0: signal process started
2009/12/25 13:18:40 [notice] 22673#0: signal process started
2009/12/25 13:19:58 [notice] 22693#0: signal process started
2009/12/25 13:25:22 [notice] 23629#0: signal process started

I'm running nginx 0.8.31 on FreeBSD 8.0.

--
Jim Ohlstein
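
An added example, not part of the original post: a small log check that finds clients bursting within one second and lists requests from a denied IP that were still served (not answered with 403, the status nginx returns for a `deny` match) after the time a reload was signalled. The sample lines, the documentation-range addresses and the function names are constructed for illustration; only the log format and the 13:16:53 reload time are taken from the post.

```python
import re
from collections import Counter
from datetime import datetime

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(lines):
    """Yield (ip, datetime, status) per well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])

def burst_ips(lines, per_second=5):
    """IPs that sent at least `per_second` requests within one clock second."""
    counts = Counter((ip, ts) for ip, ts, _ in parse(lines))
    return sorted({ip for (ip, _), n in counts.items() if n >= per_second})

def served_after(lines, ip, since):
    """Requests from `ip` at or after `since` that were NOT answered with 403,
    i.e. requests the deny rule was not applied to."""
    return [(ts, st) for i, ts, st in parse(lines)
            if i == ip and ts >= since and st != 403]

# Constructed sample data modelled on the log lines in the post.
def _line(ip, hms, status):
    return (f'{ip} - - [25/Dec/2009:{hms} -0500] "GET /forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" '
            f'{status} 185 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"')

SAMPLE = (
    [_line("203.0.113.7", "13:15:57", 301)] * 6      # burst before the ban
    + [_line("198.51.100.20", "13:15:58", 200)]      # ordinary visitor
    + [_line("203.0.113.7", "13:17:10", 301)]        # still served after reload
    + [_line("203.0.113.7", "13:26:00", 403)]        # deny finally in effect
)
RELOAD = datetime.strptime("25/Dec/2009:13:16:53 -0500", TS_FMT)

if __name__ == "__main__":
    print("burst sources:", burst_ips(SAMPLE))
    print("served after reload:", served_after(SAMPLE, "203.0.113.7", RELOAD))
```
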
