I came across a line in my Nginx access log:

218.201.121.99 - admin [12/Dec/2012:18:33:18 +0800] "GET /manager/html HTTP/1.1" 444 0 "-" "-"

Let me stress that there is only 1 record with this IP.

Notice the authenticated user admin.

After some googling, I was only able to find out that this is the authenticated user (http://wiki.nginx.org/HttpCoreModule#.24remote_user), which was authenticated by the Auth Basic Module (http://wiki.nginx.org/HttpAuthBasicModule).

However, nowhere in my site (configuration) do I use HTTP basic authentication.

What is going on? How did it get there? Was the user authenticated?

bearcat

1 Answer

The fact that a username was given in the log means only that the client passed a username (and presumably a password). It does not necessarily mean that it authenticated successfully. In fact, we can see from your log entry that it did not; nginx returned a 444, an internal error which means nginx dropped the connection without sending anything.

Michael Hampton
  • Yes, I have certain rules which return 444. May I know how the user passes the username/password, because it doesn't show in the log. – bearcat Dec 13 '12 at 03:40
  • You can pass HTTP authentication credentials in the URL, such as: http://username:password@example.com/a/sample/url – priestjim Dec 13 '12 at 19:35
  • @PanagiotisPapadomitsos: Look at the log line above. It shows the full request URL. The credentials are not there, not even in the query string. – bearcat Dec 14 '12 at 00:49
  • Even if you do not define an HTTP auth rule in your nginx config, people can still push an HTTP auth request to your web server, they will however just get a 444 error, since no HTTP auth rules are defined. What you see in your log is normal and probably a bot's work. – priestjim Dec 16 '12 at 11:33
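
The mechanism discussed in this thread, as an added example that is not part of the original posts: a client can attach an Authorization: Basic header to any request, and the username in it is what the access log records as $remote_user, so it never appears in the request URL. The sketch decodes such a header and classifies log lines in nginx's default combined format; the function names, the sample header and the second log line are constructed for illustration.

```python
import base64
import re

# nginx default "combined" log format.
COMBINED = re.compile(
    r'(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def basic_auth_user(header_value):
    """Username inside an 'Authorization: Basic <base64>' value, else None."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True)
    except ValueError:            # malformed base64 (binascii.Error)
        return None
    user, sep, _password = decoded.decode("utf-8", "replace").partition(":")
    return user if sep else None

def classify(line):
    """Say what a logged $remote_user does and does not prove."""
    m = COMBINED.match(line)
    if m is None:
        return None
    user, status = m["user"], int(m["status"])
    if user == "-":
        verdict = "no credentials sent"
    elif status == 444:
        verdict = "username sent by client; nginx closed the connection"
    elif status in (401, 403):
        verdict = "username sent by client; request refused"
    else:
        verdict = "username sent by client; verify auth_basic covers this URI"
    return {"addr": m["addr"], "user": user, "status": status, "verdict": verdict}

# Constructed header: what a client sends to make "admin" show up in the log.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"admin:placeholder").decode()
LOG_LINES = [
    # The line from the question.
    '218.201.121.99 - admin [12/Dec/2012:18:33:18 +0800] '
    '"GET /manager/html HTTP/1.1" 444 0 "-" "-"',
    # Constructed line: ordinary request with no Authorization header.
    '192.0.2.10 - - [12/Dec/2012:18:40:02 +0800] '
    '"GET / HTTP/1.1" 200 612 "-" "ExampleAgent/1.0"',
]

if __name__ == "__main__":
    print(basic_auth_user(SAMPLE_HEADER))
    for entry in map(classify, LOG_LINES):
        print(entry)
```

On a server with no auth_basic directive, any non-"-" value in the user field is client-supplied and unverified.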