0

I looked into my nginx access logs to check who accessed my server and I noticed this line:

<IP> - - [25/Feb/2016:02:49:12 +0100] "GET / HTTP/1.1" 302 160 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"

I use GeoIP and I only allow requests from my country and if a request comes from another country, nginx should return HTTP 444. But this time nginx returned 302 to the caller. Why?

Is this kind of http-request a bad one? Have somebody tried to hack my server?

PatrickMA
  • 113
  • 6
  • `"GET / HTTP/1.1" ` does not look to be a bad request. Is hard to say why nginx replied 302 from that ip without knowing your nginx config. – Petter H Feb 25 '16 at 18:41

2 Answers2

0

The nmap portion is unrelated the the geo IP blocking. Someone in your country is running a scripting engine which made a request from your website. Your website is configured to send a 302 when the home page is requested.

That's the best I can tell from the information provided.

Tim
  • 31,888
  • 7
  • 52
  • 78
  • What other information can I provide you to find out why nginx returned 302? – PatrickMA Feb 26 '16 at 06:27
  • Nginx config including location. Nginx access and error logs. If you give the actual live domain name it may be easier, and there's really no reason to obfuscate most of the time. – Tim Feb 26 '16 at 08:26
0

nmap is likely scanning IP addresses, not host names. You are likely wondering about the 302 response because that's not the usual response of your website's home page.

I suspect you will find if you make an HTTP request to port 80 of the ip address of your server, that it returns a 302 from configuration for a "default domain" which is not usually used because normal requests include a host name in the request..

It's unlikely someone is trying to hack your server, but it is of course possible. There is a lot of background junk traffic that happens on the internet, often from automated systems looking for known vulnerabilities in common software.

Take it as reminder to keep your software stack up to date.

Also, you can take the incoming IP and use a Geo IP lookup service to get an idea of whether the IP address originated in your country.

Mark Stosberg
  • 3,901
  • 24
  • 28
  • Thank you for the answer. The IP Adress which targeted my server is located in the USA. So I'm wondering why nginx did not return 444. – PatrickMA Feb 26 '16 at 06:24
  • We need to see your Nginx configuration. If you have have a "default server" configuration like it appears, perhaps your GeoIP blocking is not set to work in that `server{}` block. – Mark Stosberg Feb 26 '16 at 14:39