I recently had a spike in requests and saw many lines like this in the
access log:
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)"
67.249.108.42 - - [25/Dec/2009:13:15:57 -0500] "GET
/forums/forumdisplay.php?s=&forumid=2 HTTP/1.1" 301 185 "-" "Mozilla/4.0
(compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; (R1 1.6); .NET
CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)"
So I added:
deny 67.249.108.42;
into nginx.conf in the “http” section where there are a few other banned
IPs.
I ran
nginx -s reload
I expected that this IP would be blocked but it kept showing up in the
log. I reloaded a couple more times with no change. I restarted nginx
and then that IP was indeed blocked and requests went down to normal. Is
this expected behavior? Error log does show that the “reload” signal was
received.
tail -10000 /var/log/nginx-error* | grep signal | more
2009/12/25 13:16:53 [notice] 22620#0: signal process started
2009/12/25 13:18:40 [notice] 22673#0: signal process started
2009/12/25 13:19:58 [notice] 22693#0: signal process started
2009/12/25 13:25:22 [notice] 23629#0: signal process started
I’m running nginx 0.8.31 on FreeBSD 8.0.
--
Jim O.
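
An added example, not part of the original post: nginx still writes requests rejected by a deny rule to the access log, with status 403, so whether a block is in force shows in the status column rather than in whether the address still appears. The Python sketch below splits a denied address's post-reload requests into blocked and still served; it assumes the combined log format and treats any 403 as the deny rule, and its function names, addresses and log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, timestamp, status), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FORMAT), int(m["status"])

def block_report(lines, denied_ips, reload_time):
    """Per denied IP, count requests logged at or after reload_time as
    'blocked' (status 403) or 'served' (any other status)."""
    report = {ip: Counter() for ip in denied_ips}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        ip, ts, status = rec
        if ip in report and ts >= reload_time:
            report[ip]["blocked" if status == 403 else "served"] += 1
    return report

# Constructed sample: documentation-range addresses, invented requests.
SAMPLE = [
    '203.0.113.7 - - [25/Dec/2009:13:15:57 -0500] "GET /forums/ HTTP/1.1" 301 185 "-" "-"',
    '203.0.113.7 - - [25/Dec/2009:13:17:10 -0500] "GET /forums/ HTTP/1.1" 301 185 "-" "-"',
    '203.0.113.7 - - [25/Dec/2009:13:18:02 -0500] "GET /forums/ HTTP/1.1" 301 185 "-" "-"',
    '203.0.113.7 - - [25/Dec/2009:13:26:05 -0500] "GET /forums/ HTTP/1.1" 403 169 "-" "-"',
    '198.51.100.9 - - [25/Dec/2009:13:26:06 -0500] "GET / HTTP/1.1" 200 512 "-" "-"',
    'not an access log line',
]
# Time the reload was issued (constructed; taken from the error log in practice).
RELOAD = datetime.strptime("25/Dec/2009:13:16:53 -0500", TS_FORMAT)

if __name__ == "__main__":
    for ip, counts in block_report(SAMPLE, {"203.0.113.7"}, RELOAD).items():
        print(ip, dict(counts))
```

A non-zero "served" count after the reload time means requests from that address were still being answered normally; only "blocked" entries mean the rule was applied.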