Detect suspicious activity with nginx

Hi guys

We are looking for a way to detect suspicious activity on high-traffic
websites. Parsing log files is not good option here, our current nginx
config generates around 90G of logs for around 412K http requests each

We are looking to use nginx to detect suspicious activity and generate
precise log when it happens for post-processing.

Some tools we are looking for would be something like

  • Detect IPs which accessed /uri1/ X times without accessing other URI
    in a period of time Y.

  • Detect IPs that are indexing our site by accessing sequential uris
    like /uri123, /uri124, /uri125, …

We are using load balancing services (haproxy), we enabled realip module
in nginx, we need something that can work with it.

If you have any pointers / ideas / module names that could help us,
please let me know.

Have a good day


Hi Max,

In my opinion you dont want to rely on nginx to do the analytics simply
log suspicious activity but rather need to look at a better
log analyzing solution. Have you checked out splunk? It is a very
log analyzer that will allow you to more intelligently parse the logs
has a free licence.


I would also look into some kind of blacklist, like
spam/drone/proxy/etc, to compare IP addresses that are suspicious and
kindly redirect them to /dev/null


You can try ides from and move then
Lua or Perl.