Nginx and Cloudflare: How to Detect Cloners, Crawlers and IPs with Malicious Requests?

The following are the steps I performed to catch the malicious IP that was bugging my server for the past few weeks. Please note that I’m using SSH to access my Nginx server and used Cloudflare as my DNS.

1. Identify which of your sites is under attack. If you’re using one domain for your server then skip this. What I did to identify this is to check the running process in my server using htop or top and checked the processes in MySQL using “show processlist.” You’ll see a list of requests for a database and in my case I found out that there’s a high request in a specific DB used by my site.
2. Turn on “access logging” for that site in your Nginx configuration.
3. Analyze the log and check the IPs accessing your site. For example you use the, site-access.log as the filename of your log. Use the following command to list all the IPs accessing your site.

   cat site-access.log | awk '{print $1}' | sort -r | uniq -c | sort -nr

   The command will list all the IPs that accessed your site with the number of requests made by each IP. Check the information of each IP with high request using online IP lookup tools like the tool from http://whatismyipaddress.com/ip-lookup. With this tool, you’ll find which IP are legit search engine bots or not. You should take note of the GEO location, ISP, Description and ASN (Autonomous System Number) of the IP

4. Use Cloudflare’s Firewall features to block or “Javascript Challenge” the suspected IP. In my case I just used the Javascript Challenge option to test if that’s the IP that is really attacking the site. Actually, if you don’t want to undergo to the tons of analysis, you can simply enable the option “I’m Under Attack” in Cloudflare and and let CF do his thing automagically. 🙂 But of course all IPs, legit, good or bad will be affected by CF’s anti-DDOS solution (which is usually a Javascript challenge). I don’t want all IPs to show the anti-DDOS message so I just select some IPs that I suspected doing the attack. Now if you choose to identify the IP and you did capture it, you can use iptables to block the IP permanently or use the block option of Cloudflare instead.

That’s it! If you have any suggestion, question or feedback about this post, please feel free to add your comment below.