can't replicate/block portscanner

Jonathan Vanasco nginx at 2xlp.com
Fri Dec 9 23:29:04 UTC 2016


I got hit with a portscanner a few minutes ago, which caused an edge-case I can't repeat.

the access log looks like this:

	94.102.48.193 - [09/Dec/2016:22:15:03 +0000][_] 500 "GET / HTTP/1.0" 10299 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)" "-" cookies="-"

the server block was:

	server {
	    listen 80 default_server;
	    server_name _; 
	    ...
	}

but there is another ip block:

	server { listen 80;
		      server_name ~^[0-9.]*$;
        }


i can't figure out how to duplicate this request.  the 500 was triggered, because the upstream application server didn't get find a "HTTP_HOST" environment variable set up, and i'd like to protect against this. 


More information about the nginx mailing list