Detect suspicious activity with nginx

Maxime Ducharme max at techboom.com
Tue Aug 9 21:17:08 UTC 2011


Hi guys

We are looking for a way to detect suspicious activity on high-traffic
websites. Parsing log files is not good option here, our current nginx
config generates around 90G of logs for around 412K http requests each
days.

We are looking to use nginx to detect suspicious activity and generate
precise log when it happens for post-processing.

Some tools we are looking for would be something like

- Detect IPs which accessed /uri1/ X times without accessing other URI
in a period of time Y.

- Detect IPs that are indexing our site by accessing sequential uris
like /uri123, /uri124, /uri125, ...

We are using load balancing services (haproxy), we enabled realip module
in nginx, we need something that can work with it.

If you have any pointers / ideas / module names that could help us,
please let me know.

Have a good day

Max




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20110809/c8bd9059/attachment.bin>


More information about the nginx mailing list