TL;DR
This guide shows you how to check your Nginx web server logs for unusual activity, like attempted hacks or bots. We’ll cover common log locations, what to look for, and some simple tools to help.
1. Locate Your Nginx Logs
Nginx usually stores its logs in these places. You’ll need access to the server (usually via SSH) to view them.
- Access Log: /var/log/nginx/access.log – Records every request made to your web server.
- Error Log: /var/log/nginx/error.log – Records errors and warnings encountered by Nginx.
The exact location can vary depending on how you installed Nginx. Check your Nginx configuration (usually /etc/nginx/nginx.conf plus the files it includes from /etc/nginx/conf.d/ or /etc/nginx/sites-enabled/) for the access_log and error_log directives. A server block can set its own access_log, so an individual site may log somewhere other than the global default.
2. Basic Log Viewing
You can view logs using standard Linux commands:
- Follow the log as it grows: tail -f /var/log/nginx/access.log (shows the last ten lines, then prints new entries as they are written)
- View the entire log file: cat /var/log/nginx/access.log (not recommended for large logs; use less to page through them instead)
- Search for specific text: grep "suspicious_string" /var/log/nginx/access.log (replace suspicious_string with what you’re looking for)
3. What to Look For in Access Logs
Here are some things that might indicate a problem:
- Unusual IP Addresses: Lots of requests from an IP address you don’t recognise could be a bot or attacker. If Nginx sits behind a load balancer or CDN, the logged address is the proxy’s unless you log the X-Forwarded-For header or configure the real_ip module, so check that before you draw conclusions from an address.
- Strange URLs: Requests for files or pages that don’t exist on your website (404 errors) can indicate someone probing for vulnerabilities, especially a run of requests for paths such as /wp-login.php, /.env or /phpmyadmin/ on a site that doesn’t use them.
- High Error Rates: A sudden increase in 4xx and 5xx status codes suggests something is wrong, possibly an attack, possibly a broken deployment.
- Repeated Failed Login Attempts: If you have a login page, look for repeated attempts from the same IP address. The access log records only the HTTP status, and many applications answer a failed login with 200 or a 302 redirect, so look for bursts of POST requests to the login URL rather than for a particular status code.
- Requests with Suspicious Characters: Look for requests containing unusual characters or long strings in the URL (potential SQL injection, cross-site scripting or path traversal attacks). Attackers usually URL-encode these, so decode the request before judging it. Nginx does not log POST bodies by default, so a payload sent in a form body will not appear in the access log.
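The checks above can be automated. The script below is an added example, not code from the original guide: it parses lines in Nginx's default combined log format, ranks clients by request count, flags clients whose requests are mostly 404s, and URL-decodes each request before matching it against a short list of injection and traversal patterns. The log lines in SAMPLE_LINES are constructed for illustration (documentation IP ranges, invented timestamps), and the thresholds and the pattern list are assumptions you would tune for your own site.

```python
"""Scan Nginx access-log lines for the signals listed above.

Added example, not part of the original guide. Assumes the default Nginx
'combined' log format; SAMPLE_LINES are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Default 'combined' format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Substrings that commonly appear in SQL injection, XSS and path traversal
# probes (assumed starting list; extend it for your own application).
SUSPICIOUS = re.compile(
    r"(\.\./|<script|union\s+select|sleep\(|/etc/passwd|'\s*or\s+1=1|\x00)",
    re.IGNORECASE,
)

# Constructed sample data: a normal visitor, a path scanner, an injection
# attempt and one malformed request (e.g. TLS sent to the plaintext port).
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /.env HTTP/1.1" 404 162 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Oct/2023:13:56:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Oct/2023:13:56:04 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "python-requests/2.31"',
    '198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "python-requests/2.31"',
    '192.0.2.99 - - [10/Oct/2023:13:57:10 +0000] "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 845 "-" "curl/8.0"',
    '192.0.2.99 - - [10/Oct/2023:13:57:12 +0000] "GET /download?file=../../etc/passwd HTTP/1.1" 403 153 "-" "curl/8.0"',
    '192.0.2.50 - - [10/Oct/2023:13:58:00 +0000] "-" 400 0 "-" "-"',
]


def parse_line(line):
    """Fields of one log line as a dict, or None if the line does not follow
    the combined format (Nginx logs a malformed request as "-")."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def top_ips(lines, n=10):
    """Requests per client address, busiest first (the same count the awk
    one-liner in section 5 produces)."""
    counts = Counter(rec["ip"] for rec in map(parse_line, lines) if rec)
    return counts.most_common(n)


def analyze(lines, min_requests=5, max_404_ratio=0.5):
    """Return {ip: [reasons]} for addresses worth a closer look."""
    per_ip, not_found = Counter(), Counter()
    reasons = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec is None:
            continue  # unparseable line; see parse_line
        ip = rec["ip"]
        per_ip[ip] += 1
        if rec["status"] == "404":
            not_found[ip] += 1
        # Decode %xx sequences so "%27%20OR%201%3D1" is judged as "' OR 1=1".
        if SUSPICIOUS.search(unquote(rec["path"])):
            reasons[ip].append(f"suspicious request: {rec['method']} {rec['path']}")
    # A client whose requests are mostly 404s is probing for paths that exist.
    for ip, n in per_ip.items():
        if n >= min_requests and not_found[ip] / n >= max_404_ratio:
            reasons[ip].append(f"{not_found[ip]}/{n} requests were 404 (probing)")
    return dict(reasons)


if __name__ == "__main__":
    for ip, count in top_ips(SAMPLE_LINES):
        print(f"{count:>6} {ip}")
    for ip, why in analyze(SAMPLE_LINES).items():
        print(ip)
        for reason in why:
            print("   ", reason)
```

To run it against a real log, replace SAMPLE_LINES with the lines of /var/log/nginx/access.log (open the file and iterate over it) and adjust the thresholds; if you use a custom log_format, LOG_RE has to change to match it.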
4. What to Look For in Error Logs
The error log is crucial for identifying problems:
- Error Messages: Pay attention to any errors related to file access, permissions, or configuration issues.
- Warning Messages: Warnings might indicate potential security vulnerabilities or performance bottlenecks.
- Connection Errors: Repeated connection refused, upstream timed out or worker_connections are not enough messages can suggest a denial-of-service attack, or simply a backend that has fallen over; compare their timing with the access log to tell the two apart.
5. Using Tools for Log Analysis
Manually searching logs can be tedious. Here are some tools to help:
- awk: A powerful text-processing tool. For example, to count requests per IP address:
  awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr
- goaccess: A real-time web log analyzer and interactive viewer that displays statistics in a terminal or writes an HTML report. It needs to know the log format; for Nginx's default format pass COMBINED:
  sudo apt install goaccess   # on Debian/Ubuntu
  goaccess /var/log/nginx/access.log --log-format=COMBINED -o report.html
- Log Management Services: Tools like Graylog, ELK Stack (Elasticsearch, Logstash, Kibana), or Splunk provide more advanced log analysis features and dashboards. These are usually best for larger websites with complex logging needs.
6. Blocking Suspicious IPs
Once you’ve identified a suspicious IP address, you can block it in Nginx:
- Edit your Nginx configuration file: Add a deny rule to the http or server block. Putting it in the http block applies it to every site Nginx serves; putting it in a server block limits it to that site. Example:
  http {
      ...
      deny 192.168.1.10;
      allow all;
      ...
  }
  (This blocks IP address 192.168.1.10. A CIDR range such as 192.168.1.0/24 works too. Nginx checks allow/deny rules in order and stops at the first match, so the deny lines must come before allow all.)
- Test and reload Nginx:
  sudo nginx -t                  # Test the configuration
  sudo systemctl reload nginx    # Reload the config
Be careful when blocking IPs – make sure you’re not accidentally blocking legitimate users, your own address, or a proxy or CDN whose address appears in the log in place of the real clients.
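To keep the blocklist from locking out addresses you rely on, it helps to generate the deny snippet from a script that refuses trusted ranges and invalid input. The following is an added example, not part of the original guide: it turns a list of flagged addresses into a file of deny lines followed by allow all, skipping anything inside the trusted networks you declare. The flagged addresses and trusted ranges are constructed, and /etc/nginx/blocklist.conf is an assumed path that you would include from the http or server block.

```python
"""Render an Nginx deny snippet from flagged addresses, never blocking a
trusted range. Added example, not part of the original guide.
"""
import ipaddress


def render_blocklist(flagged, trusted_networks):
    """Return (config_text, skipped). config_text has one deny line per
    address followed by allow all; skipped lists (address, reason) pairs
    that were refused."""
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    denies, skipped = [], []
    for raw in sorted(set(flagged)):          # dedupe, stable order
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            skipped.append((raw, "not a valid IP address"))
            continue
        if any(addr in net for net in trusted):
            skipped.append((raw, "inside trusted network"))
            continue
        denies.append(f"deny {addr};")
    # allow all goes last: Nginx stops at the first allow/deny rule that matches.
    text = "# generated blocklist; include this file inside http { } or server { }\n"
    text += "".join(line + "\n" for line in denies) + "allow all;\n"
    return text, skipped


# Constructed input: office range plus internal monitoring as trusted,
# flagged addresses taken from a log review (one duplicate, one typo).
TRUSTED = ["203.0.113.0/24", "10.0.0.0/8"]
FLAGGED = ["198.51.100.23", "192.0.2.99", "203.0.113.7", "not-an-ip", "192.0.2.99"]

if __name__ == "__main__":
    text, skipped = render_blocklist(FLAGGED, TRUSTED)
    print(text)
    for ip, why in skipped:
        print(f"skipped {ip}: {why}")
    # Next steps: write text to /etc/nginx/blocklist.conf (assumed path),
    # add "include /etc/nginx/blocklist.conf;" to the http or server block,
    # then run `sudo nginx -t` before `sudo systemctl reload nginx`.
```

Regenerate the file rather than editing it by hand, so the trusted-range check runs every time the list changes, and always run nginx -t before reloading.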