I have an Elastic Beanstalk application running on AWS for development purposes. It's running the Amazon Linux 2 image, which comes with NGINX.
Today I pulled some logs and noticed lots of these in the error logs:
2021/06/24 14:44:52 [error] 10780#10780: *31743 "/usr/share/nginx/html/owa/index.html" is not found (2: No such file or directory), client: 172.XXX.XXX.XXX, server: localhost, request: "GET /owa/ HTTP/1.1", host: "44.XXX.XXX.XXX"
2021/06/24 15:09:50 [error] 10780#10780: *32145 open() "/usr/share/nginx/html/.env" failed (2: No such file or directory), client: 172.XXX.XXX.XXX, server: localhost, request: "GET /.env HTTP/1.1", host: "35.XXX.XXX.XXX"
2021/06/24 15:36:11 [error] 10780#10780: *32566 open() "/usr/share/nginx/html/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" failed (2: No such file or directory), client: 172.XXX.XXX.XXX, server: localhost, request: "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1", host: "35.XXX.XXX.XXX"
2021/06/24 13:14:42 [error] 10780#10780: *30267 open() "/usr/share/nginx/html/system_api.php" failed (2: No such file or directory), client: 172.XXX.XXX.XXX, server: localhost, request: "GET /system_api.php HTTP/1.1", host: "35.XXX.XXX.XXX"
What does the 10780#10780: *30267 mean? What are the server, host, and client in this context?
What would be making these GET requests to these locations? Does NGINX normally have .html, .php, and .env files at these locations, or is it some bot that's just blindly trying to see if I have left sensitive information on the server?
If it's spam, how can I block these?
Thank you.
I use fail2ban (you can search tutorials on the net to install) with the following settings in /etc/fail2ban/jail.local
[nginx-4xx]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
And the following contents in /etc/fail2ban/filter.d/nginx-4xx.conf
[Definition]
failregex = ^<HOST>.*"(GET|HEAD|POST).*" (404|444|403|400|499) .*$
ignoreregex =
This gets rid of all those bots blindly exploring my site. Also, FYI, my bantime setting is -1 (ban forever), but that should only be used when you are sure there are no broken links.
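A dry run of the failregex above over a few access.log lines shows what the jail would count before a permanent ban is switched on. This is an added example, not part of the original answer: the log lines are constructed (the paths are taken from the question, the addresses are documentation ranges), the `<HOST>` tag is replaced by a simplified IPv4 pattern, and the `maxretry` threshold is an assumed value because the jail above does not set one.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# the real tag also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex from nginx-4xx.conf above, with <HOST> substituted.
FAILREGEX = re.compile(
    r'^<HOST>.*"(GET|HEAD|POST).*" (404|444|403|400|499) .*$'.replace("<HOST>", HOST)
)

# Constructed access.log lines in nginx's default "combined" format.
# 203.0.113.7 plays the scanner, 198.51.100.20 an ordinary browser.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2021:14:44:52 +0000] "GET /owa/ HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [24/Jun/2021:15:09:50 +0000] "GET /.env HTTP/1.1" 404 153 "-" "-"
203.0.113.7 - - [24/Jun/2021:15:36:11 +0000] "GET /system_api.php HTTP/1.1" 404 153 "-" "-"
198.51.100.20 - - [24/Jun/2021:15:40:02 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.20 - - [24/Jun/2021:15:40:03 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""


def count_failures(log_text):
    """Return a Counter of failregex matches per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        match = FAILREGEX.match(line)
        if match:
            hits[match.group("host")] += 1
    return hits


def would_ban(log_text, maxretry):
    """Addresses whose match count reaches maxretry (assumed jail threshold)."""
    counts = count_failures(log_text)
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for host, n in count_failures(SAMPLE_LOG).items():
        print(f"{host}: {n} matching line(s)")
    # A single missing favicon.ico is enough to ban the browser at maxretry=1.
    print("banned at maxretry=3:", would_ban(SAMPLE_LOG, 3))
    print("banned at maxretry=1:", would_ban(SAMPLE_LOG, 1))
```

On a host with fail2ban installed, `fail2ban-regex /var/log/nginx/access.log /etc/fail2ban/filter.d/nginx-4xx.conf` runs the real filter against the real log.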