0

Lately i see some line like this in my access.log

[2a05:22c7:1:2102::7] 114.32.218.17 - - [13/Dec/2024:01:03:10 +0000] "GET / HTTP/1.0" 200 12794 "-" "-"

Normally my access.log are like this

[alebalweb-blog.com] 170.79.144.26 - - [13/Dec/2024:01:05:01 +0000] "GET / HTTP/2.0" 200 7830 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0" [alebalweb-blog.com] 170.79.144.26 - - [13/Dec/2024:01:05:01 +0000] "GET /style.css HTTP/2.0" 200 2374 "https://www.alebalweb-blog.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0" [alebalweb-blog.com] 170.79.144.26 - - [13/Dec/2024:01:05:01 +0000] "GET /images/transparent.gif HTTP/2.0" 200 0 "https://www.alebalweb-blog.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:133.0) Gecko/20100101 Firefox/133.0"

What are these lines? Should I block them? How can I block them with fail2ban?

Improve this question
1
  • 2
    This is probably just vulnerability scanning, which is not unusual. Even if the scan poses no threat, which it probably doesn’t, it’s at least consuming resources. I would block them. Commented Dec 14, 2024 at 2:11

1 Answer 1

Reset to default
1

"-" is used in Apache to indicate a missing field in a log entry. In your case, the client did not send a Referer or User-Agent in the request.

I would be concerned if these are frequent and if they use different paths. It could be a health check or, as pointed out in the comments, you're getting scanned. If you're concerned, block the IP and watch for a different IP taking its place.

Improve this answer
1
  • lots of ips... so how can i recognize and block them all with fail2ban? Commented Dec 17, 2024 at 1:50

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.