If you are using Laravel Forge to provision your server and you're not serving traffic directly from your server's public IP address, chances are you disabled the "default" site that comes with the new server (as you should).
Chances are, however, access_log is still turned on in the catch-all config. All the spam requests coming from bots all over the world will fill up your access.log file.
In our case, we were getting hundreds of these requests, per second. This was filling up the server disk as you can imagine. Thankfully, we spotted the problem on Appkeep before it was too late.
This is an excerpt from our access.log. Nginx was logging a ton of odd looking, cryptic requests.
5.214.105.83 - - [22/Dec/2022:11:56:32 +0000] "4\x8Fm\x9B2\x92\xB0\x5C\xF1\xD2\xB6\xABg \x8B\x0B+\x96\x00E\xDFP\x97\x9EZ6\x11\x22xo|4\xE3\x8E\xAA%x \x82_\x9B\xFC\xF5\xBD" 400 150 "-" "-"
5.210.152.58 - - [22/Dec/2022:11:56:32 +0000] "z\xD4\x0E\xCF\xB6\x0B@\x05t]\x03#)\x96I6\xD0Y\xE9X\x8C;/[\x8Bb\x01" 400 150 "-" "-"
151.246.8.221 - - [22/Dec/2022:11:56:32 +0000] "&\x12\xFDY\xD9t;9\xBC\x188\x88\x15\x9A\x91\x06\x95\xDA\xB3\xC1t\x96\xCBV\xD0v\xA1\xCC\xA3\xCF\x16\xF9\x80)\xFA\x93" 400 150 "-" "-"
152.228.133.186 - - [22/Dec/2022:11:56:32 +0000] ":\x1A\xD3\xD3\x84O\xC4\x16\xD5u\x01\xD3<\xFC\xF3C\xDE\xDC(b?h\xF8!\xD0L(\x22\xEA\x82\xA6m\x7F\xA2" 400 150 "-" "-"
Whenever a request comes in, and doesn't match with any of your Forge sites, it will be handled according to this config: /etc/nginx/sites-available/000-catch-all. It looks something like this:
server {
listen 80 default_server;
listen [::]:80 default_server;
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
server_name _;
server_tokens off;
// .... some other stuff
error_log off;
return 444;
}
Everything looks good here, except access_log off is missing. We add that right after error_log off; and we're done!
We run the following command to reload Nginx config:
service nginx reload
And voila! The spam requests stop showing up on our disk. We claimed 10% of disk space by getting rid of all the access.log files. Day saved.
P.S. This actually doesn't block the bot requests from coming in. Nginx is configured to close the socket (return 444 does that). If you want to prevent bot attacks, a better solution here would be to use a WAF like Cloudflare.
