Blocking direct IP access with Nginx
Reduce server load by dropping connections made by IP scanners.
I recently SSH’ed into the server for this website and noticed something odd in the Nginx access logs.
124.11.129.54 - - [01/Aug/2017:01:24:42 -0400] "HEAD http://107.170.221.131:80/PMA2016/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:42 -0400] "HEAD http://107.170.221.131:80/PMA2017/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:42 -0400] "HEAD http://107.170.221.131:80/PMA2018/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:43 -0400] "HEAD http://107.170.221.131:80/pma2011/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:43 -0400] "HEAD http://107.170.221.131:80/pma2012/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:43 -0400] "HEAD http://107.170.221.131:80/pma2013/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:44 -0400] "HEAD http://107.170.221.131:80/pma2014/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:44 -0400] "HEAD http://107.170.221.131:80/pma2015/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:45 -0400] "HEAD http://107.170.221.131:80/pma2016/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:45 -0400] "HEAD http://107.170.221.131:80/pma2017/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:45 -0400] "HEAD http://107.170.221.131:80/pma2018/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:45 -0400] "HEAD http://107.170.221.131:80/phpmyadmin2011/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:46 -0400] "HEAD http://107.170.221.131:80/phpmyadmin2012/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:46 -0400] "HEAD http://107.170.221.131:80/phpmyadmin2013/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:46 -0400] "HEAD http://107.170.221.131:80/phpmyadmin2014/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:47 -0400] "HEAD http://107.170.221.131:80/phpmyadmin2015/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:47 -0400] "HEAD http://107.170.221.131:80/phpmyadmin2016/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:47 -0400] "HEAD http://107.170.221.131:80/phpmyadmin2017/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:48 -0400] "HEAD http://107.170.221.131:80/phpmyadmin2018/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
124.11.129.54 - - [01/Aug/2017:01:24:48 -0400] "HEAD http://107.170.221.131:80/phpmanager/ HTTP/1.1" 301 0 "-" "Mozilla/5.0 Jorgee" "-"
For those not familiar with HTTP server administration, Nginx is the web server that runs this website. When you make a request, your browser sends the Host header with the request. The Host header tells Nginx what website you are attempting to access. The logs above show that someone with the IP address 124.11.129.54 is attempting to access my site directly by its IP address. There's nothing inherently wrong with this, except that my site doesn't run phpMyAdmin.
phpMyAdmin is a web frontend for MySQL databases. Website administrators might install it on their web server for convenient access to the database that stores their site's data. I speculate that these requests originate from vulnerability scanners, worms, or some other exploit tool looking for vulnerable phpMyAdmin instances to pwn.
I can't think of any legitimate reason why anyone would browse to my site directly by IP address (unless DNS wasn't working and they somehow knew the IP of my site beforehand). For this reason, I configured Nginx to drop connections when the request's Host header is the IP of the server. This configuration won't prevent bogus clients from connecting in the first place, but it will save some bandwidth by not replying.
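Here is one way to express that in Nginx, as an added example rather than the configuration from this post. It assumes the site's hostname is example.com and uses 107.170.221.131 (the address in the logs above) as the server's IP; the catch-all default_server block goes further than the post by also dropping requests for any unknown Host, not just the bare IP.

```nginx
# Added example, not the author's own config.
# Assumptions: hostname example.com, server IP 107.170.221.131 (from the logs).

# Catch-all: any request whose Host header matches none of the named
# servers below (the bare IP, a random hostname, or no Host at all) lands here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # 444 is Nginx-specific: close the connection without sending a response.
    # Nothing is written back, which is the bandwidth saving the post describes.
    return 444;
}

# Explicitly naming the IP is redundant with the block above, but makes the
# intent ("requests addressed to the server's IP are dropped") visible on read.
server {
    listen 80;
    listen [::]:80;
    server_name 107.170.221.131;
    return 444;
}

# The real site only answers when the Host header names it.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    root /var/www/example.com;   # assumed document root
    index index.html;
}
```

After `nginx -t` and a reload, `curl -sI -H 'Host: 107.170.221.131' http://107.170.221.131/` should report an empty reply from the server, while a request with `Host: example.com` is served normally. A default_server on port 443 needs its own ssl_certificate pair before Nginx will start, so the same trick on HTTPS requires a (self-signed is fine) certificate in that block.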