I did a fix on editthis.info yesterday. It was running super slow, and I found that some IP addresses were banging the hell out of it. One was trying to connect to login.live.com or something like that from Microsoft. Another one kept requesting a weird string of escape characters. Both had no user agent strings. I am guessing they were trying to exploit some services by doing buffer overruns, but clearly the services don't exist on editthis.info.
I added some 403 errors for the offensive IPs, as well as for any request that doesn't carry a user agent string. That seems to have resolved the problem.
I think I need to do the same to cueflash and my other sites, as things have been running slower lately. Probably the same issue. Fortunately nginx makes it pretty easy:
server {
    server_name *.editthis.info editthis.info;

    # Reject requests that send no User-Agent header at all (the variable is
    # empty) or one that is literally "-".
    if ($http_user_agent = "") { return 403; }
    if ($http_user_agent = "-") { return 403; }

    location / {
        # One "deny <ip>;" per line; deny rules are evaluated before allow.
        include /etc/nginx/blocked_ips.conf;
        allow all;
        ...
    }
}
and /etc/nginx/blocked_ips.conf looks like:
deny 173.231.10.132;
deny 172.191.112.240;
deny 167.99.118.187;
deny 207.154.240.50;
deny 213.169.42.184;
deny 67.205.133.49;
Be sure to restart nginx after making the changes: the included file is read when the configuration is loaded, not on each request.
To find these bad IPs I used:
apt-get install goaccess
goaccess -f /var/log/nginx/access.log
This is a command line access log tool. It is nice because you don't have to set it up to run on a web server, and it is pretty snappy. It is definitely bare-bones, but it was all I really needed, and it runs in real time, so I could see the constant flow of attempted attacks coming in.
The one thing I wish it had was some detailed filtering.
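For the filtering goaccess lacks, a short script over the access log does the job: it applies the same two criteria used in the server block above (empty user agent, or an IP hammering the server) and emits the deny lines for blocked_ips.conf. This is an added example, not code from the post or from goaccess; it assumes nginx's default "combined" log format, and the log lines, IPs (from the documentation ranges) and the request threshold are constructed for illustration.

```python
import re
from collections import Counter

# Pattern for nginx's default "combined" log_format (assumption: the server
# uses the stock format; a custom log_format needs its own pattern).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one IP with no user agent sending odd escape
# strings, one normal visitor, and one noisy but otherwise normal client.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /%00%00%00%00 HTTP/1.1" 400 0 "-" "-"',
    '192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /%00%00%00%00 HTTP/1.1" 400 0 "-" "-"',
    '198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:55:39 +0000] "GET /%00%00%00%00 HTTP/1.1" 400 0 "-" "-"',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /index.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:55:42 +0000] "GET /%00%00%00%00 HTTP/1.1" 400 0 "-" "-"',
    '203.0.113.5 - - [10/Oct/2023:13:55:43 +0000] "GET /index.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    'this line is not in combined format and must be skipped',
    '203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /index.php HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:55:45 +0000] "GET /%00%00%00%00 HTTP/1.1" 400 0 "-" "-"',
]


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def empty_ua(ua):
    # nginx writes a missing User-Agent as "-", so both forms count as empty,
    # mirroring the two `if` checks in the server block.
    return ua in ("", "-")


def find_suspects(lines, max_requests=100):
    """Return {ip: [reasons]} for IPs that sent requests with no user agent
    or made more than max_requests requests in the given lines."""
    per_ip = Counter()
    no_ua = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate lines in another format instead of aborting
        per_ip[rec["ip"]] += 1
        if empty_ua(rec["ua"]):
            no_ua.add(rec["ip"])
    suspects = {}
    for ip, count in per_ip.items():
        reasons = []
        if ip in no_ua:
            reasons.append("empty user agent")
        if count > max_requests:
            reasons.append(f"{count} requests")
        if reasons:
            suspects[ip] = reasons
    return suspects


def deny_conf(ips):
    """Render a blocked_ips.conf body, one `deny <ip>;` per line, for nginx to include."""
    return "".join(f"deny {ip};\n" for ip in sorted(ips))


if __name__ == "__main__":
    # On a real server: find_suspects(open("/var/log/nginx/access.log"), max_requests=1000)
    found = find_suspects(SAMPLE_LOG, max_requests=3)
    for ip, reasons in found.items():
        print(f"{ip}: {', '.join(reasons)}")
    print(deny_conf(found))
```

The request threshold is the only tuning knob; pick it from the normal traffic of the site rather than the sample value here, and review the reasons printed before appending the output to blocked_ips.conf, since a busy legitimate client can exceed a count-only threshold.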