How to calculate what sends requests to the server from its own ip?

V

Vincent12020-12-05 00:06:50

linux

Vincent1, 2020-12-05 00:06:50

In the Apache logs with a fuzzy frequency of 1-3 minutes, such entries appear

en-01.mozartkids.com:443 82.98.132.102 - - [04/Dec/2020:15:44:08 -0500] "HEAD / HTTP/1.0" 400 141 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36"

82.98.132.102 - This is the ip of my own vps
There is no non-ordinary software on vps. Ubuntu. VestaCP, PHP, NGINX.
I watched what was spinning there in htop, so everything is also standard.
Has anyone else had a similar experience or can point me in the direction I need to go in order to solve this problem?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

V

Vincent1, 2020-12-05
@Vincent1

As Aleksey Cheremisin Aleksey Cheremisin advised , you need to use tcpdump.
We launch it and wait.
tcpdump tcp port 443
I have almost no visitors on the server, so additional filters were not needed.
As soon as a HEAD entry appeared in the apache access log, tcpdump also showed a request from planetlab24.net.in.tum.de, respectively. Well, then it became clear that just a bunch of apache + nginx did not always correctly display the visitor's ip.
To fix this, read On the VPS in the apache access.log, instead of the visitor's IP, the external IP of the VPS itself is recorded. How to record the desired IP? .
Now the correct ip is written to access.log.

en-01.mozartkids.com:443 138.246.253.24 - - [05/Dec/2020:07:53:47 -0500] "HEAD / HTTP/1.0" 400 4424 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.85 Safari/537.36"

K

ky0, 2020-12-05
@ky0

If the frequency is constant - perhaps some script in the scheduler or monitoring. But since you mentioned a b-goddy panel - of course, the first suspect - it is her offal.