Suspicious Traffic

dmissai
Frequent Visitor
Hi All,
 
I need your assistance and guidance regarding suspicious traffic attempting to access our Nginx application servers.
 
I've observed the following in our server logs:
 
A seemingly suspicious request was made to an application. Please check the log below for more info

Log:
Sep  7 01:58:57 notify notify.express.tz nginx_access: 104.23.225.17|||-|||07/Sep/2025:01:58:57 +0300|||"GET /.env HTTP/1.1"|||301|||162|||"Mozilla/5.0 (Linux i386; X11) Gecko/20031105 Firefox/25.0"|||"ndeni.go.tz"|||"ndeni.go.tz"


Log:
Sep  7 00:59:19 appserver5 appserver15.express.tz nginx_access_appserver5: 162.158.111.94|||-|||07/Sep/2025:00:59:19 +0300|||"GET /.env HTTP/1.1"|||301|||162|||"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"|||"piga.wall.africa"|||"piga.wall.africa"
 
 
I've attempted to mitigate this by creating an Access Control List (ACL) to block URL patterns `*/*` and `/*`, but this hasn't been effective.
 
Could you please advise on how we can effectively drop this traffic at the firewall, as indicated by the logs?
 
Kind Regards,
DI
5 Replies

evelyn69mohr
Community Member

The suspicious traffic in your logs, which is attempting to access .env files, is a common probing technique for sensitive information. Blocking */* and /* URL patterns at the Nginx level is not effective because the malicious requests are targeting a specific, non-standard path. To effectively block this traffic at the firewall, you should create a rule that denies incoming requests from the specific IP addresses observed in the logs, such as 104.23.225.17 and 162.158.111.94. Additionally, you should consider implementing a Web Application Firewall (WAF) or a more sophisticated Nginx rule set that can detect and block requests for .env or other sensitive configuration files based on the URI path, regardless of the source IP address.
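To show what the URI-based detection suggested above looks like in practice, here is an added example (not code from the thread or from Cisco) that parses the `|||`-delimited nginx_access lines quoted in the question, flags requests for `.env` and similar secret files, and lists the source addresses so a block list can be built from the logs instead of by hand. The field order is assumed from the two sample lines; the third, benign line is constructed for contrast.

```python
import re
from urllib.parse import unquote

# Assumed field order of the nginx_access lines quoted in this thread:
# remote_addr ||| remote_user ||| time_local ||| request ||| status ||| bytes ||| user_agent ||| host ||| host
FIELD_SEP = "|||"

# Paths no legitimate client asks for; any hit is a probe for secrets/config.
SENSITIVE_PATHS = re.compile(r"^/(\.env|\.git(/|$)|\.aws/|\.ssh/|wp-config\.php)", re.I)

# Sample input: two lines copied from the thread plus one constructed benign request.
SAMPLE_LOG = """Sep  7 01:58:57 notify notify.express.tz nginx_access: 104.23.225.17|||-|||07/Sep/2025:01:58:57 +0300|||"GET /.env HTTP/1.1"|||301|||162|||"Mozilla/5.0 (Linux i386; X11) Gecko/20031105 Firefox/25.0"|||"ndeni.go.tz"|||"ndeni.go.tz"
Sep  7 00:59:19 appserver5 appserver15.express.tz nginx_access_appserver5: 162.158.111.94|||-|||07/Sep/2025:00:59:19 +0300|||"GET /.env HTTP/1.1"|||301|||162|||"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"|||"piga.wall.africa"|||"piga.wall.africa"
Sep  7 01:00:02 appserver5 appserver15.express.tz nginx_access_appserver5: 192.0.2.10|||-|||07/Sep/2025:01:00:02 +0300|||"GET /index.html HTTP/1.1"|||200|||5120|||"Mozilla/5.0"|||"piga.wall.africa"|||"piga.wall.africa"
"""


def parse_line(line):
    """Split one syslog-wrapped nginx_access line into a dict; None if it does not match."""
    _, tag, body = line.partition("nginx_access")
    if not tag:
        return None
    parts = body.split(": ", 1)          # drop the ":" / "_appserver5:" tag suffix
    if len(parts) != 2:
        return None
    fields = [f.strip('"') for f in parts[1].split(FIELD_SEP)]
    if len(fields) < 8:
        return None
    method, _, rest = fields[3].partition(" ")   # "GET /.env HTTP/1.1"
    path = rest.rsplit(" HTTP/", 1)[0]
    return {"src": fields[0], "time": fields[2], "method": method,
            "path": unquote(path), "status": int(fields[4]), "host": fields[7]}


def find_probes(log_text):
    """Return (src_ip, path, host) for every request whose path is a known secret-file probe."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SENSITIVE_PATHS.search(rec["path"]):
            hits.append((rec["src"], rec["path"], rec["host"]))
    return hits


def probing_sources(log_text):
    """Unique source addresses behind the probes, ready to feed a firewall object group."""
    return sorted({src for src, _, _ in find_probes(log_text)})


if __name__ == "__main__":
    for src, path, host in find_probes(SAMPLE_LOG):
        print(f"probe from {src}: {path} on {host}")
    print("block candidates:", probing_sources(SAMPLE_LOG))
```

One caveat before blocking the addresses this prints: if the Nginx servers sit behind a CDN or reverse proxy, the first field is the proxy's address rather than the client's, so take the real client from the X-Forwarded-For header (or nginx's real_ip module) before adding anything to a deny list.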

 

Thank you for your prompt response.
 
Regarding your suggestion to create a rule that denies incoming requests, I wanted to clarify. Since these requests are coming from dynamic IP addresses, did you mean that I would need to manually block each one? This approach might be challenging given the nature of dynamic IPs.
 
I am looking for a more automated solution, possibly utilizing Cisco FMC, to manage these incoming requests.

It is an attack.

A .env request means the attacker needs to know some info about the DB of the web app.

Let me check how we can stop this attack.

MHM

If you allow HTTPS from outside to inside via ACP, add IPS to this ACP line.

IPS will silently drop this attack.

MHM
