Running and maintaining servers is a tedious job. While it's possible to automate many processes, it is important to put eyeballs on the inner workings to determine if something has changed. The web is an evolving place, and as such, attack vectors are born and die as well. Eyeballs on log files can illuminate new trends and identify new attacks that may not be noticed by automated methods.
I spend hours every week looking through log files. While it's mind-numbing, it can sometimes be illuminating, and it can occasionally save the server from developing issues.
Today, I was reading through the server access logs, and I noticed a recurring bot named "NodePing". Quick research identified this as a server status bot. I figured that it was my host running status checks on their own network, and that's cool! Then I decided to look up the IP address ranges, and that's where things got weird.
It wasn't my host checking up on my servers. It was a company in Moldova, and another in Pennsylvania. Two companies I've never heard of, never done business for or with, and they're monitoring my server. I hesitate to block IP addresses or ranges for things as benign as retrieving HTTP headers, but I'm not sure how to react to unrequested monitoring. This certainly uses some of my server resources, although not much. What do they get by testing my server? And these aren't the only two. As I read log files, I keep running across more and more.
After reviewing 2 hours of log files - 137 different IP address ranges are hitting me with these "NodePing" visits. I don't know what these shenanigans are getting at, but I shut it down. I can't think of any reason that 137 different companies should be pinging my server and checking its status. That's just 2 hours.
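Tallying these visits by hand is the tedious part of the job. The script below is an added example, not code from the original post: it parses Apache/nginx combined-format access log lines, keeps only requests whose User-Agent contains "NodePing" (the marker is a parameter, so any bot name works), and groups the sources by /24 (IPv4) or /64 (IPv6) so that the count of distinct ranges, rather than individual hits, falls out. The sample log lines are constructed and use documentation addresses; the exact User-Agent string is assumed to contain the bot's name, as the post describes.

```python
import ipaddress
import re
from collections import Counter

# Apache/nginx "combined" format:
#   ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return (client_ip, user_agent) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("ua")

def source_range(ip):
    """Collapse an address to its /24 (IPv4) or /64 (IPv6) so probes from one block group together."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def monitor_ranges(lines, marker="NodePing"):
    """Count hits per source range for requests whose User-Agent contains `marker` (case-insensitive)."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than abort the whole pass
        ip, ua = parsed
        if marker.lower() in ua.lower():
            try:
                counts[source_range(ip)] += 1
            except ValueError:
                continue  # not an IP literal (e.g. hostname lookups enabled in the log)
    return counts

# Constructed sample lines (RFC 5737 / RFC 3849 documentation addresses, hypothetical UA strings).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "HEAD / HTTP/1.1" 200 0 "-" "NodePing"
203.0.113.77 - - [10/Oct/2023:13:56:01 +0000] "HEAD / HTTP/1.1" 200 0 "-" "NodePing"
198.51.100.9 - - [10/Oct/2023:13:56:20 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.33 - - [10/Oct/2023:13:57:02 +0000] "HEAD / HTTP/1.1" 200 0 "-" "NodePing"
2001:db8::1 - - [10/Oct/2023:13:57:45 +0000] "HEAD / HTTP/1.1" 200 0 "-" "NodePing"
"""

if __name__ == "__main__":
    ranges = monitor_ranges(SAMPLE_LOG.splitlines())
    print(f"{len(ranges)} distinct source ranges")  # 3 for the sample above
    for net, hits in ranges.most_common():
        print(f"{hits:4d}  {net}")
```

Pipe a real log through `monitor_ranges(open("access.log"))` to get the per-range table; the distinct-range count is `len()` of the result.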