Nginx 404 Not Found — Missing Resource Detection

WebServerErrors Nginx Reconnaissance / Scanning

What This Means

Analyze Nginx 404 Not Found errors. Identify web vulnerability scanning, broken links, and automated reconnaissance targeting your Nginx server infrastructure.

Example Log

198.51.100.77 - - [08/Mar/2026:16:15:22 +0000] "GET /wp-login.php HTTP/1.1" 404 548 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"

Indicators of Suspicious Activity

404 responses for CMS-specific paths on non-CMS servers (WordPress, Joomla, Drupal paths)
High-volume 404 bursts from a single IP suggesting directory bruteforcing
Requests for common exploit paths (/shell.php, /cmd.asp, /c99.php)
Fake Googlebot User-Agent strings from non-Google IP addresses
Sequential alphabetical path probing indicating automated scanning
404 requests with SQL injection or XSS payloads in the URL

How to Investigate

Group Nginx access log 404 responses by source IP and URI pattern
Verify claimed Googlebot requests using reverse DNS lookup on the source IP
Check if any scanning IPs also made successful (200) requests
Compare 404 patterns against known vulnerability scanner signatures
Review rate of 404 generation per IP per minute
Correlate with fail2ban logs to see if the IP was already flagged

Recommended Mitigations

Deploy fail2ban with an Nginx 404 jail to auto-block scanning IPs
Configure rate limiting in Nginx using the limit_req module
Return minimal 404 pages that do not reveal server technology
Block requests for common exploit file extensions (.php on non-PHP servers)
Implement geographic IP blocking if your user base is regional
Use Nginx map directive to block known scanner User-Agent patterns

Scan This Log Instantly

Paste a suspicious log line below and get an instant AI-powered security assessment.

0 / 2000

What is 6 + 5?

Need a Full Investigation?

Scan entire log files, detect attack patterns, reconstruct timelines, and generate a full investigation report.

Related Log Types

Related Attack Patterns

Frequently Asked Questions

How do I reduce 404 noise in Nginx logs? ▼

Use Nginx access_log conditional logging to separate 404s into a dedicated log file. You can also use map directives to suppress logging for known benign 404 patterns like favicon.ico.

How does fail2ban work with Nginx 404s? ▼

fail2ban monitors Nginx access logs for 404 patterns. When an IP exceeds your threshold (e.g., 20 404s in 5 minutes), fail2ban adds an iptables rule to block that IP for a configurable duration.

Should I worry about 404s from search engine bots? ▼

Legitimate bot 404s indicate broken links that should be fixed or redirected. However, verify the bot is genuine using reverse DNS — many attackers fake Googlebot User-Agent strings.