Recently, I received a storage limit warning on my DigitalOcean droplet. Fair to say, I was puzzled when I saw the mail because I was barely storing any content on my node.

Upon closer examination of my disk utilization, it turned out that the primary use of space was my reverse proxy’s access logs. This was also shocking because I wasn’t sure how and why I was getting this much traffic.

I quickly looked through my access logs and was taken aback to find that the requests were primarily attempting to access .git, .env, and other potentially sensitive sets of files. I further discovered that this seems to be an issue commonly faced by sites that use Certbot-generated certificates.

The recommended workaround is to add these malicious IP addresses to my incoming firewall deny list. The command that gets the job done is:

grep -E '\.git|\.env' /var/log/nginx/access.log | awk '{print $1}' | sort -u | xargs -I {} ufw deny from {}

The above command only bans IPs that have attempted a request to .git or .env, but you can get more clever and come up with a regex that covers other paths as well.

To automate this, I set up a cron job to monitor my access.log every day and add those IPs to my deny list.
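The one-liner above matches `.git` or `.env` anywhere on the log line, so a normal visitor whose referer or query string contains those strings would be banned too. The script below is an added example, not part of the original post: it checks only the request path, skips malformed lines, honours an allowlist, and prints the `ufw` commands instead of running them. It assumes nginx's default "combined" log format (client address in field 1, path in field 7); the names `probe_ips` and `ban_commands` and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find clients that requested dotfile paths (.git*, .env*).

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [01/Jan/2024:00:00:01 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:00:00:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "curl/8.0"
198.51.100.4 - - [01/Jan/2024:00:00:03 +0000] "GET /blog/post HTTP/1.1" 200 5120 "https://example.com/repo.git" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:00:00:04 +0000] "GET /app/.env.bak HTTP/1.1" 404 153 "-" "-"
198.51.100.4 - - [01/Jan/2024:00:00:05 +0000] "GET /search?q=/.env HTTP/1.1" 200 900 "-" "Mozilla/5.0"
2001:db8::1 - - [01/Jan/2024:00:00:06 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "-"
EOF

# probe_ips LOGFILE [ALLOWLISTED_IP ...]
# Prints each offending client address once, sorted.
probe_ips() {
    log=$1; shift
    awk -v allow=" $* " '
        $1 !~ /^[0-9A-Fa-f:.]+$/ { next }   # field 1 must look like an IP address
        index(allow, " " $1 " ") { next }   # never list allowlisted addresses
        {
            path = $7
            sub(/\?.*/, "", path)           # drop the query string
            # Match a path component that starts with .git or .env
            if (path ~ "/[.](git|env)") print $1
        }
    ' "$log" | LC_ALL=C sort -u
}

# ban_commands LOGFILE [ALLOWLISTED_IP ...]
# Dry run: prints the firewall commands for review instead of executing them.
ban_commands() {
    probe_ips "$@" | sed 's/^/ufw deny from /'
}

# Demo: 192.0.2.10 stands in for your own address and is allowlisted.
ban_commands "$SAMPLE_LOG" 192.0.2.10
```

In the sample, 198.51.100.4 is not listed even though `.git` and `.env` appear in its referer and query string, which the plain `grep` would have matched.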