Web Security

How to Detect Web Scanners (Nikto, sqlmap, Nuclei) on Your Server

Name: Inner Warden
Author: Inner Warden

March 18, 20268 min read

Your web server is being probed right now. Automated vulnerability scanners like Nikto, sqlmap, Nuclei, and dozens of others run 24/7, looking for SQL injection points, exposed admin panels, directory traversals, and known CVEs. Most of them announce themselves in the User-Agent header. The rest reveal themselves through their behavior.

This guide covers how web scanners work, how to detect them using both signature matching and behavioral analysis, and how to automatically block them at the firewall level.

What automated web scanners do

Web scanners send hundreds or thousands of HTTP requests to your server, each testing for a specific vulnerability. A single Nuclei scan with the default template set sends over 3,000 requests. sqlmap probes every parameter for SQL injection. Nikto checks for thousands of known misconfigurations.

These tools are freely available and widely used by both security researchers and attackers. The difference is intent, but your server cannot tell the difference. What it can see is the pattern.

Known scanner signatures

Many scanners identify themselves in the HTTP User-Agent header. Inner Warden's user_agent_scanner and web_scan detectors recognize over 20 known scanner signatures:

Nikto

sqlmap

Nuclei

Nmap

WPScan

DirBuster

Gobuster

ffuf

Burp Suite

OWASP ZAP

Acunetix

Nessus

OpenVAS

Arachni

w3af

Skipfish

Wapiti

Jaeles

XSStrike

Commix

testssl.sh

Any request with a matching User-Agent is immediately flagged. But smart attackers change their User-Agent. That is where behavioral detection takes over.

Behavioral detection: HTTP error floods

Even when a scanner hides its identity, its behavior is distinctive. Web scanners generate abnormally high rates of HTTP 4xx errors because they request paths that do not exist on your server. A real user might hit one 404 page. A scanner hits hundreds.

Inner Warden's search_abuse detector tracks the 4xx error rate per source IP. When an IP generates more than the configured threshold of errors in a time window, it is flagged as a scanner regardless of its User-Agent.

User-Agent detection20+ known scanner signatures

Behavioral detectionHTTP 4xx error rate per IP

Log sourceNginx access + error logs

ResponseFirewall block + rate-limit

Real example from production

The IP 192.0.2.71 ran a Nuclei scan against our Nginx server. It sent 2,847 requests in 4 minutes, generating 2,619 errors (404s and 403s). Inner Warden caught it via both methods:

signatureUser-Agent matched: "Nuclei - Open-source project"

behavior2,619 HTTP errors from 192.0.2.71 in 240 seconds

enrichAbuseIPDB confidence: 78% | GeoIP: OVH, FR

blockFirewall deny rule added | TTL 24 hours | reported to AbuseIPDB

Set it up

Web scanner detection requires Nginx access logs. Install Inner Warden and point the sensor at your Nginx log directory:

Install

curl -fsSL https://innerwarden.com/install | sudo bash

Enable web protection

innerwarden enable search-protection

The sensor automatically discovers Nginx logs at /var/log/nginx/access.log and begins scanning for both signatures and behavioral anomalies. Verify detection is active:

Verify

innerwarden status

What to do next

Port scan detection - web scans often follow port scans. Detect both for complete reconnaissance coverage.
Credential stuffing protection - scanners that find login pages often follow up with credential stuffing attacks.
Threat intelligence sharing - report web scanners to AbuseIPDB and push blocks to Cloudflare WAF.