X11; Linux x86_64

Do you see this UA much? When you do, is it legit?

SumGuy

12:43 am on Apr 22, 2025 (gmt 0)

A recent example I have is:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36

Because of past behavior, I'm treating (X11; Linux x86_64) as an unwanted bot, and it gets the bot treatment. But maybe I'm wrong?

ryoko

6:08 pm on Apr 23, 2025 (gmt 0)

Definitely something unwanted.

Here is a small snippet of User-Agents, including your X11; Linux, all from the same IP (18.141.219.173) in a matter of seconds!

Mozilla/5.0 (Linux; Android 12; motorola edge 20 pro) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Mobile Safari/537.36
Mozilla/5.0 (Linux; webOS/2.2.4; U; en-US) AppleWebKit/534.6 (KHTML, like Gecko) webOSBrowser/221.56 Safari/534.6 Pre/3.0
Mozilla/5.0 (Linux; Android 5.1.1; Nexus 7 Build/LMY47V) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.78 Safari/537.36 OPR/30.0.1856.93524
Googlebot-News
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0.1) Gecko/20100101 Firefox/4.0.1 Camino/2.2.1
Mozilla/5.0 (X11; Linux i686; rv:20.0) Gecko/20100101 Firefox/20.0
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/125.4 (KHTML, like Gecko, Safari) OmniWeb/v563.15
Gregarius/0.5.2 ( [devlog.gregarius.net...]
Mozilla/5.0 (Linux; Android 11; Mi Note 10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.61 Mobile Safari/537.36
Mozilla/5.0 (X11; Linux i686; rv:6.0a2) Gecko/20110615 Firefox/6.0a2 Iceweasel/6.0a2
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7 MG(Novarra-Vision/6.9)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
facebookexternalhit/1.1
Mozilla/5.0 (X11; NetBSD amd64; rv:30.0) Gecko/20100101 Firefox/30.0
Mozilla/5.0 (Linux; U; Android 1.0; en-us; dream) AppleWebKit/525.10 (KHTML, like Gecko) Version/3.0.4 Mobile Safari/523.12.2
Mozilla/4.1 (compatible; MSIE 5.0; Symbian OS; Nokia 6600;452) Opera 6.20 [en-US]
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.141 YaBrowser/22.3.3.852 Yowser/2.5 Safari/537.36
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.3) Gecko/2008092814 (Debian-3.0.1-1)
POLARIS/6.01 (BREW 3.1.5; U; en-us; LG; LX265; POLARIS/6.01/WAP) MMP/2.0 profile/MIDP-2.1 Configuration/CLDC-1.1
Nokia6100/1.0 (04.01) Profile/MIDP-1.0 Configuration/CLDC-1.0
Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0
Mozilla/5.0 (iPhone; CPU iPhone OS 14_8_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.2 Mobile/15E148 Safari/604.1

ryoko

6:09 pm on Apr 23, 2025 (gmt 0)

All these, including the facebookexternalhit and Googlebot-News, were from the same IP.
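The pattern reported above, one address presenting many unrelated User-Agents within seconds, can be flagged straight from an access log. This is an added example, not code from any poster in the thread; the log lines are constructed (documentation IP ranges), and the 10-second window and threshold of 3 are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "request" status bytes "referer" "user-agent"
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')

def rotating_ips(lines, window=timedelta(seconds=10), min_agents=3):
    """Return {ip: most distinct UAs seen inside any one window} for IPs at or above min_agents."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, ts, ua = m.groups()
        hits[ip].append((datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ua))
    flagged = {}
    for ip, events in hits.items():
        events.sort(key=lambda e: e[0])
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the left edge so the slice never spans more than `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({ua for _, ua in events[start:end + 1]}))
        if best >= min_agents:
            flagged[ip] = best
    return flagged

# Constructed sample: 192.0.2.10 rotates UAs every second; 198.51.100.7 does not.
SAMPLE = [
    '192.0.2.10 - - [23/Apr/2025:18:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Googlebot-News"',
    '192.0.2.10 - - [23/Apr/2025:18:01:01 +0000] "GET /a HTTP/1.1" 200 512 "-" "facebookexternalhit/1.1"',
    '192.0.2.10 - - [23/Apr/2025:18:01:02 +0000] "GET /b HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0"',
    '192.0.2.10 - - [23/Apr/2025:18:01:03 +0000] "GET /c HTTP/1.1" 200 512 "-" '
    '"Nokia6100/1.0 (04.01) Profile/MIDP-1.0 Configuration/CLDC-1.0"',
    '198.51.100.7 - - [23/Apr/2025:18:01:00 +0000] "GET / HTTP/1.1" 200 512 "-" "ExampleBrowser/1.0"',
    '198.51.100.7 - - [23/Apr/2025:18:01:05 +0000] "GET /a HTTP/1.1" 200 512 "-" "ExampleBrowser/1.0"',
    '198.51.100.7 - - [23/Apr/2025:19:30:00 +0000] "GET /b HTTP/1.1" 200 512 "-" "ExampleBrowser/2.0"',
]

if __name__ == "__main__":
    print(rotating_ips(SAMPLE))
```

Shared NAT or proxy addresses legitimately carry several browsers, so the count is a reason to look at an address, not a verdict by itself.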

SumGuy

1:02 am on Apr 24, 2025 (gmt 0)

Yea, but a couple things here. None of your examples actually has "(X11; Linux x86_64)". Your examples are from an Amazon AWS IP, and I'm blocking pretty much all AWS IPs from hitting my server.

From your examples, I'm blocking some bits and pieces of those UAs (like old / odd Chrome and FF versions). I'm still curious if X11; Linux x86_64 is ever used by legit users from non-data-center IPs.

lucy24

5:32 am on Apr 24, 2025 (gmt 0)

Under the head of YMMV: I find the string "X11; Linux x86_64" in Google Web Preview, for example
Mozilla/5.0 (X11; Linux x86_64)  AppleWebKit/537.36 (KHTML, like Gecko; Google Web Preview)  Chrome/134.0.6998.165 Safari/537.36
(Note the duplicate spaces.) Coming from the usual Googloid IPs, so probably is what it claims to be.

A further nuance is X11; Linux x86_64) with closing parenthesis to filter out
(X11; Linux x86_64; rv:128.0)
and other rv: numbers that may or may not be present.

I started out checking for .css requests from this UA, which reveals that about a third to a half of them are blocked--but not necessarily for “I do believe you’re a robot” reasons. That includes forms such as
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/122.0.6261.57 Safari/537.36
which I block. Don’t remember what the heck HeadlessChrome is, only that I decided somewhere along the line I don’t like it.

Further poring over headers reveals assorted botnet_agent forms that involve Linux blahblah with some specific version of Chrome. But some of them really do appear human. In particular, the ones who present themselves with piwik cookies (yes, the cookie is still _pk_blahblah although it has called itself Matomo for years); I would be very reluctant to label those as robots.
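The distinctions drawn in the post above (bare token with closing parenthesis versus rv: forms, HeadlessChrome, Google Web Preview, stylesheet fetches, Matomo `_pk_` cookies) can be combined into one triage function. This is an added example, not code from any poster; the verdict labels, the `assess` signature, the cookie value and the full rv:128.0 string are constructed for illustration.

```python
import re

# The closing parenthesis restricts the match to the bare platform token,
# so "(X11; Linux x86_64; rv:128.0)" falls through to WITH_RV instead.
BARE = re.compile(r"\(X11; Linux x86_64\)")
WITH_RV = re.compile(r"\(X11; Linux x86_64; rv:[\d.]+\)")
# Matomo still names its first-party cookies _pk_<something>.
MATOMO_COOKIE = re.compile(r"(?:^|;\s*)_pk_[^=;]+=")

def variant(ua):
    """Name the form of X11/Linux User-Agent, checking the most specific markers first."""
    if "HeadlessChrome/" in ua:
        return "headless"
    if "Google Web Preview" in ua:
        return "google-web-preview"
    if BARE.search(ua):
        return "bare"
    if WITH_RV.search(ua):
        return "rv"
    return "other"

def assess(ua, cookie="", fetched_css=False):
    """Return (variant, hint). Hints are hypothetical labels for a human reviewer."""
    v = variant(ua)
    if v == "headless":
        return v, "automation"
    if v == "google-web-preview":
        return v, "verify-source-ip"      # the UA alone proves nothing about origin
    if v in ("bare", "rv"):
        if MATOMO_COOKIE.search(cookie):
            return v, "likely-human"      # returned an analytics cookie set by page script
        return v, ("browser-like" if fetched_css else "unconfirmed")
    return v, "not-x11-linux-x86_64"

# User-Agents quoted in this thread, plus one constructed rv: form.
UA_BARE = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
           "Chrome/135.0.0.0 Safari/537.36")
UA_HEADLESS = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
               "HeadlessChrome/122.0.6261.57 Safari/537.36")
UA_PREVIEW = ("Mozilla/5.0 (X11; Linux x86_64)  AppleWebKit/537.36 (KHTML, like Gecko; "
              "Google Web Preview)  Chrome/134.0.6998.165 Safari/537.36")
UA_RV = "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"  # constructed

if __name__ == "__main__":
    for ua in (UA_BARE, UA_HEADLESS, UA_PREVIEW, UA_RV):
        print(assess(ua))
```

Every input here is client-supplied and can be forged, so the hints rank requests for review alongside source-address checks; they do not authenticate a visitor.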

ryoko

4:47 pm on Apr 25, 2025 (gmt 0)

Apologies SumGuy, I thought I saw that string.