Shell Script List All Top IP Address Accessing Apache / Lighttpd Web Server

admin — Mon, 14 Dec 2009 03:45:39 +0000

#!/bin/bash
# Shell Script To List All Top Hitting IP Address to your webserver.
# This may be useful to catch spammers and scrappers.
# ———————————————————————-
# This script is licensed under GNU GPL version 2.0 or above
# ———————————————————————-
# where to store final report?
DEST=/var/www/reports/ips

# domain name
DOM=$1

# log file location
LOGFILE=/var/logs/httpd/$DOM/access.log

# die if no domain name given
[ $# -eq 0 ] && exit 1

# make dir
[ ! -d $DEST ] && mkdir -p $DEST

# ok, go though log file and create report
if [ -f $LOGFILE ]
then
echo “Processing log for $DOM…”
awk ‘{ print $1}’ $LOGFILE | sort | uniq -c | sort -nr > $DEST/$DOM.txt
echo “Report written to $DEST/$DOM.txt”
fi

How do I run this script?

Simply run it as follows:
./script website.com
Sample output (1st coloum is counter and 2nd is IP address):

600 72.30.87.116
50 66.249.71.138
10 66.249.71.140
5 66.249.71.139
3 74.86.49.130

Quick check for a ddos via number of connections

admin — Fri, 31 Jul 2009 17:14:04 +0000

A quick and usefull command for checking if a server is under ddos is:

netstat -anp |grep ‘tcp\|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n

That will list the IPs taking the most amount of connections to a server. It is important to remember that the ddos is becoming more sophistcated and they are using fewer connections with more attacking ips. If this is the case you will still get low number of connections even while you are under a DDOS.

RedHatVN Network » check for a ddos

Shell Script List All Top IP Address Accessing Apache / Lighttpd Web Server

How do I run this script?

Quick check for a ddos via number of connections