Count number of hits per IP on a web server

I've just had to fight a DDoS on a server, and I used a bash one-liner to have a very rough overview of the picture from the logs.

Once you know a DDoS is underway, here's a quick reminder of how to count, over the last 1000 requests (the number is arbitrary, but gives a useful picture when requests are pouring in), which IPs are making the most requests:

tail -n 1000 /var/log/apache2/other_vhosts_access.log | awk '{print $2}' | cut -d: -f1 | sort | uniq -c | sort -n

You can then see who's causing the trouble and DROP those IPs with iptables. Of course, check first that the requests they are making actually look illegitimate.

The above command is tailored for Apache on a Debian squeeze server with all vhosts logging to the default "other_vhosts_access.log" file, which puts the vhost name at the beginning of each line. You can adapt it to parse nginx logs too: you only need awk to print the IP address from the right field.
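As an added example (not part of the original post), here is the same pipeline wrapped in a shell function that takes the IP field number as a parameter, so it covers both the Debian vhost_combined format above (field 2) and the plain combined format nginx writes (field 1). It deliberately leaves out the `cut -d: -f1` step, which would truncate IPv6 client addresses, and adds a `suspects` helper that lists only the addresses at or above a hit threshold; the log lines and addresses are constructed, not taken from a real server.

```shell
#!/bin/sh
# Count hits per client IP in the last N lines of an access log.
# FIELD is the awk field holding the client IP: 2 for Debian's Apache
# vhost_combined format ("vhost:port ip ..."), 1 for the plain
# "combined" format used by nginx and non-vhost Apache setups.
# No "cut -d:" here: it would cut an IPv6 address down to its first hextet.
top_ips() {
    logfile="$1"; n="${2:-1000}"; field="${3:-2}"
    tail -n "$n" "$logfile" \
        | awk -v f="$field" '{ print $f }' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $2, $1 }'      # output "ip count", busiest first
}

# Print only the addresses with at least MIN hits: the ones worth
# inspecting before deciding whether to block them.
suspects() {
    top_ips "$1" "$2" "$3" | awk -v min="$4" '$2 >= min { print $1 }'
}

# Constructed vhost_combined sample written to the file given as $1.
sample_log() {
    cat > "$1" <<'EOF'
www.example.com:80 198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.88"
www.example.com:80 2001:db8::1 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
www.example.com:80 198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/7.88"
blog.example.com:80 203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /feed HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
www.example.com:80 198.51.100.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "curl/7.88"
www.example.com:80 2001:db8::1 - - [01/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}
```

For a live server, call it as `top_ips /var/log/apache2/other_vhosts_access.log 1000 2` (or `... /var/log/nginx/access.log 1000 1`); `suspects` with a threshold of, say, 200 narrows the list to what you then verify by hand.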
