Comment posted How to check who is flooding your Apache, NGinx Webserver – Real time Monitor statistics about IPs doing most URL requests and Stopping DoS attacks with Fail2Ban by .
Recent comments by
Tags: check, configure, Debian Ubuntu, fail2ban stopping apache dos attacks, How to, how to view get post head requests, install logtop centos rhel fedora, install logtop debian ubuntu, install logtop from source, Installing Logtop, logtop, make, monitor apache log real-time, monitoring top ip requests apache log, nginx monitor top url requests, noarch, script, squid proxy log monitoring logtop, SRPMS, text, url, var
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
You can also get statistics for old archived logs to see which IP has accessed your server most:
zcat mini_httpd.log.2.gz | tail -f – | awk {'print $1; fflush();'} | logtop
View CommentView CommentMozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Other useful things in case if you encounter some specific IP that is too actively accessing the server and you want to temporary kill access to it is with tcpkill command. Here is a chunk of question answer I found online.
Q. How to disconnect clients from your network interfaces.
A1. Killing the the connections with TCPKILL:
TCPKILL is part of dsniff a tools suite for linux to sniff network traffic for cleartext insecurities
This package contains several tools to listen to and create network traffic:
arpspoof – Send out unrequested (and possibly forged) arp replies.
dnsspoof – forge replies to arbitrary DNS address / pointer queries on the Local Area Network.
dsniff – password sniffer for several protocols.
filesnarf – saves selected files sniffed from NFS traffic.
macof – flood the local network with random MAC addresses.
mailsnarf – sniffs mail on the LAN and stores it in mbox format.
msgsnarf – record selected messages from different Instant Messengers.
sshmitm – SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
sshow – SSH traffic analyser
tcpkill – kills specified in-progress TCP connections.
tcpnice – slow down specified TCP connections via “active” traffic shaping.
urlsnarf – output selected URLs sniffed from HTTP traffic in CLF.
webmitm – HTTP / HTTPS monkey-in-the-middle. transparently proxies.
webspy – sends URLs sniffed from a client to your local browser.
What interests us here is TCPKILL first we need to install dsniff, in linux distribution: Debian we do:
apt-get install dsniff
Then we run:
tcpkill host xxx.xxx.xxx.xxx
where xxx… is replaced with the identified offending IP address.
A2. Another method to Kill the offending connections inmediatly is using CUTTER
Cutter will send packets to both ends of a TCP/ip connection to terminate it nicely. It is designed to be used in a Linux router to disconnect unwanted connections.
To install Cutter we issue the following command:
apt-get install cutter
Once installed we run Cutter with the arguments:
cutter
So we replace with our linux box IP address, with the listening port in the server, and with the offending IP
After using TCPKILL or CUTTER The process count should be reduced drastically now and the server’s memory usage lowered to nice numbers. (Our linux server is stabilized now)
View CommentView CommentFinally we need to Block the offending IP address in our Firewall (IPtables rule).