
Friday, 29th March 2024

Comment on How to check who is flooding your Apache, NGinx Webserver – Real time Monitor statistics about IPs doing most URL requests and Stopping DoS attacks with Fail2Ban by admin.

You can also get statistics for old archived logs to see which IP has accessed your server most:

# The archive is finite, so stream the whole file into logtop; "tail -f -" would only pass on its last 10 lines.
zcat mini_httpd.log.2.gz | awk '{print $1; fflush();}' | logtop

admin Also Commented

How to check who is flooding your Apache, NGinx Webserver – Real time Monitor statistics about IPs doing most URL requests and Stopping DoS attacks with Fail2Ban
Another useful thing, in case you encounter some specific IP that is too actively accessing the server and you want to temporarily kill its access, is the tcpkill command. Here is a chunk of a question and answer I found online.

Q. How to disconnect clients from your network interfaces.

A1. Killing the connections with TCPKILL:

TCPKILL is part of dsniff, a tool suite for Linux to sniff network traffic for cleartext insecurities.

This package contains several tools to listen to and create network traffic:

arpspoof – Send out unrequested (and possibly forged) arp replies.
dnsspoof – forge replies to arbitrary DNS address / pointer queries on the Local Area Network.
dsniff – password sniffer for several protocols.
filesnarf – saves selected files sniffed from NFS traffic.
macof – flood the local network with random MAC addresses.
mailsnarf – sniffs mail on the LAN and stores it in mbox format.
msgsnarf – record selected messages from different Instant Messengers.
sshmitm – SSH monkey-in-the-middle. proxies and sniffs SSH traffic.
sshow – SSH traffic analyser
tcpkill – kills specified in-progress TCP connections.
tcpnice – slow down specified TCP connections via “active” traffic shaping.
urlsnarf – output selected URLs sniffed from HTTP traffic in CLF.
webmitm – HTTP / HTTPS monkey-in-the-middle. transparently proxies.
webspy – sends URLs sniffed from a client to your local browser.

What interests us here is TCPKILL. First we need to install dsniff; on the Debian Linux distribution we do:

apt-get install dsniff

Then we run:

tcpkill host xxx.xxx.xxx.xxx

where xxx… is replaced with the identified offending IP address.

A2. Another method to kill the offending connections immediately is using CUTTER.

Cutter will send packets to both ends of a TCP/ip connection to terminate it nicely. It is designed to be used in a Linux router to disconnect unwanted connections.

To install Cutter we issue the following command:

apt-get install cutter

Once installed we run Cutter with the arguments:

cutter SERVER_IP PORT OFFENDING_IP

So we replace SERVER_IP with our Linux box IP address, PORT with the listening port on the server, and OFFENDING_IP with the offending IP.

After using TCPKILL or CUTTER the process count should be reduced drastically and the server's memory usage lowered to nice numbers. (Our Linux server is stabilized now.)
Finally we need to block the offending IP address in our firewall (iptables rule).
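The two comments above (the zcat pipeline for ranking IPs in an archived log, and the tcpkill / cutter / iptables sequence for an offending IP) as one added shell example, not code from the original post or its comments. It assumes a Common Log Format access log with the client IP in the first field, works on plain or .gz rotated logs, uses a constructed sample log rather than real traffic, and is a dry run that only prints the tcpkill and iptables commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the comment thread: rank client IPs in an
# access log (plain or .gz archive) and, for those over a request threshold,
# print the tcpkill and iptables commands that would cut them off. Nothing is
# executed unless APPLY=1 is set (and then root is required).

set -eu

# Constructed sample log in Common Log Format (not real traffic). The first
# field is the client IP, which is all the ranking needs.
SAMPLE_LOG='203.0.113.7 - - [29/Mar/2024:10:00:01 +0200] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [29/Mar/2024:10:00:01 +0200] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [29/Mar/2024:10:00:02 +0200] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [29/Mar/2024:10:00:02 +0200] "GET /index.php HTTP/1.1" 200 512
203.0.113.7 - - [29/Mar/2024:10:00:03 +0200] "GET /index.php HTTP/1.1" 200 512
198.51.100.20 - - [29/Mar/2024:10:00:03 +0200] "GET /about.html HTTP/1.1" 200 2048
198.51.100.20 - - [29/Mar/2024:10:00:04 +0200] "GET /contact.html HTTP/1.1" 200 1024
192.0.2.44 - - [29/Mar/2024:10:00:05 +0200] "GET /robots.txt HTTP/1.1" 404 0'

# read_log FILE: stream a log to stdout, decompressing rotated .gz archives
# on the fly (same idea as the zcat pipeline above, without the "tail -f").
read_log() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# top_ips FILE THRESHOLD: print "count ip" for every client IP that made at
# least THRESHOLD requests, busiest first.
top_ips() {
    read_log "$1" |
        awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        sort -rn |
        awk -v thr="$2" '$1 >= thr'
}

# block_cmds IP: the two steps the thread recommends, in order: kill the
# in-flight TCP connections (tcpkill -9 = highest "degree"), then drop any
# further packets from that source in iptables.
block_cmds() {
    printf 'tcpkill -9 host %s\n' "$1"
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# main [FILE] [THRESHOLD]: defaults to the constructed sample and 3 requests.
main() {
    thr=${2:-3}
    if [ -n "${1:-}" ]; then
        log=$1
    else
        log=$(mktemp)
        printf '%s\n' "$SAMPLE_LOG" > "$log"
        trap 'rm -f "$log"' EXIT
    fi
    top_ips "$log" "$thr" | while read -r count ip; do
        echo "# $ip made $count requests (threshold $thr)"
        block_cmds "$ip" | while read -r cmd; do
            if [ "${APPLY:-0}" = 1 ]; then
                $cmd                 # really run it (needs root)
            else
                echo "$cmd"          # dry run: show what would be executed
            fi
        done
    done
}

main "$@"
```

Run it with no arguments to see the dry run against the sample; point it at a real log with `./script.sh /var/log/apache2/access.log.2.gz 500` and, once the output looks right, prefix with `APPLY=1` to actually kill and block. The threshold is deliberately a parameter: a CDN or corporate NAT can legitimately make many requests, so check the top entries before blocking rather than dropping everything above a fixed number.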


Recent Comments by admin

Install and configure rkhunter for improved security on a PCI DSS Linux / BSD servers with no access to Internet
       --rwo, --report-warnings-only
              This option causes only warning messages to be displayed. This can be useful when rkhunter is run via cron. Other options may
              be used to force other items of information to be displayed.

       --sk, --skip-keypress
              When  the  --check command option is used, after certain sections of tests, the user will be prompted to press the return key
              in order to continue. This option disables that feature, and rkhunter will run until all the tests have completed.


Install and configure rkhunter for improved security on a PCI DSS Linux / BSD servers with no access to Internet
As the rkhunter check can be pretty annoying, asking you to press keys multiple times and spitting out a lot of unnecessary data, very useful option arguments are:

--rwo and --sk

# rkhunter -c --rwo --sk
Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no


Fix eth changing network interface names from new Linux naming scheme ens, eno, em1 to legacy eth0, eth1, eth2 on CentOS Linux

Sorry for really late reply.

Perhaps you have to create it or rename the ifcfg-eno1 to ifcfg-eth1, or you have some old ifcfg-enp1s0f0 or ifcfg-eno still under /etc/sysconfig/network-scripts/ interfering.


How to RPM update Hypervisors and Virtual Machines running Haproxy High Availability cluster on KVM, Virtuozzo without a downtime on RHEL / CentOS Linux
If you happen to be missing the versionlock plugin and you need to make use of the yum versionlock capabilities, you will have to install the yum-utils package.

For example on CentOS 8 Linux, to enable the yum versionlock plugin:

yum install yum-utils.noarch


How to log every Linux executed command by every running system program to separte log via rsyslog for better server Security and audit trails

In case the log is not configured for snoopy by default, these are the default output locations on various Linux distributions:

Distribution   Snoopy output location   Notes
CentOS         /var/log/secure
Debian         /var/log/auth.log
Ubuntu         /var/log/auth.log
(others)       /var/log/messages        potentially; could be elsewhere
