WordPress Developer & Linux Administrator

Helpful server commands to troubleshoot DoS attacks

DoS attacks suck. They're hard to track down, and sometimes the traffic looks legitimate. Hopefully these commands help you determine which IP addresses are currently (or have recently been) connected to your server. Chances are, one or more of them are offending visitors!

Fair warning: most of these assume a cPanel web server, so you may need to modify them slightly for other types of systems.

# active connections on port 80 right now, counted per remote IP
netstat -a -n | grep :80 | cut -d : -f2 | awk '{print $2}' | \
sort | uniq -c | sort -n

# top IPs hitting your site at the moment (from the last 50,000 access_log entries)
tail -n 50000 /usr/local/apache/logs/access_log | awk '{print $1}' | \
sort | uniq -c | sort -n | tail

# To see which IPs are connecting to the server and how many connections exist from each IP:
netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | \
sort | uniq -c | sort -n

# To see how many connections each local IP address on the server is receiving:
netstat -plan | grep :80 | awk '{print $4}' | cut -d: -f1 | \
sort | uniq -c | sort -n

# Get the count of current connections to Apache (every line matching :80, in any state):
netstat -apn | grep :80 | wc -l

# Get the Apache status page from the command line to see which domain is receiving the most hits:
lynx http://localhost/whm-server-status
