To find out which IPs did that do the following,
Option 1 :- If you know which domain is attacked. SSH to your server & issue the following command. Make sure you replace “DOMAIN” with your domain name. If you are using cPanel/WHM and the domain is not the primary domain, normally it will be the sub domain of the primary domain.
In the above case we can see too many connections from those ips and it is abnormal. You can block these ips in the firewall such as ConfigServer Firewall (“csf”).
Option 1 :- If you know which domain is attacked. SSH to your server & issue the following command. Make sure you replace “DOMAIN” with your domain name. If you are using cPanel/WHM and the domain is not the primary domain, normally it will be the sub domain of the primary domain.
less /usr/local/apache/domlogs/DOMAIN | awk '{print $1}' | sort | uniq -c | sort -n
Option 2 :-
If you don’t know which domain is attacked. SSH to your server &
issue the following command. Option 1 if preferable especially if your
server is very busy has many domain. It will take quite sometimes to
process the log file. You can check by issuing “top -c” command to find
out which domain consume the most resources.
less /usr/local/apache/logs/access_log | awk '{print $1}' | sort | uniq -c | sort -n
1
2
3
4
5
6
7
| ....................17843 56.51.155.15619234 66.156.66.266234578 156.56.16.76 |
In the above case we can see too many connections from those ips and it is abnormal. You can block these ips in the firewall such as ConfigServer Firewall (“csf”).
No comments:
Post a Comment