A lot of people "yell" that it is hard to find, on a heavy LOAD, which site is under DoS attack.
I don't know if it is a good start; we have written a few lines, I hope it will help.
What does this script do?
It will get out of ALL access_logs which IP accessed a domain, and how many times.
On the first run it will read the whole access_log; on the second run, let's say after 3 minutes, only the differences.
So on the second run you can really see who is at the TOP of requests, and from which IP.
Do not be alarmed if you see 100 or 200 accesses; it counts all files from access_log, not unique requests, so go on ALERT only if you see something like 1000 or more requests from the same IP.
If you see that, add that IP to the firewall and see if the load goes down.
Any idea to improve the script is welcome.
Code:
#!/bin/bash
# Works with the OLD layout /home/httpd/vhosts/<domain>/statistics/logs/access_log
# Keep the last five reports: rotate the old ones
mv -f toplog4 toplog5 2> /dev/null
mv -f toplog3 toplog4 2> /dev/null
mv -f toplog2 toplog3 2> /dev/null
mv -f toplog1 toplog2 2> /dev/null
mv -f toplog4.tmp toplog5.tmp 2> /dev/null
mv -f toplog3.tmp toplog4.tmp 2> /dev/null
mv -f toplog2.tmp toplog3.tmp 2> /dev/null
mv -f toplog1.tmp toplog2.tmp 2> /dev/null
# lastpos.tmp holds "<line count><TAB><access_log path>" from the previous run;
# make sure it exists (first run), then keep it as the old copy
touch lastpos.tmp
mv -f lastpos.tmp lastpos.old.tmp
for file in /home/httpd/vhosts/*/statistics/logs/access_log
do
    # domain name = the path with the prefix and suffix stripped
    f=${file#/home/httpd/vhosts/}
    f=${f%/statistics/logs/access_log}
    echo "$f"
    lines=$(( $(wc -l < "$file") ))
    printf '%d\t%s\n' "$lines" "$file" >> lastpos.tmp
    # line count recorded for this log last time (empty on the first run)
    oldlines=$(awk -F '\t' -v p="$file" '$2 == p { print $1 }' lastpos.old.tmp)
    if [[ -z $oldlines ]] || (( oldlines > lines )); then
        # first run, or the log was rotated/truncated since last run: read it all
        oldlines=0
    fi
    # only the lines added since last run; field 1 is the client address,
    # keep dotted IPv4 addresses and drop junk lines containing "=="
    tail -n +"$((oldlines + 1))" "$file" | cut -f 1 -d " " | grep '\.' | grep -v == \
        | sed "s/\$/ $f/" >> toplog1.tmp
done
# reports: "<count> <ip> <domain>", busiest first.
# Lines must be sorted before uniq -c, otherwise only adjacent duplicates are counted.
(echo -n "#" ; date) > toplog1
(echo -n "#" ; date) > log
sort toplog1.tmp | uniq -c | sort -rn >> toplog1
cat toplog?.tmp | sort | uniq -c | sort -rn >> log
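An added example that is not the poster's script: the same idea (count requests per client IP, only over the lines added since a remembered line offset, and start over if the log was rotated) written as reusable bash functions, with one improvement the post hints at. Besides the raw hit count it reports how many distinct URLs each IP requested, so a browser that loads one page with 200 images is distinguishable from a client hammering a single URL. The log file, its combined-format lines and the IP addresses are constructed for the example; the function names are assumptions, not anything from the post.

```shell
#!/usr/bin/env bash
# Added example, not the forum poster's script. Assumes a combined/common
# access_log format: field 1 = client IP, fields 6-8 = "GET /path HTTP/1.1".
set -u

# count_new_requests LOGFILE OFFSET
#   Prints "hits distinct_urls ip" for log lines after line number OFFSET,
#   busiest IP first. If the log now has fewer lines than OFFSET (rotated or
#   truncated since the last run) it starts again from line 0.
count_new_requests() {
    local log=$1 offset=$2 total
    total=$(( $(wc -l < "$log") ))
    if [ "$offset" -gt "$total" ]; then
        offset=0
    fi
    tail -n +"$((offset + 1))" "$log" \
      | awk '
          # only dotted IPv4 client addresses; hostnames and junk are skipped
          $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
              hits[$1]++
              if (!(($1, $7) in seen)) { seen[$1, $7] = 1; urls[$1]++ }
          }
          END { for (ip in hits) printf "%d %d %s\n", hits[ip], urls[ip], ip }
        ' \
      | sort -k1,1nr -k3,3
}

# current_line_count LOGFILE
#   The offset to remember for the next run.
current_line_count() {
    echo $(( $(wc -l < "$1") ))
}

# make_sample_log
#   Writes a constructed access_log to a temp file and prints its path.
#   198.51.100.7 hits one URL six times; 203.0.113.5 loads four different
#   files once each; the last line has a hostname instead of an IP.
make_sample_log() {
    local log
    log=$(mktemp)
    cat > "$log" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /style.css HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /logo.png HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /app.js HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login.php HTTP/1.1" 200 210 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login.php HTTP/1.1" 200 210 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /login.php HTTP/1.1" 200 210 "-" "curl/7.88"
192.0.2.9 - - [10/Oct/2023:13:55:41 +0000] "GET /about.html HTTP/1.1" 200 700 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "POST /login.php HTTP/1.1" 200 210 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "POST /login.php HTTP/1.1" 200 210 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "POST /login.php HTTP/1.1" 200 210 "-" "curl/7.88"
crawler.example - - [10/Oct/2023:13:55:42 +0000] "GET /robots.txt HTTP/1.1" 200 12 "-" "bot"
EOF
    echo "$log"
}

# Run with --demo to see a full report, then an incremental one from line 8.
if [ "${1:-}" = "--demo" ]; then
    demo_log=$(make_sample_log)
    echo "# full run (offset 0)";       count_new_requests "$demo_log" 0
    echo "# next run (offset 8)";       count_new_requests "$demo_log" 8
    echo "# remember offset: $(current_line_count "$demo_log")"
    rm -f "$demo_log"
fi
```

In the full report the busy client shows as "6 1 198.51.100.7" (six hits, one URL), while the normal browser shows as "4 4 203.0.113.5"; the second column is what separates a burst of asset loads from a one-URL hammer, which is the ambiguity the post warns about when it says not to alarm at 100 or 200 hits. Persisting the offset (one line per log file, as the poster's lastpos.tmp does) is left to the caller.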